[Freeipa-users] Re: 389-ds and AD integration questions

Prashanth Sundaram psundaram at wgen.net
Mon Sep 21 21:56:55 UTC 2009




On 9/21/09 12:56 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:

>> Dear FreeIPA community,
>> 
>> I have a bunch of requirements that I am looking forward from
>> ipa-server. Please clarify if these are possible
>> 
>> Background: We are planning to deploy 389-ds(formerly Fedora DS) as
>> our core ldap server in a Multi-Master Replication scenario. We will
>> be having set of slave server to cater at different locations. We want
>> to integrate password authentication with MS Active Directory. 389-DS
>> offers PAM Pass-thru plugin, but it has been quite difficult to
>> configure the parameters and kerberos to get that working. Some of the
>> features I am looking are
>> 
>>    1. Easy setup of PAM Pass-thru setup. Where 389-ds queries Active
>>       Directory for password.
>> 
> If you have PAM Kerberos auth working, you should be able to use PAM
> Pass thru. I don't know the details though, but I do know that this is
> one of the primary use cases, to allow simple bind (username/password
> auth) clients to use their kerberos password.

Isn't IPA creating its own Kerberos/KDC server? For my setup, AD is the
Kerberos server and I want 389-ds to query the AD for password. I do not
want to configure Kerberos on 389-ds, or do I have to do that anyway?

So if I am right, for 389-ds and AD to communicate and exchange data they
both need to be Kerb servers? If that is so, then do client unix machines need
to be configured with krb5.conf?

I am following the HowToKerberos from 389-ds, where you generate the keytab
in Windows and register it in DS server.

I haven't seen a case scenario in the documentation where PAM Passthru is
implemented with AD, and how the Krb5 is configured.


>> 
>>    2. Syncing new users automatically between AD and 389-ds including
>>       UNIX attributes in AD (after installing SFU 3.5). Though Windows
>>       Sync agreement does it, we are looking on a finer control over
>>       the OU's and objectclass/attributes imported.
>> 
> The IPA winsync plugin will add missing posix attributes when syncing a
> new user entry from AD to IPA. It will not keep them in sync.
 
Is this the same as the passsync.msi plugin? We are using Windows Server 2008
64-bit. Do we have it compatible? How can I set up IPA for the above
scenario?


>> 
>>    3. Password change in unix world reflects on AD,
>> 
> Yes. IPA winsync will sync password changes from IPA to AD.
Is this a case where,

>> 
>>    4. Netgroups, adding hosts to the Directory server and have an
>>       inventory with hostname and IP address and/or perform basic host
>>       tasks.
>> 
> Winsync will not sync the netgroups schema.

I wanted the unix hosts to be shown in 389-ds, just like Windows boxes are
joined to AD.


>> 
>>    5. Create ACI's such that support team has only access to create
>>       ldap accounts and update group memberships.
>>    6. How easy is it going to be if upgraded from 1.2.2 to 2.0?
>>       Any issues anticipated?
>> 
>> 
>> I am still going through the vast Admin Guide, release notes, user
>> config guide to get these answers and know more. Also let me know if
>> it is worth waiting till 2.0
>> 
>> Thanks,
>> Prashanth
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
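For readers hitting the same difficulty configuring the 389-ds PAM Pass Through Auth plugin that the thread describes, the following is an added example of the plugin configuration (it is not from the thread, the 389-ds project, or FreeIPA). It assumes a constructed suffix `dc=example,dc=com`, that user entries live under `ou=People`, and that a PAM service file `/etc/pam.d/ldapserver` exists on the directory server host that authenticates through `pam_krb5` against the AD realm; both names are assumptions chosen for the example.

```ldif
# Added example: enable the 389-ds PAM Pass Through Auth plugin so that a
# simple bind (DN + password) for an entry under pamIncludeSuffix is
# checked via PAM instead of the entry's local userPassword.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f pam-passthru.ldif
# and restart the directory server afterwards for the plugin to load.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Only entries under this suffix are passed through to PAM (assumed suffix).
replace: pamIncludeSuffix
pamIncludeSuffix: ou=People,dc=example,dc=com
-
# Never pass through binds against the configuration tree (Directory Manager
# and the plugin config itself keep authenticating locally).
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# RDN: the value of the bind DN's RDN (e.g. uid=jsmith) is the PAM user name,
# so it must match the AD sAMAccountName that pam_krb5 will look up.
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
# Name of the PAM service file under /etc/pam.d on the LDAP server host
# (assumed name; it should contain auth/account lines for pam_krb5).
replace: pamService
pamService: ldapserver
-
# FALSE: if PAM rejects the password, do NOT fall back to the entry's local
# userPassword; this avoids a stale local hash silently overriding AD.
replace: pamFallback
pamFallback: FALSE
-
# TRUE: only honour pass-through binds on a TLS/SSL-protected connection,
# since the cleartext password would otherwise cross the wire to 389-ds.
replace: pamSecure
pamSecure: TRUE
```

With `pamSecure: TRUE`, a simple bind over plain LDAP is refused rather than forwarded, so confirm TLS works on the server before flipping `pamFallback` to FALSE, otherwise the users under `ou=People` can no longer authenticate at all. Testing with an `ldapsearch -x -ZZ -D "uid=<user>,ou=People,dc=example,dc=com" -W` bind from a client host is a quick way to verify the pass-through path end to end.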
