[Freeipa-users] Re: 389-ds and AD integration questions
Prashanth Sundaram
psundaram at wgen.net
Mon Sep 21 21:56:55 UTC 2009
On 9/21/09 12:56 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>> Dear FreeIPA community,
>>
>> I have a bunch of requirements that I am looking for from
>> ipa-server. Please clarify if these are possible.
>>
>> Background: We are planning to deploy 389-ds (formerly Fedora DS) as
>> our core LDAP server in a Multi-Master Replication scenario. We will
>> be having a set of slave servers to cater to different locations. We want
>> to integrate password authentication with MS Active Directory. 389-DS
>> offers the PAM Pass-thru plugin, but it has been quite difficult to
>> configure the parameters and Kerberos to get that working. Some of the
>> features I am looking for are:
>>
>> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active
>> Directory for the password.
>>
> If you have PAM Kerberos auth working, you should be able to use PAM
> Pass thru. I don't know the details though, but I do know that this is
> one of the primary use cases, to allow simple bind (username/password
> auth) clients to use their kerberos password.
Isn't IPA creating its own Kerberos/KDC server? For my setup, AD is the
Kerberos server and I want 389-ds to query the AD for the password. I do not
want to configure Kerberos on 389-ds, or do I have to do that anyway?
So if I am right, for 389-ds and AD to communicate and exchange data they
both need to be Kerb servers? If that is so, do client Unix machines need
to be configured with krb5.conf?
I am following the HowToKerberos from 389-ds, where you generate the keytab
in Windows and register it in DS server.
I haven't seen a case scenario in the documentation where PAM Passthru is
implemented with AD, and how Krb5 is configured.
>>
>> 2. Syncing new users automatically between AD and 389-ds including
>> UNIX attributes in AD (after installing SFU 3.5). Though the Windows
>> Sync agreement does it, we are looking for finer control over
>> the OUs and objectclass/attributes imported.
>>
> The IPA winsync plugin will add missing posix attributes when syncing a
> new user entry from AD to IPA. It will not keep them in sync.
Is this the same as the passsync.msi plugin? We are using Windows Server 2008
64-bit. Is it compatible? How can I set up IPA for the above
scenario?
>>
>> 3. Password changes in the UNIX world reflected on AD,
>>
> Yes. IPA winsync will sync password changes from IPA to AD.
Is this a case where,
>>
>> 4. Netgroups, adding hosts to the Directory server and having an
>> inventory with hostname and IP address and/or performing basic host
>> tasks.
>>
> Winsync will not sync the netgroups schema.
I wanted the unix hosts to be shown in 389-ds. Just like Windows boxes are
joined to AD.
>>
>> 5. Create ACIs such that the support team only has access to create
>> LDAP accounts and update group memberships.
>> 6. How easy is it going to be if upgraded from 1.2.2 to 2.0?
>> Any issues anticipated?
>>
>>
>> I am still going through the vast Admin Guide, release notes and user
>> config guide to get these answers and know more. Also let me know if
>> it is worth waiting till 2.0.
>>
>> Thanks,
>> Prashanth
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
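For the PAM Pass-thru question above, here is an added example (not from the thread or from the 389-ds project itself) of the LDIF that enables the 389-ds PAM Pass Through Auth plugin so that simple binds under a people suffix are verified by the PAM stack, which can in turn be backed by pam_krb5 against the AD realm. The suffix `ou=People,dc=example,dc=com`, the service name `ldapserver` and the use of `pamSecure` are assumptions for this example; the attribute names are the plugin's documented ones.

```ldif
# Added example: enable PAM pass-through for entries under ou=People only.
# cn=config is excluded so configuration binds stay local to the directory.
# Apply with (assumed usage):
#   ldapmodify -x -D "cn=Directory Manager" -W -f pam-passthru.ldif
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamIncludeSuffix
pamIncludeSuffix: ou=People,dc=example,dc=com
-
# Fail the bind if the entry is under neither an include nor an exclude suffix.
replace: pamMissingSuffix
pamMissingSuffix: ERROR
-
# Map the bind DN to a PAM login name via the entry's uid attribute.
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
# Do not fall back to the local userPassword if PAM rejects the bind.
replace: pamFallback
pamFallback: FALSE
-
# Only pass the password to PAM over an SSL/TLS connection, since the
# plaintext bind password would otherwise cross the wire unencrypted.
replace: pamSecure
pamSecure: TRUE
-
# Name of the PAM service file, i.e. /etc/pam.d/ldapserver.
replace: pamService
pamService: ldapserver
```

With this in place, /etc/pam.d/ldapserver must reference pam_krb5 for the auth and account stacks, and the server's krb5.conf must name the AD domain as the realm and its domain controllers as KDCs, which is what ties the pass-through check to AD.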