[Freeipa-users] Re: 389-ds and AD integration questions

Rich Megginson rmeggins at redhat.com
Mon Sep 21 22:29:28 UTC 2009


Prashanth Sundaram wrote:
>
> On 9/21/09 12:56 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>
>   
>>> Dear FreeIPA community,
>>>
>>> I have a bunch of requirements that I am looking forward from
>>> ipa-server. Please clarify if these are possible
>>>
>>> Background: We are planning to deploy 389-ds(formerly Fedora DS) as
>>> our core ldap server in a Multi-Master Replication scenario. We will
>>> be having set of slave server to cater at different locations. We want
>>> to integrate password authentication with MS Active Directory. 389-DS
>>> offers PAM Pass-thru plugin, but it has been quite difficult to
>>> configure the parameters and kerberos to get that working. Some of the
>>> features I am looking are
>>>
>>>    1. Easy setup of PAM Pass-thru setup. Where 389-ds queries Active
>>>       Directory for password.
>>>
>>>       
>> If you have PAM Kerberos auth working, you should be able to use PAM
>> Pass thru. I don't know the details though, but I do know that this is
>> one of the primary use cases, to allow simple bind (username/password
>> auth) clients to use their kerberos password.
>>     
>
> Isn't IPA creating its own Kerberos/kdc server? For my setup, AD is the
> kerberos server and I want 389-ds to query the AD for password. I do not
> want to configure kerberos on 389-ds or do I have to do that anyway?
>   
You do not have to configure kerberos on 389-ds to use pam passthrough.
> So If I am right, for 389-ds and AD to communicate and exchange data they
> both need to be Kerb servers?
No.
> If that is then do client unix machines need
> to be configured with krb5.conf?
>   
I believe you use something like pam_krb5 with 389 pam passthrough, 
which also requires krb5.conf
> I am following the HowToKerberos from 389-ds, where you generate the keytab
> in Windows and register it in DS server.
>   
But you're not using kerberos auth to 389-ds, you are using simple auth, 
and pam passthrough "passes through" the credentials to kerberos via pam 
and pam_krb5
> I haven't seen a case scenario in documentation where PAM Passthru is
> implemented with AD. And how the Krb5 is configured.
>
>
>   
>>>
>>>    2. Syncing new users automatically between AD and 389-ds including
>>>       UNIX attributes in AD (after installing SFU 3.5). Though Windows
>>>       Sync agreement does it, we are looking for finer control over
>>>       the OU's and objectclass/attributes imported.
>>>
>>>       
>> The IPA winsync plugin will add missing posix attributes when syncing a
>> new user entry from AD to IPA. It will not keep them in sync.
>>     
>  
> Is this same as passsync.msi plugin?
No.
> We are using Windows server 2008
> 64-bit. Do we have it compatible?
It doesn't matter - if you don't want to sync passwords from AD to IPA, 
you do not use PassSync.msi
> How can I setup IPA for the above
> scenario?
>   
I think IPA enables the ipa-winsync plugin by default.
>
>   
>>>
>>>    3. Password changes in the UNIX world reflect on AD,
>>>
>>>       
>> Yes. IPA winsync will sync password changes from IPA to AD.
>>     
> Is this a case where,
>
>   
>>>
>>>    4. Netgroups, adding hosts to the Directory server and having an
>>>       inventory with hostname and IP address and/or performing basic host
>>>       tasks.
>>>
>>>       
>> Winsync will not sync the netgroups schema.
>>     
>
> I wanted the unix hosts to be shown in 389-ds. Just like Windows boxes are
> joined to AD. 
>   
Ok.  IPA should handle that.
>
>   
>>>
>>>    5. Create ACI's such that the support team only has access to create
>>>       ldap accounts and update group memberships.
>>>    6. How easy is it going to be if upgraded from 1.2.2 to 2.0?
>>>       Any issues anticipated?
>>>
>>>
>>> I am still going through the vast Admin Guide, release notes, user
>>> config guide to get these answers and know more. Also let me know if
>>> it is worth waiting till 2.0
>>>
>>> Thanks,
>>> Prashanth
>>>       
>>     
>
>   

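The pieces Rich describes above (no Kerberos configuration on 389-ds itself, just pam_krb5 behind the PAM pass-through plugin, plus the krb5.conf that pam_krb5 needs) look like the following when put together on the DS host. This is an added example, not code from the thread or from the 389-ds or FreeIPA projects. The realm AD.EXAMPLE.COM, the KDC dc1.ad.example.com, the suffix dc=example,dc=com, the instance name and the helper function names are all assumptions chosen for the illustration; the plugin entry DN and the pam* attribute names are the ones the plugin actually uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from 389-ds/FreeIPA.
# Realm, KDC host, suffix and instance name below are assumptions.
AD_REALM="AD.EXAMPLE.COM"        # assumed: Kerberos realm of the AD forest
AD_DC="dc1.ad.example.com"       # assumed: domain controller acting as KDC
SUFFIX="dc=example,dc=com"       # assumed: suffix holding the 389-ds users
DS_INSTANCE="example"            # assumed: 389-ds instance name
PAM_SERVICE="ldapserver"         # PAM service the plugin opens (its default)

# krb5.conf for the DS host. Only pam_krb5 reads it; the DS itself needs
# no keytab and no Kerberos setup, since clients still do simple binds.
krb5_conf() {
cat <<EOF
[libdefaults]
    default_realm = ${AD_REALM}
    dns_lookup_kdc = false

[realms]
    ${AD_REALM} = {
        kdc = ${AD_DC}
        admin_server = ${AD_DC}
    }
EOF
}

# PAM stack for the plugin's service. pam_krb5 sends an AS-REQ for
# <uid>@${AD_REALM} to the AD KDC; no_ccache keeps it from leaving a
# ticket cache behind for every simple bind the DS handles.
pam_service_file() {
cat <<EOF
#%PAM-1.0
auth     required   pam_krb5.so  no_ccache
account  required   pam_krb5.so
EOF
}

# LDIF enabling the plugin. pamIDMapMethod RDN: the RDN value of the bind
# DN (uid=jdoe,...) becomes the PAM user, so uid must equal the AD
# sAMAccountName. pamFallback FALSE: a stale userPassword stored in DS is
# never consulted. pamSecure TRUE: binds that are not protected by TLS are
# refused, because the clear-text password travels to DS on every bind.
passthru_ldif() {
cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamService
pamService: ${PAM_SERVICE}
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamMissingSuffix
pamMissingSuffix: ERROR
EOF
}

# Writes the files, applies the LDIF and restarts the instance (a plugin
# enable/disable only takes effect after a restart). Root on the DS host;
# run only when the script is invoked with "apply".
apply_passthru() {
    krb5_conf        > /etc/krb5.conf
    pam_service_file > "/etc/pam.d/${PAM_SERVICE}"
    passthru_ldif | ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
    systemctl restart "dirsrv@${DS_INSTANCE}"   # assumed: systemd-managed instance
}

# Smoke test: a simple bind over StartTLS with the user's AD password must
# succeed, and the same bind without -ZZ must fail because of pamSecure.
verify_bind() {
    user="$1"
    ldapwhoami -x -ZZ -H ldap://localhost -D "uid=${user},ou=People,${SUFFIX}" -W
}

if [ "${1:-}" = "apply" ]; then
    apply_passthru
fi
```

Two things worth checking once this is in place: the DS host must be able to reach the AD KDC on port 88 and have its clock within the AD skew limit, or every bind fails with a clock skew or KDC unreachable error from pam_krb5 rather than a plain "invalid credentials"; and because pamSecure refuses non-TLS binds, any client that still does clear-text simple binds will stop authenticating, which is the intended outcome rather than a bug.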

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20090921/b9272dbb/attachment.bin>
