[Freeipa-users] Re: 389-ds and AD integration questions

Dmitri Pal dpal at redhat.com
Tue Sep 22 10:43:48 UTC 2009


Rich Megginson wrote:
> Prashanth Sundaram wrote:
>>
>> On 9/21/09 12:56 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>>
>>  
>>>> Dear FreeIPA community,
>>>>
>>>> I have a bunch of requirements that I am looking forward from
>>>> ipa-server. Please clarify if these are possible
>>>>
>>>> Background: We are planning to deploy 389-ds(formerly Fedora DS) as
>>>> our core ldap server in a Multi-Master Replication scenario. We will
>>>> be having set of slave server to cater at different locations. We want
>>>> to integrate password authentication with MS Active Directory. 389-DS
>>>> offers PAM Pass-thru plugin, but it has been quite difficult to
>>>> configure the parameters and kerberos to get that working. Some of the
>>>> features I am looking are
>>>>
>>>>    1. Easy setup of PAM Pass-thru setup. Where 389-ds queries Active
>>>>       Directory for password.
>>>>
>>>>       
>>> If you have PAM Kerberos auth working, you should be able to use PAM
>>> Pass thru. I don't know the details though, but I do know that this is
>>> one of the primary use cases, to allow simple bind (username/password
>>> auth) clients to use their kerberos password.
>>>     
>>
>> Isn't IPA creating its own Kerberos/kdc server? For my setup, AD is the
>> kerberos server and I want 389-ds to query the AD for password. I do not
>> want to configure kerberos on 389-ds or do I have to do that anyway?
>>   
> You do not have to configure kerberos on 389-ds to use pam passthrough.
>> So If I am right, for 389-ds and AD to communicate and exchange data
>> they
>> both need to be Kerb servers?
> No.
>> If that is then do client unix machines need
>> to be configured with krb5.conf?
>>   
> I believe you use something like pam_krb5 with 389 pam passthrough,
> which also requires krb5.conf
>> I am following the HowToKerberos from 389-ds, where you generate the
>> keytab
>> in Windows and register it in DS server.
>>   
> But you're not using kerberos auth to 389-ds, you are using simple
> auth, and pam passthrough "passes through" the credentials to kerberos
> via pam and pam_krb5
>> I haven't seen a case scenario in documentation where PAM Passthru is
>> implemented with AD. And how the Krb5 is configured.
>>
>>
>>  
>>>>    2. Syncing new users automatically between AD and 389-ds including
>>>>       UNIX attributes in AD (after installing SFU 3.5). Though Windows
>>>>       Sync agreement does it, we are looking for finer control over
>>>>       the OUs and objectclass/attributes imported.
>>>>
>>>>       
>>> The IPA winsync plugin will add missing posix attributes when syncing a
>>> new user entry from AD to IPA. It will not keep them in sync.
>>>     
>>  
>> Is this same as passsync.msi plugin?
> No.
>> We are using Windows server 2008
>> 64-bit. Do we have it compatible?
> It doesn't matter - if you don't want to sync passwords from AD to
> IPA, you do not use PassSync.msi
>> How can I setup IPA for the above
>> scenario?
>>   
> I think IPA enables the ipa-winsync plugin by default.
>>
>>  
>>>>    3. Password changes in the unix world reflect on AD,
>>>>
>>>>       
>>> Yes. IPA winsync will sync password changes from IPA to AD.
>>>     
>> Is this a case where,
>>
>>  
>>>>    4. Netgroups, adding hosts to the Directory server and having an
>>>>       inventory with hostname and IP address and/or performing basic host
>>>>       tasks.
>>>>
>>>>       
>>> Winsync will not sync the netgroups schema.
>>>     
>>
>> I wanted the unix hosts to be shown in 389-ds. Just like Windows
>> boxes are
>> joined to AD.   
> Ok.  IPA should handle that.
>>
>>  
>>>>    5. Create ACIs such that the support team only has access to create
>>>>       ldap accounts and update group memberships.
>>>>    6. How easy is it going to be to upgrade from 1.2.2 to 2.0?
>>>>       Any issues anticipated?
>>>>
>>>>
>>>> I am still going through the vast Admin Guide, release notes, user
>>>> config guide to get these answers and know more. Also let me know if
>>>> it is worth waiting till 2.0
>>>>
>>>> Thanks,
>>>> Prashanth
>>>>       
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>     
>>
>>   
>
Prashanth,

The setup is a bit confusing.
IPA v1 that is currently available can serve users and groups to
UNIX/Linux clients via nss_ldap.
One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
IPA v1 does not handle netgroups or hosts. These are the features of v2
that are coming.
However the whole point of the IPA is to be a domain controller for
UNIX/Linux machines and users.
If you are not planning to use IPA as a domain controller then you
should look at pure 389 deployment.
With 389 you can proxy authentications to AD and follow recommendations
and solutions described on 389 wiki.
However in this case you can't expect any of the IPA features
(especially the ones that we are working on now:
netgroups, automounts, hosts etc.)

Thank you
Dmitri
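For readers following the PAM pass-through part of this thread, the script below is an added example (not from the thread, the 389-ds project or IPA) that lays out the pieces Rich describes: clients do a simple bind to 389-ds, the PAM Pass Through Auth plugin hands the DN and password to a dedicated PAM service, and pam_krb5 checks the password against the AD KDC, with no KDC on the 389-ds host itself. The realm EXAMPLE.COM, the domain controller dc1.example.com, the suffix dc=example,dc=com and the PAM service name ldapserver are placeholders; the user's uid value is assumed to equal the AD account name, which is what pamIDMapMethod ENTRY with pamIDAttr uid relies on.

```shell
#!/bin/sh
# Added example, not code from the thread or from 389-ds/IPA.
# Wires the 389-ds "PAM Pass Through Auth" plugin to Active Directory
# via pam_krb5, so LDAP simple binds against 389-ds are verified by the AD KDC.
# Assumed placeholders: realm, DC host, suffix, PAM service name (override via env).
set -eu

AD_REALM="${AD_REALM:-EXAMPLE.COM}"
AD_DC="${AD_DC:-dc1.example.com}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
PAM_SERVICE="${PAM_SERVICE:-ldapserver}"

# krb5.conf for the DS host: it is only a Kerberos client of AD, no local KDC.
krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $AD_REALM

[realms]
    $AD_REALM = {
        kdc = $AD_DC
        admin_server = $AD_DC
    }
EOF
}

# PAM stack used only by the DS plugin. pam_krb5 verifies the password with
# the AD KDC; "account" is pam_permit because authorisation is decided by
# the directory's ACIs, not by this stack.
pam_service() {
    cat <<EOF
auth     required   pam_krb5.so
account  required   pam_permit.so
EOF
}

# Plugin configuration as an ldapmodify LDIF.
#  - pamFallback FALSE: a failed AD check is a failed bind; the plugin never
#    retries against a local userPassword.
#  - pamSecure TRUE: only TLS-protected binds are passed through, since the
#    cleartext password is forwarded to PAM.
#  - pamIDMapMethod ENTRY + pamIDAttr uid: the bound entry's uid is sent to
#    PAM as the user name, so it must match the AD account name (assumption).
#  - pamMissingSuffix ERROR: refuse to start with an include/exclude suffix
#    that does not exist, rather than silently passing through nothing.
pam_passthru_ldif() {
    cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamIncludeSuffix
pamIncludeSuffix: ou=People,$SUFFIX
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: $PAM_SERVICE
-
replace: pamMissingSuffix
pamMissingSuffix: ERROR
EOF
}

# Apply only when explicitly asked (root on the DS host, Directory Manager
# password prompted). The plugin change needs a DS restart to take effect.
if [ "${APPLY:-0}" = "1" ]; then
    krb5_conf   > /etc/krb5.conf
    pam_service > "/etc/pam.d/$PAM_SERVICE"
    pam_passthru_ldif | ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
    # Check the Kerberos leg first (kinit someuser@$AD_REALM), then a bind:
    # ldapsearch -x -ZZ -H ldap://localhost -D "uid=someuser,ou=People,$SUFFIX" -W -b "$SUFFIX" "(uid=someuser)" dn
fi
```

Two practitioner caveats. First, pamSecure TRUE means clients must bind over TLS (ldaps or StartTLS), which is why the check above uses `ldapsearch -ZZ`; without it the plugin refuses the bind rather than forwarding a cleartext password. Second, pam_krb5 verifying a password by obtaining a ticket cannot by itself tell a real AD KDC from an impostor; it can only validate the ticket if the host holds a key in a keytab, which is where the keytab step from the HowToKerberos page still fits even though clients use simple binds to 389-ds.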
