[Freeipa-users] Re: 389-ds and AD integration questions

Prashanth Sundaram psundaram at wgen.net
Wed Sep 23 14:28:40 UTC 2009


Thanks Dmitri,

I got clarification about the setup yesterday. Looks like I do not need
Kerberos implemented for PAM Pass-through.

Since IPA is to be a domain controller, is it necessary to implement
Kerberos for server and clients, since I only need Unix hosts to talk to
the DC?

I mean, can I separate the Kerberos part from IPA and just use it for
password change on both sides?


> Prashanth,
> 
> The setup is a bit confusing.
> IPA v1 that is currently available can serve users and groups to
> UNIX/Linux clients via nss_ldap.
> One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
> IPA v1 does not handle netgroups or hosts. These are the features of v2
> that are coming.
> However the whole point of the IPA is to be a domain controller for
> UNIX/Linux machines and users.
> If you are not planning to use IPA as a domain controller then you
> should look at pure 389 deployment.
> With 389 you can proxy authentications to AD and follow recommendations
> and solutions described on 389 wiki.
> However in this case you can't expect any of the IPA features
> (especially the ones that we are working on now:
> netgroups, automounts, hosts etc.)
> 
> Thank you
> Dmitri
> 
