[Freeipa-users] cross domain trust between two IPA servers

Simo Sorce simo at redhat.com
Tue Aug 7 14:39:56 UTC 2012


On Tue, 2012-08-07 at 14:54 +0100, Johnathan Phan wrote:
> Hi everyone,
> 
> Is it possible to create a cross domain trust between two IPA servers?
> I would have thought FreeIPA would have dealt with this use case first
> rather than jump directly into integrating with AD.

Not yet. The reason we dealt with AD first is that there were more
requests for that use case.


> The reason for this is because you're more likely to have satellite
> sites of Red Hat servers you want to manage.
> 
> Example of this is shown below.
> 
> You require user details to be separated for two separate
> organizations that merge together. In the interim period or
> permanently you may want members' data to be stored in the two separate
> Realms for either legal reasons or for company structure reasons
> (Management), as you do this quite frequently with Microsoft AD
> environments when corporations merge or buy one another out, or a
> parent company buys a smaller company but wants to hook the two systems
> together without merging them completely, to keep the companies'
> identity and major operations separate.
> 
> Is there anyway to do this with two IPA servers?

We are planning to add FreeIPA<->FreeIPA trusts in due course, and a
Kerberos-level trust between two IPA servers can be done with some manual
work, but there are some details when it comes to providing identity to
the other domain that are missing. (Although SSSD can be configured
easily enough to use two separate FreeIPA domains if really needed.)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
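The "two separate FreeIPA domains in SSSD" option Simo mentions is an sssd.conf with one [domain/...] section per IPA deployment. The configuration below is an added example, not something posted in the thread or shipped by the FreeIPA project; the hostnames, realm names, keytab and CA paths are assumptions chosen for illustration. It assumes the client was enrolled in the first domain with ipa-client-install and that a host principal plus keytab for the second realm was obtained separately, since the ipa provider authenticates to each IPA server over GSSAPI with a keytab for that realm.

```ini
# Added example: /etc/sssd/sssd.conf for a client that resolves users from
# two independent FreeIPA deployments (no trust between them).
# All hostnames, realms and file paths below are assumed, not from the thread.

[sssd]
config_file_version = 2
services = nss, pam
# Both domains are consulted; lookups without a realm suffix try them in order.
domains = corp.example.com, acquired.example.net

# First IPA domain: the one the host was enrolled in with ipa-client-install,
# so the default host keytab and CA certificate apply.
[domain/corp.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = corp.example.com
ipa_server = ipa1.corp.example.com
ipa_hostname = client01.corp.example.com
krb5_realm = CORP.EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True

# Second IPA domain: needs its own host principal/keytab and its own CA cert,
# because the two realms share no keys and no certificate chain.
[domain/acquired.example.net]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = acquired.example.net
ipa_server = ipa1.acquired.example.net
ipa_hostname = client01.corp.example.com
krb5_realm = ACQUIRED.EXAMPLE.NET
krb5_keytab = /etc/sssd/acquired.keytab
ldap_tls_cacert = /etc/ipa/acquired-ca.crt
cache_credentials = True
# Force user@domain style names so the same login in both IPA servers
# cannot be confused with each other on this host.
use_fully_qualified_names = True
```

Two caveats a practitioner should check before relying on this: SSSD does not remap POSIX IDs, so the UID/GID ranges of the two IPA deployments must not overlap or file ownership becomes ambiguous; and this arrangement gives the client a view of both directories but is not a trust, so a ticket from one realm still buys nothing in the other.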