[Freeipa-users] Password pass-through to an existing LDAP server?

Dmitri Pal dpal at redhat.com
Wed Jun 13 22:09:20 UTC 2012


On 06/13/2012 04:45 PM, Jason Riedy wrote:
> I'm setting up an experimental subnet that needs a combination of
> local and remote users.  The local users already have passwords
> available.  I'd like to rely on those passwords without requiring
> them to manage it themselves.
>
> Is it possible to pass-through passwords to an external LDAP
> back-end?  I was hoping to find this in the docs somewhere, but I
> can't find anything quite like OpenLDAP's {SASL}foo at example.com.
> I'd like to keep Kerberos integration for other reasons,
> otherwise I'd just use OpenLDAP and not worry.

That will work with SSSD if your local users are in the passwd file and
remote users are in the SSSD domain.
It is the default SSSD configuration, though it is assumed that only
system accounts are in files. But local users should work OK. It is just
not the best configuration we would hope for.

Can you explain the reason for having local accounts other than
system ones?
SSSD can do caching of the central accounts and offline authentication,
so if the reason is the offline case then SSSD already handles it nicely,
allowing you to move all your human accounts into the central location,
leaving the passwd file for root and system accounts only.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
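
Added example, not part of the original message: a minimal client-side sketch of the layout described above, with the passwd file consulted before SSSD and credential caching enabled so central accounts can still log in offline. The domain and server names are constructed placeholders, and the three-day offline limit is an assumed policy value.

```ini
# /etc/nsswitch.conf (shown as comments; this file is not INI syntax)
# Local files are consulted first, then SSSD, so root and system
# accounts resolve from /etc/passwd and human accounts from the
# central domain:
#   passwd: files sss
#   shadow: files sss
#   group:  files sss

# /etc/sssd/sssd.conf (must be owned by root with mode 0600)
[sssd]
services = nss, pam
# Placeholder domain name, constructed for this example
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
# Placeholder server name, constructed for this example
ipa_server = ipa1.ipa.example.test
# Keep a salted hash of the password after a successful online login
# so the user can authenticate while the server is unreachable
cache_credentials = True

[pam]
# Assumed policy: cached credentials stop working after 3 days without
# an online login (the default of 0 means no limit)
offline_credentials_expiration = 3
```

Bounding `offline_credentials_expiration` limits how long a disabled or compromised central account can keep logging in from a machine that stays offline.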

