[Freeipa-users] FreeIPA in a locked down Active Directory environment

Rich Megginson rmeggins at redhat.com
Mon Jun 18 15:13:52 UTC 2012


On 06/18/2012 08:49 AM, Brian Wheeler wrote:
> Hello
>
> I'm a sysadmin at a smallish department at my university.  We're 
> investigating FreeIPA to replace our homegrown openldap/perl script 
> user management stuff.  The difficulty we're facing is that the university 
> has standardized on Active Directory and they've got it pretty well 
> locked down.  We currently use the university's kerberos for 
> authentication and our openldap instance to store user/group data.  
> When we create a new user a perl script copies the relevant data from 
> AD via an authenticated ldap bind since they do not support anonymous 
> binds.  For groups we just maintain the ones within our ldap 
> environment (AD groups are never copied).  For hosts we have a private 
> network that we use nss_ldap to look up hosts and then fall back to 
> the university's DNS.
>
> All of the documentation that I've been able to find on FreeIPA seems 
> to assume that the people setting up FreeIPA have full access to AD 
> and can modify the structure/security settings.

Not exactly.  What documentation are you talking about?

For IPA Windows Sync, IPA needs to be able to use the DirSync control 
provided by AD.

http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

IPA needs the Bind DN and password of an AD user with the rights 
specified in that document.

For IPA to get passwords sync'd from AD, you need to install the 
PassSync.msi on all of your domain controllers.

> This is not the case for us since a different group handles it and due 
> to the vastness of the university they are reluctant to make any changes.
>
> Is there any way to integrate FreeIPA into an environment such as ours 
> or am I going to have to continue with my homegrown way of doing things?
>
> Thanks!
>
> Brian Wheeler
> System Administrator
> Digital Library Program
> Indiana University
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
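
The consumer side of the DirSync-based sync described above, as an added example that is not code from this thread, from FreeIPA or from IPA Windows Sync. It assumes a sync agent has already bound with the service account DN and password the reply mentions and has issued a search carrying the DirSync control (OID 1.2.840.113556.1.4.841); what comes back is the set of objects changed since the cookie AD last handed out, so the agent must merge attribute-level changes into its local copy, drop objects that arrive as tombstones, and persist the new cookie. Every entry, GUID and cookie below is constructed sample data, not real AD output.

```python
"""Applying AD DirSync change batches to a local copy of the user data.

Added example; not the thread's, FreeIPA's or IPA Windows Sync's code.
The LDAP round trip itself is assumed to have happened already; this
module shows only how to consume its result correctly.
"""
from dataclasses import dataclass, field

DIRSYNC_CONTROL_OID = "1.2.840.113556.1.4.841"  # the AD DirSync control


@dataclass
class LocalDirectory:
    # Keyed by objectGUID: an object's DN changes when it is renamed and
    # again when it is deleted (it moves under CN=Deleted Objects); the
    # GUID is the only identifier that survives both.
    users: dict = field(default_factory=dict)
    cookie: bytes = b""  # opaque value returned by AD; persisted between runs


def apply_dirsync_batch(local, entries, new_cookie):
    """Merge one DirSync result set into `local`.

    `entries` is a list of dicts with 'dn' and 'attributes'. On any run
    after the first, AD returns only the attributes that changed, so the
    existing record is updated in place rather than replaced wholesale.
    Returns the (added, updated, deleted) counts for the batch.
    """
    added = updated = deleted = 0
    for entry in entries:
        attrs = dict(entry["attributes"])
        guid = attrs.pop("objectGUID")
        if attrs.get("isDeleted") is True:
            # Tombstone: the deletion is reported as the object itself
            # with isDeleted=TRUE. Remove it locally instead of storing it.
            if local.users.pop(guid, None) is not None:
                deleted += 1
            continue
        record = local.users.get(guid)
        if record is None:
            local.users[guid] = {"dn": entry["dn"], **attrs}
            added += 1
        else:
            record["dn"] = entry["dn"]  # picks up renames and moves
            record.update(attrs)        # keeps attributes not in this batch
            updated += 1
    # Only commit the cookie once the whole batch has been applied, so a
    # crash mid-batch makes the next run re-fetch the same changes.
    local.cookie = new_cookie
    return added, updated, deleted


# Constructed sample data: a first full pass, then an incremental pass.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

FULL_BATCH = [
    {"dn": "CN=Alice Sample,OU=Staff,DC=example,DC=edu",
     "attributes": {"objectGUID": "guid-0001", "objectClass": USER_CLASSES,
                    "sAMAccountName": "alice", "mail": "alice@example.edu"}},
    {"dn": "CN=Temp Account,OU=Staff,DC=example,DC=edu",
     "attributes": {"objectGUID": "guid-0002", "objectClass": USER_CLASSES,
                    "sAMAccountName": "temp1"}},
]
COOKIE_1 = b"constructed-cookie-1"

INCREMENTAL_BATCH = [
    # Rename plus one changed attribute; unchanged attributes are absent.
    {"dn": "CN=Alice Example,OU=Staff,DC=example,DC=edu",
     "attributes": {"objectGUID": "guid-0001", "displayName": "Alice Example"}},
    # Deletion arrives as a tombstone under the Deleted Objects container.
    {"dn": "CN=Temp Account\\0ADEL:guid-0002,CN=Deleted Objects,DC=example,DC=edu",
     "attributes": {"objectGUID": "guid-0002", "isDeleted": True}},
    # A brand new object.
    {"dn": "CN=New Hire,OU=Staff,DC=example,DC=edu",
     "attributes": {"objectGUID": "guid-0003", "objectClass": USER_CLASSES,
                    "sAMAccountName": "newhire"}},
]
COOKIE_2 = b"constructed-cookie-2"


def run_demo():
    """Apply both batches in order; returns the local copy and the counts."""
    local = LocalDirectory()
    first = apply_dirsync_batch(local, FULL_BATCH, COOKIE_1)
    second = apply_dirsync_batch(local, INCREMENTAL_BATCH, COOKIE_2)
    return local, first, second


if __name__ == "__main__":
    local, first, second = run_demo()
    print("first batch  (added, updated, deleted):", first)
    print("second batch (added, updated, deleted):", second)
    print("users now tracked:", sorted(r["sAMAccountName"] for r in local.users.values()))
```

Two points the thread's situation makes relevant: because the bind account is one a different group controls, treat a search that comes back without the DirSync response control, or that is refused outright, as a sign the account lacks the rights Rich refers to, and fail the run rather than silently falling back to a full read; and keep the cookie on disk next to the local copy, since losing it forces a complete resync on the next pass.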
