[Freeipa-users] FreeIPA v 2.2 in an AD environment

Dmitri Pal dpal at redhat.com
Mon Nov 5 15:48:26 UTC 2012


On 11/04/2012 02:23 PM, William Muriithi wrote:
> Hi all,
>
> I am in the process of deploying freeIPA 2.2 to authenticate Linux
> systems and have been able to setup everything nicely with separate
> domain.  I mean users are currently using separate password to access
> Linux system and another set of password from AD for desktop stuff. On
> Friday, I came across an article on freeIPA v 3 and noticed one can
> use the same username & password for both Linux and Windows systems.
> I have since felt this would be a better setup, but I feel the
> documentation is not clear on how to achieve the above.
>
> Would anyone be able to clarify this:
>
> - Can I synchronize the current AD user credentials with
> FreeIPA 2.2, or do I have to upgrade to FreeIPA 3.0?
> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
> I can only seem to find FreeIPA v3 RPMs for Fedora 17. I was hoping
> to use a blessed RPM instead of rolling one, which may be incompatible
> with the distribution RPM once it comes around.
>
> Regards,
>
> William

In addition to other comments I want to step back and give a bit of a
bigger picture.
1) Regardless of what approach you choose, we recommend using the latest
available version at the moment of deployment.
2) There are two different approaches to dealing with AD - sync or
trust. You need to choose which approach you want to use. Down the road
there might be some hybrid solutions, but so far they are not supported.

Sync: available since the beginning of IPA's life. It has some
limitations, and we indeed had some issues with the corner cases that
Steve's environment has. They are not common, but you have been warned
anyway.

Trust:
a) Trusts are targeting RHEL 6.4
b) There is no upgrade path from the Sync to the Trust solution. If you want trusts,
you need to upgrade what you have to 6.4 (or start over) and implement
trusts there, and not do Sync.
c) To take advantage of trusts your clients must run SSSD 1.9.x; otherwise
the trusts will not work. This also means that if you have other UNIXes,
the trusts will not work there.

If you have UNIX clients that need to be accessed by AD users, you might
explore some hybrid solutions that might work, but we can't say for sure.
For example, the sync might actually work in parallel to trusts to some
extent. There is also a PAM pass-through capability that comes with 6.4 as
a tech preview. That would allow pass-through LDAP auth for the non
SSSD 1.9 clients. But this needs to be tried out, and there might be dragons.





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
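Point (c) above makes the client SSSD version the gating requirement for trusts. The following shell snippet is an added example, not part of the original thread or of the FreeIPA project: it reads the installed SSSD version (via rpm where available, else `sssd --version`) and decides whether the host meets the 1.9.x floor the reply describes. Version strings of the form MAJOR.MINOR[.PATCH][-release] are assumed; the threshold 1.9 is taken from the reply itself.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): is this client's
# SSSD new enough for IPA/AD trusts? The thread states SSSD 1.9.x is required.
# Assumption: version strings look like MAJOR.MINOR[.PATCH][-release].

# Returns 0 if the given SSSD version string is >= 1.9, 1 otherwise.
sssd_supports_trusts() {
    ver=$(printf '%s' "$1" | sed 's/-.*//')        # drop any rpm release suffix
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)   # empty if no '.' present
    # Reject anything that is not purely numeric (e.g. an error message).
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "${minor:-0}" -ge 9 ] && return 0
    return 1
}

# Prints the installed SSSD version, preferring the package database.
installed_sssd_version() {
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' sssd 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v sssd >/dev/null 2>&1; then
        sssd --version 2>/dev/null
    fi
}

# Exit 0 when trusts can work on this host, 1 when SSSD is too old, 2 when absent.
check_this_host() {
    v=$(installed_sssd_version)
    if [ -z "$v" ]; then
        echo "sssd: not installed (trusts need SSSD 1.9.x on the client)"
        return 2
    fi
    if sssd_supports_trusts "$v"; then
        echo "sssd $v: trust-capable client"
        return 0
    fi
    echo "sssd $v: too old for trusts (need 1.9.x); consider sync or PAM pass-through"
    return 1
}

# Run the local check only when invoked with --check, so the functions can
# also be sourced from another script.
case "${1:-}" in --check) check_this_host ;; esac
```

Run it as `sh check_sssd.sh --check` on each client; hosts that exit 1 or 2 are the ones for which the reply's hybrid (sync or pass-through) options would have to be considered.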

