[Freeipa-users] How IPA handles AD computer groups

Rashard.Kelly at sita.aero Rashard.Kelly at sita.aero
Fri May 31 12:39:15 UTC 2013


I am working on a team to plan a migration to IPA on our UNIX based 
systems. One thing I was seeking information on is Computer groups. If a 
trust is established with our campus AD infrastructure, will its computer 
groups be shared with IPA or just users?

If computer groups are transferred to host groups this will make managing 
permissions easier without having to recreate all the groups on the IPA 
side.

I could not find any info in this document 
http://www.freeipa.org/page/IPAv3_testing_AD_trust. If someone could point 
me to some documentation about the subject it would be really helpful.


Thank You,
Rashard Kelly
Senior Linux Specialist




From:   Martin Kosek <mkosek at redhat.com>
To:     Sumit Bose <sbose at redhat.com>
Cc:     freeipa-users at redhat.com
Date:   05/31/2013 06:41 AM
Subject:        Re: [Freeipa-users] IPA & AD trust question
Sent by:        freeipa-users-bounces at redhat.com



On 05/31/2013 09:37 AM, Sumit Bose wrote:
> On Fri, May 31, 2013 at 06:52:27AM +0000, Ondrej Valousek wrote:
>> Hi List,
>>
>> I have a question - is it possible to use AD trust the way that:
>> 1. All users are stored in AD
>> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are stored in IPA?
> 
> Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
> I can see no issues.
> 
>>
>> If yes then:
>> 1. Will this scenario honour the RFC2307 user attributes in AD?
> 
> We are trying to support RFC2307 attributes in AD with the next releases
> for SSSD and FreeIPA. Currently only algorithmic IP mapping based on the
> AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature is
being implemented (in case you want to follow it):

https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
(https://fedorahosted.org/freeipa/report/3), you may also want to check that
they address your needs (and provide comments if they don't). We are still in a
design phase, so some amendments are possible.

Thanks,
Martin
