[Freeipa-users] about AD trusts and passthrough authentication

Daniel Shown shownde at slu.edu
Mon Aug 11 21:03:43 UTC 2014


Right, that's what I've got at this point. I just wanted to make sure I
wasn't missing something. Unfortunately, that architecture won't work for
me (mostly for political reasons instead of technical ones). I guess I'll
be digging into pass through auth to see if I can get that working.

thx.

===================================
*Daniel Shown,*
Linux Systems Administrator
Advanced Technology Group
Information Technology Services <http://www.slu.edu/its>
at Saint Louis University <http://www.slu.edu/>.

314-977-2583
===================================

"The aim of education
is the knowledge,
not of facts,
but of values."
— William S. Burroughs

"I’m supposed to be
a scientific person
but I use intuition
more than logic
in making basic
decisions."
— Seymour R. Cray




On Mon, Aug 11, 2014 at 3:08 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Mon, 11 Aug 2014, Daniel Shown wrote:
>
>> I'm fairly new to FreeIPA, so can someone give me a sanity check? Should I
>> be able to map AD users in an AD trust to corresponding FreeIPA users?
>> i.e. Users can auth with their AD credentials and get a FreeIPA uidnumber,
>> gidnumber, home, etc.?
>>
> Users from a trusted forest are treated as separate users. They have
> their own identities and get IDs from either Active Directory (if POSIX
> compatibility is enabled at AD) or from a special ID range allocated for
> them in IPA.
>
> You can include these users (and groups, it doesn't matter what is what)
> into a special type of group in IPA, called "external" groups. These
> groups, in turn, can be members of existing POSIX groups from IPA. If
> done so, your AD users will become members of appropriate POSIX groups
> from IPA by means of nested membership.
>
> These POSIX groups then can be used to apply SUDO or HBAC rules against
> AD users.
>
> --
> / Alexander Bokovoy
>
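
The mapping described in the quoted reply (trusted AD group, external group, POSIX group, then an HBAC rule), as an added example that is not part of the original thread. All group, rule and host-group names are constructed placeholders, and the script defaults to a dry run that only prints the ipa commands.

```shell
#!/bin/sh
# Added example, not from the thread. Names passed in below are constructed
# placeholders; the ipa subcommands and flags are the stock FreeIPA CLI.

# Print each command when DRY_RUN=1 (the default); execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only NETBIOS\name or name@domain, and never a leading dash, so the
# AD object name cannot be parsed as an option by the ipa command.
valid_ad_name() {
    case "$1" in
        -*)           return 1 ;;
        ?*\\?*|?*@?*) return 0 ;;
        *)            return 1 ;;
    esac
}

# map_ad_group AD_GROUP EXTERNAL_GROUP POSIX_GROUP
# AD group -> external (non-POSIX) IPA group -> POSIX IPA group (nested).
map_ad_group() {
    valid_ad_name "$1" || { printf 'bad AD name: %s\n' "$1" >&2; return 2; }
    run ipa group-add "$2" --external --desc "External map for $1" &&
    run ipa group-add "$3" --desc "POSIX group for $1" &&
    # Run interactively, ipa may prompt for member user/group; leave both empty.
    run ipa group-add-member "$2" --external "$1" &&
    run ipa group-add-member "$3" --groups "$2"
}

# allow_group_hbac RULE POSIX_GROUP HOSTGROUP SERVICE
# Grants the POSIX group (and so the nested AD users) one service on one host group.
allow_group_hbac() {
    run ipa hbacrule-add "$1" &&
    run ipa hbacrule-add-user "$1" --groups "$2" &&
    run ipa hbacrule-add-host "$1" --hostgroups "$3" &&
    run ipa hbacrule-add-service "$1" --hbacsvcs "$4"
}

# Dry run with constructed names: prints the plan, changes nothing.
map_ad_group 'AD\Domain Admins' ad_admins_external ad_admins
allow_group_hbac ad_admins_ssh ad_admins linux_servers sshd
```

Set DRY_RUN=0 on an enrolled host with an admin Kerberos ticket to apply the plan. An HBAC rule like this only restricts access once the default allow_all rule is disabled.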