[Freeipa-users] Updated doc, synchronization question

Orion Poplawski orion at cora.nwra.com
Thu Jan 9 22:53:11 UTC 2014


On 01/09/2014 06:07 AM, Martin Kosek wrote:
> On 01/08/2014 07:16 PM, Orion Poplawski wrote:
>> Two questions:
>>
>> - Any ETA on an updated 3.3.3 Users Guide?
> 
> Our current plan is to release next documentation release along with FreeIPA
> 3.4, when more documentation fixes are factored in.
> 
> Just in case you would like to check the most recent status of the
> documentation work (or even help us with it), this page describes the details
> 
> http://www.freeipa.org/page/Contribute/Documentation
> 
> including instructions how to build HTMLs out of our git tree.
> 

Thanks, I'll take a look.

>> - Is AD/IPA synchronization still supported in 3.3.3?  Will it always?
> 
> The AD/IPA synchronization is supported only in terms in bug fixes. As for the
> enhancements, the FreeIPA core team is focusing on the AD trusts:
> 
> http://www.freeipa.org/page/Trusts
> 
> (That does not mean we are not open to contributions from the community)
> 
> Martin
> 

Thanks for that link - the video was helpful.  Although I'm afraid that is
making me lean towards implementing the not recommended "split brain"
approach.  Although one thing that is not clear to me is whether doing this
consumes CALs for the linux machines since they authenticate against AD.

Currently we have two main office locations (DNS cora.nwra.com and nwra.com)
plus some remote users and a 389-ds LDAP server for the Linux boxes and an AD
domain (NWRA.LOCAL).  We are using the LDAP/AD password/user sync module to
sync users and passwords.  Essentially, all of our Linux users are Windows
users and vice versa, and we have well established UIDs on both sides.

We would like to move to using Kerberos on the Linux machines and to be able
to have as much SSO capability as possible.  Am I correct in assuming that
this either requires a single KDC or trusts between KDCs?  While trusts are
being promoted as the way to go for this, I'm afraid it will require a lot of
tweaking to our current setup.  Or perhaps not.  We currently maintain DNS
outside of AD, and would do the same with IPA.  We're happy to apply custom
configurations via puppet, etc.


-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
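As an added illustration of the "single KDC or trusts between KDCs" question above (this is not part of the thread, and not FreeIPA's or MIT Kerberos's own code), the script below parses the [domain_realm] and [capaths] sections of a client krb5.conf and reports, for a client host and a service host, which realm each maps to and whether a cross-realm path is configured between them. The sample krb5.conf is constructed: NWRA.LOCAL is the AD domain named in the message, while the IPA realm name CORA.NWRA.COM and the KDC hostnames are assumptions.

```python
"""Check a krb5.conf for realm mapping and cross-realm paths (added example)."""

# Constructed sample krb5.conf. NWRA.LOCAL is the AD domain from the message;
# CORA.NWRA.COM as the IPA realm and the kdc hostnames are assumptions.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = CORA.NWRA.COM
  dns_lookup_realm = false

[realms]
  CORA.NWRA.COM = {
    kdc = ipa.cora.nwra.com
  }
  NWRA.LOCAL = {
    kdc = dc1.nwra.local
  }

[domain_realm]
  .cora.nwra.com = CORA.NWRA.COM
  cora.nwra.com = CORA.NWRA.COM
  .nwra.local = NWRA.LOCAL
  nwra.local = NWRA.LOCAL

[capaths]
  CORA.NWRA.COM = {
    NWRA.LOCAL = .
  }
  NWRA.LOCAL = {
    CORA.NWRA.COM = .
  }
"""

# Same config with no [capaths] section: two realms, no configured trust path.
SAMPLE_NO_TRUST = SAMPLE_KRB5_CONF.split("[capaths]")[0]


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: sections of key = value, with one level of { } blocks."""
    sections, current, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            sub = None
            continue
        if current is None:
            continue
        if line == "}":
            sub = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = current.setdefault(key, {})
            continue
        (sub if sub is not None else current)[key] = value
    return sections


def realm_for_host(conf, hostname):
    """Map a hostname to a realm as libkrb5 does: exact entries match one host,
    leading-dot entries match the domain and its subdomains; the longest match
    wins, and default_realm is the fallback."""
    host = hostname.lower()
    best = None
    for pattern, realm in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        hit = host.endswith(p) if p.startswith(".") else host == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, realm)
    return best[1] if best else conf.get("libdefaults", {}).get("default_realm")


def trust_path(conf, client_realm, service_realm):
    """Return the list of realms a ticket request would traverse, or None when
    no [capaths] entry links the two realms. '.' means a direct cross-realm key;
    any other value is treated as a single intermediate realm."""
    if client_realm == service_realm:
        return [client_realm]
    entry = conf.get("capaths", {}).get(client_realm, {}).get(service_realm)
    if entry is None:
        return None
    if entry == ".":
        return [client_realm, service_realm]
    return [client_realm, entry, service_realm]


def sso_check(conf, client_host, service_host):
    """Summarise whether a client in one realm can reach a service in another."""
    cr = realm_for_host(conf, client_host)
    sr = realm_for_host(conf, service_host)
    path = trust_path(conf, cr, sr)
    return {"client_realm": cr, "service_realm": sr, "single_kdc": cr == sr,
            "path": path, "ok": path is not None}


if __name__ == "__main__":
    for text in (SAMPLE_KRB5_CONF, SAMPLE_NO_TRUST):
        print(sso_check(parse_krb5_conf(text), "ws1.cora.nwra.com", "fs.nwra.local"))
```

Run against a real client's /etc/krb5.conf, the output shows whether a Linux host and an AD service end up in the same realm (one KDC) or whether a [capaths] entry has to carry the request across realms, which is the configuration a KDC trust implies on the client side.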
