[Freeipa-users] One way trusts

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Tue Jan 14 01:05:04 UTC 2014


Hi Dimitri,

>Just to be sure I understand.
>You have internal users - they are in AD. You have external users - they are in LDAP.
>You merge two directories and you want to replace this setup with IPA.

Yes.

>It seems that to support your use case you would need to make the external users be IPA users and make AD and IPA trust each other.

I think I concur about migrating my external users into IPA and making IPA trust AD. I may be ignorant of some AD nuance, but I do not see why AD needs to trust IPA. AD does not need to trust my LDAP clients currently.

>Also if external users do not authenticate using Kerberos (for example they always use a special portal) then it does not matter what trust is between AD and IPA because those users will not have Kerberos tickets that are leveraged in SSO in trust case.

I want to be able to point either an LDAP or a Kerberos client at IPA, and have it authenticate my "enterprise" and "external" users for me. I'm not going to tangle with SSO at the moment. Right now, we're just establishing an identity store.

>IPA can trust AD. Formally it is a mutual trust but in reality IPA does not have global catalog support for users in IPA to be able to access the resources in AD.

In many of the tutorials/HOWTOs, I see that there is a requirement to provide credentials having the permission to add a computer to the domain, or being a member of an AD administration group. I'm a lowly standard "User" in the AD. I don't know if that means I can add a computer to the domain or not. I know I lack the ability to edit AD entries that aren't mine, so I really need a solution that does not require creating a trust relationship inside AD.

Is there a way for me to comment out the AD->IPA trust creation, or would that break the IPA->AD trust?

Thanks much,
Bryce
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.