[Freeipa-users] using AD token to get freeipa token

Simo Sorce simo at redhat.com
Fri Jul 11 14:28:58 UTC 2014


On Fri, 2014-07-11 at 16:24 +0200, Stijn De Weirdt wrote:
> hi Simo,
> 
> ok, that's a pity. the problem we are trying to solve is the following: we 
> are going to setup a new krb5 realm with IPA and we would like to 
> explore methods to have our users authenticate against this realm (well, 
> the kinit otherusername at IPA part) using methods that exist/are available 
> for our users. i.e. we would really really like to avoid that our users 
> have to create yet another password.
> 
> the users currently are in AD, so we thought we could use the AD tokens 
> to authenticate, avoiding passwords.

You can do this by establishing a trust between AD and IPA.

> maybe i should rephrase my original question a bit:
> what authentication schemes does kinit support (is there anything 
> besides using a password), and if passwords are unavoidable, is it 
> possible to use something like OTP with kinit and IPA (the user somehow 
> gets the OTP, and can use that for kinit with an IPA controlled realm)?
> (maybe it is possible that the password verification step from IPA is 
> handed over to AD somehow?).

In FreeIPA 4.0 we introduced support for 2FA and TOTP; it still requires
a password, the OTP is only the second factor.


Another option is to sync users and passwords from AD to IPA, we do not
recommend this but it is possible.

Finally there is a very hackish client configuration some people used
where authentication happens against AD but everything else is going
through IPA. I do not feel like recommending this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
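The trust route Simo recommends above, written out as an added example (it is not part of the thread and not FreeIPA project code). The realm names IPA.EXAMPLE.COM and AD.EXAMPLE.COM, the host names, the user "alice" and the AD "Administrator" account are assumptions; the klist output embedded at the bottom is a constructed sample used only to exercise the check that the AD ticket really was exchanged for an IPA-realm ticket. Only the standard `ipa-adtrust-install`, `ipa trust-add`, `kinit`, `kvno` and `klist` commands are used.

```shell
#!/bin/sh
# Added example, not from the Freeipa-users thread. Cross-realm Kerberos via an
# IPA<->AD trust: the user only ever types the AD password, and the IPA KDC
# issues service tickets for IPA hosts based on the AD-issued cross-realm TGT.
set -eu

IPA_REALM=IPA.EXAMPLE.COM          # assumed IPA realm
AD_DOMAIN=ad.example.com           # assumed AD forest root domain
AD_REALM=AD.EXAMPLE.COM            # its Kerberos realm name (upper-case)
AD_USER=alice                      # assumed AD account, has no IPA password
IPA_CLIENT=client.ipa.example.com  # assumed IPA-enrolled client host

# One-time, on an IPA server, with an IPA admin ticket already in the cache
# (kinit admin). Both commands prompt for the passwords they need.
setup_trust() {
    ipa-adtrust-install --netbios-name=IPA --add-sids
    ipa trust-add --type=ad "$AD_DOMAIN" --admin Administrator --password
}

# Return 0 when klist output ($1) contains the cross-realm TGT
# krbtgt/<ipa realm>@<ad realm>, i.e. the AD KDC referred the client to IPA
# and the IPA KDC accepted that referral. Return 1 otherwise.
has_cross_realm_tgt() {
    klist_out=$1; ipa_realm=$2; ad_realm=$3
    printf '%s\n' "$klist_out" | grep -qF "krbtgt/$ipa_realm@$ad_realm"
}

# On an IPA client: authenticate as the AD user, then request a ticket for an
# IPA-realm service. kvno forces the cross-realm exchange so we can verify it.
client_login() {
    kinit "$AD_USER@$AD_REALM"                 # AD password only
    kvno "host/$IPA_CLIENT@$IPA_REALM"         # triggers the referral to IPA
    if has_cross_realm_tgt "$(klist)" "$IPA_REALM" "$AD_REALM"; then
        echo "AD ticket for $AD_USER was exchanged for an $IPA_REALM service ticket"
    else
        echo "no cross-realm TGT in the cache; check the trust, DNS and krb5.conf" >&2
        return 1
    fi
}

# Constructed sample of what klist shows after a successful client_login.
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
07/11/2014 16:24:00  07/12/2014 02:24:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
07/11/2014 16:24:05  07/12/2014 02:24:00  krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
07/11/2014 16:24:05  07/12/2014 02:24:00  host/client.ipa.example.com@IPA.EXAMPLE.COM'

# Usage: sh trust.sh server   (on the IPA server)
#        sh trust.sh client   (on an IPA client, as the AD user)
case "${1:-}" in
    server) setup_trust ;;
    client) client_login ;;
esac
```

The check on the klist output is the practical signal that the setup works: if only `krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM` is present after `kvno`, the AD KDC never referred the client to the IPA realm, which usually means the trust, the DNS SRV records for the IPA realm, or the client's krb5.conf realm mapping is wrong.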