[Freeipa-users] using AD token to get freeipa token
Stijn De Weirdt
stijn.deweirdt at ugent.be
Wed Jul 9 16:38:00 UTC 2014
hi all,
we are investigating the possibility to use an existing and valid AD
token to obtain a token from a realm under FreeIPA (3.3.3 from el7),
without having to set up the full IPA AD cross realm trust. (in
particular, to avoid that AD has to trust the IPA setup; and with the
goal that we can minimise any required actions on the AD setup).
what we would like to achieve is the following:
kinit user@AD
--- authenticate via AD password
kinit otherusername@IPA
-- no password required, authentication based on valid AD token
so one can then e.g. "ssh otherusername@machine.under.ipa.control"
the user@AD to otherusername@IPA mapping is provided somewhere on the
IPA server and is static.
as far as i understood, this is (very?) different from an actual trust
relation where having the user@AD token is sufficient to do "ssh
otherusername@machine.under.ipa.control".
any hints are welcome!
stijn