[Freeipa-users] question about Active Directory authentication

Dmitri Pal dpal at redhat.com
Tue Feb 17 21:18:58 UTC 2015


On 02/17/2015 04:05 PM, David Fitzgerald wrote:
>
> Hello,
>
> I am currently running an IPA 3.3 server on Centos 7.  I have 70 IPA 
> client machines running Scientific Linux 6.6 and 150 users.  User 
> directories are auto-mounted from a Centos 7 file server.
>
> I have been informed that all computer users on our campus must now 
> authenticate off of the University's Active Directory server, 
> including all Linux machines.  I have been looking through the IPA 
> documentation and am getting myself confused and not completely 
> understanding what needs to be done, thus I have some questions.
>
> 1. The docs talk about setting up a trust between the IPA server and 
> the AD server.  Will I need to change all of the IPA clients as well 
> as the IPA server, or do I only need change the server and not have to 
> touch the clients?
>

With IPA on Centos 7 you can establish trust and your 6.6 machines should 
be capable of picking up the trust automatically.
>
> 2. Do I even need to set up a full trust relationship just to 
> authenticate my users with AD?
>

You have three options:
- Establish trust
- Sync users from AD to IPA
- Drop IPA and go direct AD (but you lose a lot).

We recommend the trust approach, and yet it is a full trust, but that does 
not mean that it is the wild west. The trust just means that users can cross 
authenticate. But if there are no permissions set (which is the case by 
default) the users, even if they are authenticated, can't do anything. So 
if your AD guys are worried that the trust would open a can of worms, 
it would not.

> 3. Since I already have 150 users, will I have to delete their IPA 
> accounts before setting up the trust?  W
>

Are these users the same as AD users?
If they are, you can move to IPA 4.1 and convert them to ID Views to 
assign POSIX data to the AD users and then remove.
https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> Sorry if my questions are a bit basic, but I need some guidance to get 
> me started.
>
> Thanks!
>
> Dave
>
> ++++++++++++++++++++++++++++++
>
> David Fitzgerald
>
> Department of Earth Sciences
>
> Millersville University
>
> Millersville, PA 17551
>
> Phone:  717-871-2394
>
> E-Mail:  david.fitzgerald at millersville.edu
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
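The "permissions" step the reply above refers to, as an added example that is not part of the thread: once the trust exists, an AD group is mapped into IPA through an external group and a POSIX wrapper group, and an HBAC rule then grants only that group sshd access to one host group. The domain, group and host group names are placeholders, and the `ipa` calls assume an admin Kerberos ticket on an IPA 3.3 or later server.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Maps one AD group into
# IPA and writes an HBAC rule so that only that group can ssh to one IPA
# host group. AD, "Linux Users" and lab-workstations are placeholders.
set -eu

# grant_ad_group_access AD_NETBIOS_DOMAIN AD_GROUP IPA_HOSTGROUP
# Prints the name of the HBAC rule it created.
grant_ad_group_access() {
    ad_domain="$1"; ad_group="$2"; hostgroup="$3"
    # Derive IPA object names from the AD group name (lowercase, no spaces)
    base=$(printf '%s' "$ad_group" | tr ' ' '_' | tr '[:upper:]' '[:lower:]')
    ext_group="ad_${base}_external"
    posix_group="ad_${base}"
    rule="allow_${base}_${hostgroup}_ssh"

    # 1. External (non-POSIX) group that holds the SID of the AD group
    ipa group-add --external "$ext_group" \
        --desc "AD group ${ad_domain}\\${ad_group}"
    ipa group-add-member "$ext_group" --external "${ad_domain}\\${ad_group}"

    # 2. POSIX group that IPA policies can reference, nesting the external one
    ipa group-add "$posix_group" --desc "POSIX wrapper for ${ext_group}"
    ipa group-add-member "$posix_group" --groups "$ext_group"

    # 3. HBAC rule: only this group, only this host group, only sshd
    ipa hbacrule-add "$rule" --desc "AD ${ad_group} ssh to ${hostgroup}"
    ipa hbacrule-add-user "$rule" --groups "$posix_group"
    ipa hbacrule-add-host "$rule" --hostgroups "$hostgroup"
    ipa hbacrule-add-service "$rule" --hbacsvcs sshd

    # 4. A still-enabled stock allow_all rule would bypass step 3; disabling
    #    it again is harmless, so the error for "already disabled" is ignored
    ipa hbacrule-disable allow_all 2>/dev/null || true
    printf '%s\n' "$rule"
}

# Usage (run as an IPA admin with a valid Kerberos ticket):
#   grant_ad_group_access AD "Linux Users" lab-workstations
```

Check the result with `ipa hbactest --user 'AD\someuser' --host host.ipa.example.com --service sshd` before relying on it.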
