[Freeipa-users] AD sync via polling?

Janne Blomqvist janne.blomqvist at aalto.fi
Wed Feb 25 12:44:22 UTC 2015


Hi,

is it possible to use winsync to sync stuff from AD without having to 
create domain trusts, or install some kind of sync services on the AD DCs?

For some background, we want to fetch user/group info and authenticate 
against AD (managed by another department), but we also have a need to 
have some own users/groups on top of the AD ones. So the initial plan 
would be something like

A1. We join a machine to the AD domain, so we can fetch information from 
AD via getent or ldapsearch.

A2. Scripts are written to fetch data from AD on the machine in (1) 
above, merge and push this user/group data into freeIPA. These scripts 
run periodically via cron.

Clients are configured roughly per the following:

B1. sssd on clients is configured to fetch user/group data from freeIPA.

B2. pam_krb5 in client machines is configured to authenticate against AD.

B3. pam_ldap (or pam_sss, if its use of kerberos doesn't conflict with 
the configuration for connecting to AD used by pam_krb5?) in client 
machines is configured to authenticate against freeIPA, for those users 
who don't have accounts in AD.

Yes, I can see this being a lot simpler if we could get a cross-domain 
trust going on between AD and our freeIPA servers or even just the 
winsync services running on the DCs, but organizational politics being 
what they are, this isn't happening. :(

So my questions are

- Can the freeIPA winsync tool bend to providing A2 above, or do we have 
to do it ourselves?

- As this setup is weird and non-standard, will using freeIPA actually 
help us here, or would life be easier by just using 389 or openldap 
directly? In essence, our main usage of freeIPA would be to provide 
management tools for those users/groups which are not synced from AD.

- With the constraints above that we have to live with, is there a 
better way to accomplish this?

- Does the thing in B3 work? I.e. can I have pam_krb5 with config in 
/etc/krb5.conf for connecting to AD, then pam_sss with sssd.conf using 
the ipa or krb5 auth provider pointing to our freeIPA server(s).


Thanks,
-- 
Janne Blomqvist
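The following is an added example, not code from the poster or from the FreeIPA project, of what the cron job in step A2 could look like at its core: a dry-run reconciler that takes the `getent passwd` style lines collected on the AD-joined host plus the current FreeIPA state, and emits the `ipa` CLI invocations that would bring IPA in line with AD. It tags AD-derived accounts with a marker value in the user class attribute (the `--class` option of `ipa user-add`/`user-mod` is assumed here; `--setattr` would do as well) so that accounts without the marker, i.e. the extra users the post wants to keep on top of the AD ones, are never modified or removed, and a login that exists on both sides is reported as a conflict instead of being overwritten. Parsing GECOS as "First Last", the sample passwd lines and the sample IPA state are all constructed for the example.

```python
"""Added example: dry-run reconciler for pushing AD-derived POSIX users into FreeIPA."""
from dataclasses import dataclass

AD_MARKER = "synced-from-ad"  # constructed marker value, not a FreeIPA convention


@dataclass(frozen=True)
class PosixUser:
    name: str
    uidnumber: int
    gidnumber: int
    gecos: str
    homedir: str
    shell: str

    def names(self):
        # Assumption: GECOS holds "First Last". FreeIPA requires both a first and
        # a last name, so fall back to the login name when GECOS is empty.
        first, _, last = self.gecos.partition(" ")
        return first or self.name, last or self.name


def parse_passwd(lines):
    """Parse 'name:x:uid:gid:gecos:home:shell' lines into a dict keyed by login."""
    users = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _, uid, gid, gecos, home, shell = parts
        users[name] = PosixUser(name, int(uid), int(gid), gecos, home, shell)
    return users


def plan_user_sync(ad_users, ipa_users):
    """Return (ipa commands as argv lists, list of conflicting logins).

    ad_users:  dict login -> PosixUser parsed from the AD-joined host.
    ipa_users: dict login -> (PosixUser, userclass) as currently stored in IPA;
               userclass is None for accounts that carry no class at all.
    """
    commands, conflicts = [], []
    for name, u in sorted(ad_users.items()):
        first, last = u.names()
        posix_opts = [f"--uid={u.uidnumber}", f"--gidnumber={u.gidnumber}",
                      f"--homedir={u.homedir}", f"--shell={u.shell}"]
        if name not in ipa_users:
            commands.append(["ipa", "user-add", name, f"--first={first}", f"--last={last}",
                             *posix_opts, f"--class={AD_MARKER}"])
            continue
        current, userclass = ipa_users[name]
        if userclass != AD_MARKER:
            # Same login exists as a locally managed IPA account: report it, never touch it.
            conflicts.append(name)
            continue
        if current != u:
            commands.append(["ipa", "user-mod", name, f"--first={first}", f"--last={last}",
                             *posix_opts])
    # Accounts synced earlier that have vanished from AD are disabled, not deleted:
    # a transient AD lookup failure must not destroy group memberships or file ownership.
    for name, (_, userclass) in sorted(ipa_users.items()):
        if userclass == AD_MARKER and name not in ad_users:
            commands.append(["ipa", "user-disable", name])
    return commands, conflicts


# Constructed sample input standing in for `getent passwd` on the AD-joined host
# and for what `ipa user-find` would report on the IPA side.
AD_PASSWD_LINES = [
    "jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash",
    "asmith:*:10002:10000:Alice Smith:/home/asmith:/bin/bash",
    "svc-backup:*:10050:10000::/home/svc-backup:/sbin/nologin",
]
IPA_STATE = {
    "jdoe": (PosixUser("jdoe", 10001, 10000, "John Doe", "/home/jdoe", "/bin/bash"), AD_MARKER),
    "bwayne": (PosixUser("bwayne", 10003, 10000, "Bruce Wayne", "/home/bwayne", "/bin/bash"), AD_MARKER),
    "asmith": (PosixUser("asmith", 20001, 20000, "Alice Smith", "/home/asmith", "/bin/zsh"), None),
}


def demo():
    return plan_user_sync(parse_passwd(AD_PASSWD_LINES), IPA_STATE)


if __name__ == "__main__":
    cmds, conflicts = demo()
    for argv in cmds:
        print(" ".join(argv))
    print("conflicts:", conflicts)
```

Run on the sample data it plans a `user-add` for `svc-backup`, leaves `jdoe` alone because nothing changed, disables `bwayne` because AD no longer lists him, and flags `asmith` as a conflict rather than overwriting the local account. One caveat for the real job: if the AD-joined host hands out SSSD-generated ID mapping rather than POSIX attributes stored in AD, the UID/GID numbers pushed into IPA are only as stable as that host's mapping configuration, so keep it identical on every host that may ever run the sync.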