[Freeipa-users] AD sync via polling?
Janne Blomqvist
janne.blomqvist at aalto.fi
Wed Feb 25 12:44:22 UTC 2015
Hi,
is it possible to use winsync to sync stuff from AD without having to
create domain trusts, or install some kind of sync services on the AD DC's?
For some background, we want to fetch user/group info and authenticate
against AD (managed by another department), but we also have a need to
have some own users/groups on top of the AD ones. So the initial plan
would be something like
A1. We join a machine to the AD domain, so we can fetch information from
AD via getent or ldapsearch.
A2. Scripts are written to fetch data from AD on the machine in (1)
above, merge and push this user/group data into freeIPA. These scripts
run periodically via cron.
Clients are configured roughly per the following:
B1. sssd on clients is configured to fetch user/group data from freeIPA.
B2. pam_krb5 in client machines is configured to authenticate against AD.
B3. pam_ldap (or pam_sss, if its use of kerberos doesn't conflict with
the configuration for connecting to AD used by pam_krb5?) in client
machines is configured to authenticate against freeIPA, for those users
who don't have accounts in AD.
Yes, I can see this being a lot simpler if we could get a cross domain
trust going on between AD and our freeIPA servers or even just the
winsync services running on the DC's, but organizational politics being
what they are, this isn't happening. :(
So my questions are
- Can the freeIPA winsync tool bend to providing A2 above, or do we have
to do it ourselves?
- As this setups is weird and non-standard, will using freeIPA actually
help us here, or would life be easier by just using 389 or openldap
directly? In essence, our main usage of freeIPA would be to provide
management tools for those users/groups which are not synced from AD.
- With the constraints above that we have to live with, is there a
better way to accomplish this?
- Does the thing in B3 work? I.e. can I have pam_krb5 with config in
/etc/krb5.conf for connecting to AD, then pam_sss with sssd.conf using
the ipa or krb5 auth provider pointing to our freeIPA server(s).
Thanks,
--
Janne Blomqvist
More information about the Freeipa-users
mailing list