[Freeipa-users] AD sync via polling?

Rich Megginson rmeggins at redhat.com
Wed Feb 25 14:21:16 UTC 2015


On 02/25/2015 06:48 AM, Dmitri Pal wrote:
> On 02/25/2015 07:44 AM, Janne Blomqvist wrote:
>> Hi,
>>
>> is it possible to use winsync to sync stuff from AD without having to 
>> create domain trusts, or install some kind of sync services on the AD 
>> DC's?
>>
>> For some background, we want to fetch user/group info and 
>> authenticate against AD (managed by another department), but we also 
>> have a need to have some own users/groups on top of the AD ones. So 
>> the initial plan would be something like
>>
>> A1. We join a machine to the AD domain, so we can fetch information 
>> from AD via getent or ldapsearch.
>>
>> A2. Scripts are written to fetch data from AD on the machine in (1) 
>> above, merge and push this user/group data into freeIPA. These 
>> scripts run periodically via cron.
>>
>> Clients are configured roughly per the following:
>>
>> B1. sssd on clients is configured to fetch user/group data from freeIPA.
>>
>> B2. pam_krb5 in client machines is configured to authenticate against 
>> AD.
>>
>> B3. pam_ldap (or pam_sss, if its use of kerberos doesn't conflict 
>> with the configuration for connecting to AD used by pam_krb5?) in 
>> client machines is configured to authenticate against freeIPA, for 
>> those users who don't have accounts in AD.
>>
>> Yes, I can see this being a lot simpler if we could get a cross 
>> domain trust going on between AD and our freeIPA servers or even just 
>> the winsync services running on the DC's, but organizational politics 
>> being what they are, this isn't happening. :(
>>
>> So my questions are
>>
>> - Can the freeIPA winsync tool bend to providing A2 above, or do we 
>> have to do it ourselves?
>>
>> - As this setup is weird and non-standard, will using freeIPA 
>> actually help us here, or would life be easier by just using 389 or 
>> openldap directly? In essence, our main usage of freeIPA would be to 
>> provide management tools for those users/groups which are not synced 
>> from AD.
>>
>> - With the constraints above that we have to live with, is there a 
>> better way to accomplish this?
>>
>> - Does the thing in B3 work? I.e. can I have pam_krb5 with config in 
>> /etc/krb5.conf for connecting to AD, then pam_sss with sssd.conf 
>> using the ipa or krb5 auth provider pointing to our freeIPA server(s).
>>
>>
>> Thanks,
> You can use SSSD and define two domains, one for AD and one for IPA. 
> You join the machine to IPA to at least take advantage of what it provides 
> for objects you manage, but use AD as a second domain in the SSSD 
> configuration.
> You do not need to sync anything or use pam_krb5/pam_ldap. So no scripts.
> You can also decide to join the machine into AD instead but I do not 
> see any benefits from doing it.
> The only price in this setup is that one of the domains (the second 
> one) would have to use fully qualified user names to log into the system.

+1

If however you still want to do something with scripts and the Windows 
AD DirSync control with polling, see 
https://github.com/richm/scripts/blob/master/dirsyncctrl.py

>
> HTH
>
>
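The two-domain SSSD layout Dmitri describes, as an added configuration example that is not from the thread or the FreeIPA project. The domain names, realm names, server hostnames and keytab path are placeholders; it assumes the host is enrolled in IPA with ipa-client-install and already holds a keytab for the AD domain at the path given, since the ad provider binds to the DCs with host credentials.

```ini
# Added example (not from the thread): one SSSD instance serving an IPA and an AD domain.
# Placeholders: ipa.example.test / IPA.EXAMPLE.TEST, ad.example.test / AD.EXAMPLE.TEST,
# the server hostnames and /etc/krb5.ad.keytab.
[sssd]
config_file_version = 2
services = nss, pam
# Lookup order: short names resolve against the first domain; the AD domain below
# requires fully qualified names, so AD accounts can never shadow IPA accounts.
domains = ipa.example.test, ad.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.ipa.example.test
ipa_hostname = client1.ipa.example.test
cache_credentials = True

[domain/ad.example.test]
id_provider = ad
auth_provider = ad
ad_domain = ad.example.test
ad_server = dc1.ad.example.test
krb5_realm = AD.EXAMPLE.TEST
# Keytab with the host's AD credentials; required for the ad provider to bind.
krb5_keytab = /etc/krb5.ad.keytab
# The "price" mentioned above: AD users log in as user@ad.example.test.
use_fully_qualified_names = True
# Derive POSIX UIDs/GIDs from SIDs when AD does not carry POSIX attributes.
ldap_id_mapping = True
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
cache_credentials = True
```

With this in place `getent passwd someuser@ad.example.test` should resolve an AD account through the second domain, and no winsync, pam_krb5 or cron-driven merge scripts are involved.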