[Freeipa-users] 2012r2 AD and RHEL 7.1 IPA compatibility
Dmitri Pal
dpal at redhat.com
Thu Jan 29 23:29:54 UTC 2015
On 01/29/2015 06:19 PM, Steven Jones wrote:
>
> Where is this at? i.e. is the above a supported configuration?
>
Supported.
>
> So will PassSync and winsync work OK?
>
Yes
>
> Will trusts?
>
Yes
>
> Will they work together?
>
Only during migration.
There is a migration strategy.
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
> So ideally I'd like to use winsync and PassSync to provision users
> from AD to IPA. Then in specific low security situations use trusts to
> grant access. So for low security instances e.g. a user on a windows
> or linux desktop can log in with one password.
>
I am not sure I follow.
With trust you have a single user entry in AD, and even if a Linux system
is connected to IPA, the user logging into it will authenticate against
AD, but it will be IPA that defines whether this user can access this
system. It will be defined via HBAC rules.
So whether you use trust or sync, the access control is orthogonal and
depends on which system the host is joined to.
I guess you need to take a look at how IPA can define HBAC rules for
users from AD in the trust case. You add an AD group as a member of the IPA
group and then apply HBAC policy to that IPA group.
>
> However for high level security I want to have permissions only
> granted/grantable in IPA. So an admin to say the HR database server
> cannot log in with a trust from IPA; they have to be in a user group
> set up in IPA only.
>
> regards
>
> Steven
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
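As an added illustration of the group-mapping step Dmitri describes (not code from the thread or from the FreeIPA project), the script below drives the `ipa` CLI to map an AD group to an IPA HBAC rule that is scoped to one host and one service. It assumes an established trust, an admin Kerberos ticket, and hypothetical names (AD group `AD\HR DB Admins`, host `hrdb.ipa.example`); with `IPA_DRY_RUN=1` it only prints the commands.

```shell
#!/bin/sh
# Added example: AD group -> external IPA group -> POSIX IPA group -> HBAC rule.
# Assumptions (hypothetical): trust to the AD domain already exists, an IPA
# admin ticket is held, and the host/group names are placeholders.
# IPA_DRY_RUN=1 prints each 'ipa' command instead of executing it.

ipa_cmd() {
    # Run (or print) one ipa subcommand; -n stops the CLI from prompting.
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf 'ipa -n %s\n' "$*"
    else
        ipa -n "$@"
    fi
}

# grant_ad_group_access <ad_group> <ipa_group> <hbac_rule> <host> <service>
grant_ad_group_access() {
    ad_group=$1; ipa_group=$2; rule=$3; host=$4; svc=$5
    ext="${ipa_group}_external"
    # 1. Non-POSIX "external" group: the only IPA group type that can hold AD SIDs.
    ipa_cmd group-add "$ext" --external --desc="AD members for $ipa_group"
    # 2. Add the AD group; IPA resolves it to a SID through the trust.
    ipa_cmd group-add-member "$ext" --external "$ad_group"
    # 3. POSIX group that HBAC (and sudo) rules can reference.
    ipa_cmd group-add "$ipa_group" --desc="HBAC target for $ad_group"
    ipa_cmd group-add-member "$ipa_group" --groups "$ext"
    # 4. HBAC rule: only this group, only this host, only this service.
    ipa_cmd hbacrule-add "$rule" --desc="$ad_group -> $svc on $host"
    ipa_cmd hbacrule-add-user "$rule" --groups "$ipa_group"
    ipa_cmd hbacrule-add-host "$rule" --hosts "$host"
    ipa_cmd hbacrule-add-service "$rule" --hbacsvcs "$svc"
}

# The default allow_all rule grants every user access to every host; a
# scoped rule only restricts anything once allow_all is disabled.
disable_allow_all() {
    ipa_cmd hbacrule-disable allow_all
}

# check_access <user> <host> <service>: ask IPA which rules would match.
check_access() {
    ipa_cmd hbactest --user="$1" --host="$2" --service="$3"
}

if [ "${1:-}" = "demo" ]; then
    grant_ad_group_access 'AD\HR DB Admins' hr_db_admins hr_db_admin_ssh \
        hrdb.ipa.example sshd
    disable_allow_all
    check_access 'jdoe@ad.example' hrdb.ipa.example sshd
fi
```

Run `IPA_DRY_RUN=1 sh script.sh demo` first to review the command sequence before executing it against a live IPA server.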