[Freeipa-users] question on Active Directory and FreeIPA

Simo Sorce simo at redhat.com
Fri Jun 19 19:30:38 UTC 2015


On Fri, 2015-06-19 at 21:15 +0200, Jakub Hrozek wrote:
> On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
> > Hello,
> > 
> > Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a CentOS 7 server, and using
> > it to manage about 200 users and 90 Scientific Linux workstations, and
> > everything works great.  Unfortunately I have been told that I must now
> > use the University's Active Directory to authenticate all of my users.
> > I have read the documentation on FreeIPA / AD integration and am not sure if
> > that will meet my requirements.  All my Linux users' home directories are
> > automounted on login from a CentOS 7 NFS server with their bash profiles
> > etc. run off that mount. From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to be
> > able to log into a Linux machine with access to their Windows folders and
> > profiles (oddjob creating a local home directory on the Linux box, etc.)
> > I don't want this.  All I need is to simply authenticate the user using AD
> > (BTW their IPA usernames and AD usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any
> > folders mounted from the Windows servers.
> > Have I completely misread the documentation and I can do this by integrating FreeIPA and AD? Is there an easy way to do this? I am not a Windows AD expert by any means.
> 
> I'm not sure I completely answer your question, but... in case of IPA-AD
> trust, the AD users always authenticate against AD, even in case of
> password authentication on an IPA box. The passwords are not
> synchronized in any way.
> 
> So I guess having the user accounts in AD, but keeping the automount
> info, sudo rules etc would satisfy your requirements?
> 
> With the recent 'views' feature, you can set POSIX attributes for IPA
> users without touching the AD LDAP schema, even per-host.

Just for clarity: note that use of these features will require an upgrade
of your server to the latest CentOS 7.2 (when it is released).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
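As an added example (not from this thread) of the 'views' approach Jakub describes: a POSIX shell script that creates an ID view, gives a trusted-AD user a fixed UID/GID, a home under the NFS automount root and bash, and applies the view to one workstation, so the AD schema is never touched. The AD domain, view name, host, and UID/GID values are assumptions; it needs FreeIPA 4.1 or later with an established trust, and it prints the commands instead of running them when DRY_RUN=1 or the ipa CLI is not installed.

```shell
#!/bin/sh
# Added example, not part of the thread: per-host POSIX overrides for AD users
# via FreeIPA ID views. All names and numbers below are assumed values.
set -eu

AD_DOMAIN="ad.example.edu"      # assumed: the AD domain the IPA trust was set up with
VIEW="linux-workstations"       # assumed: ID view name (not the built-in "Default Trust View")
NFS_HOME_ROOT="/home"           # assumed: automount root served by the NFS server

# run_ipa prints the command when DRY_RUN=1 or when the ipa CLI is absent,
# otherwise it runs it; either way it returns 0 so the script is testable offline.
run_ipa() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipa >/dev/null 2>&1; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# Create the view; overrides added to it only take effect on hosts it is applied to.
create_view() {
    run_ipa idview-add "$VIEW" --desc="POSIX attributes for AD users on Linux workstations"
}

# override_user USER UID GID: the override is keyed by the AD account (user@AD_DOMAIN),
# so the same username on the IPA side keeps its familiar home and shell.
override_user() {
    run_ipa idoverrideuser-add "$VIEW" "$1@$AD_DOMAIN" \
        --uid="$2" --gidnumber="$3" \
        --homedir="$NFS_HOME_ROOT/$1" --shell=/bin/bash
}

# Apply the view to a host; hosts without an applied view use the Default Trust View.
apply_view() {
    run_ipa idview-apply "$VIEW" --hosts="$1"
}

# Example session with assumed values; set DRY_RUN=1 to only print the commands.
create_view
override_user alice 10001 10001
apply_view ws01.linux.example.edu
```

The SSSD on each workstation must be recent enough to honour ID views for the overrides to be visible on that host.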
