[Freeipa-users] Chained IPA Servers

Jakub Hrozek jhrozek at redhat.com
Tue Mar 24 07:25:32 UTC 2015


On Mon, Mar 23, 2015 at 08:23:00PM -0400, Dmitri Pal wrote:
> On 03/23/2015 05:13 PM, Matt Wells wrote:
> >We have two authentication domains; both on 4.X.
> >
> >Domain 1 - Internal and contains our employee accounts
> >Domain 2 - External accounts that reside outside of our company.
> >These accounts are utilized to gain access to some of our web
> >resources.
> >
> >Is there a method to point our older app at "domain 2" IPA servers and
> >forward on to internal if not found?
> >As always, thanks to all who monitor and read this list.  One of the best.
> >
> Can you please be a bit more specific?
> 
> You have an app that is currently pointing to external servers.
> How does it point to them? Using LDAP or some other way?
> What kind of app is it?
> Can you modify it, or is it stock software?
> 
> Forward to the internal "if not found" what? User?
> So you want the app to be able to access users from both domains
> effectively, right?

That's the way I read the original question, too, and if that's the case,
then it's pretty much how SSSD's domains behave.

So if you had in sssd.conf:
    domains = dom1, dom2
Then a query for a username would first look into dom2. If the user was
found, it would be returned to the NSS stack and dom2 wouldn't be
queried at all. If there are conflicting names, however, and you want to
go straight to dom2, you need to qualify the names:
    getent passwd user@dom2
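As an added illustration of the lookup order described above (example code, not part of the thread and not SSSD's own code), the following models how an ordered `domains =` list resolves bare versus qualified names. The domain names, the user databases and the colliding username "jdoe" are constructed for the example.

```python
"""Model of SSSD's ordered domain lookup (added example, not SSSD code).

Constructed data: two fake domains sharing one username ("jdoe"), so a
bare lookup silently resolves to whichever domain is listed first.
"""
import re

# Constructed sssd.conf fragment; only the 'domains' key matters here.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = dom1, dom2
"""

# Constructed per-domain user databases (username -> uid).
DOMAINS = {
    "dom1": {"jdoe": 1001, "alice": 1002},  # internal employee accounts
    "dom2": {"jdoe": 2001, "bob": 2002},    # external accounts
}


def parse_domain_order(conf: str) -> list:
    """Return the domains from the 'domains =' line, in configured order."""
    m = re.search(r"^\s*domains\s*=\s*(.+)$", conf, re.MULTILINE)
    if not m:
        return []
    return [d.strip() for d in m.group(1).split(",") if d.strip()]


def lookup(name: str, order: list, dbs: dict):
    """Resolve a user the way SSSD walks its domains.

    'user@dom' goes straight to that one domain. A bare name is tried
    against each domain in configured order and the first hit wins; later
    domains are never consulted. Returns (domain, uid) or None.
    """
    if "@" in name:
        user, dom = name.rsplit("@", 1)
        if dom in dbs and user in dbs[dom]:
            return dom, dbs[dom][user]
        return None
    for dom in order:
        if name in dbs.get(dom, {}):
            return dom, dbs[dom][name]
    return None


def ambiguous_names(order: list, dbs: dict) -> set:
    """Usernames present in more than one domain: without qualification
    these always resolve to the first domain in 'order'."""
    seen, dupes = set(), set()
    for dom in order:
        for user in dbs.get(dom, {}):
            if user in seen:
                dupes.add(user)
            seen.add(user)
    return dupes
```

Running `ambiguous_names` over the configured domains is a cheap way to find accounts that an application must always address as `user@domain` to avoid hitting the wrong directory.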