[Freeipa-users] Chained IPA Servers

Dmitri Pal dpal at redhat.com
Tue Mar 24 10:42:12 UTC 2015


On 03/24/2015 03:25 AM, Jakub Hrozek wrote:
> On Mon, Mar 23, 2015 at 08:23:00PM -0400, Dmitri Pal wrote:
>> On 03/23/2015 05:13 PM, Matt Wells wrote:
>>> We have two authentication domains; both on 4.X.
>>>
>>> Domain 1 - Internal and contains our employee accounts
>>> Domain 2 - External accounts that reside outside of our company.
>>> These accounts are utilized to gain access to some of our web
>>> resources.
>>>
>>> Is there a method to point our older app at "domain 2" IPA servers and
>>> forward on to internal if not found?
>>> As always, thanks to all who monitor and read this list.  One of the best.
>>>
>> Can you please be a bit more specific?
>>
>> You have an app that is currently pointing to external servers.
>> How does it point to them? Using LDAP or some other way?
>> What kind of app is it?
>> Can you modify it, or is it stock software?
>>
>> Forward to the internal "if not found" what? User?
>> So you want the app to be able to access users from both domains
>> effectively, right?
> That's the way I read the original question, too, and if that's the case,
> then it's pretty much how SSSD's domains behave.
>
> so if you had in sssd.conf:
>      domains = dom1, dom2
> Then a query for a username would first look into dom2. If the user was
> found, it would be returned to the NSS stack and dom2 wouldn't be
> queried at all. If there are conflicting names, however, and you want to
> go straight to dom2, you need to qualify the names:
>      getent passwd user at dom2
>
Right, the question is: can the application take advantage of the SSSD 
integration?
I mean this is the perfect case for the external authentication approach 
we promote.
http://www.freeipa.org/page/Web_App_Authentication

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
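As an added illustration (not from the thread, and not SSSD's own code), here is a small Python model of the lookup behaviour Jakub describes: an unqualified name walks the "domains =" list in order and stops at the first hit, while "user@dom2" goes straight to that domain. The domain names, accounts and the use_fully_qualified_names variant are constructed assumptions; the name-splitting regex is SSSD's default re_expression.

```python
import re
from typing import Dict, List, Optional, Tuple

# SSSD's default re_expression: a trailing "@domain" qualifies the name.
RE_EXPRESSION = re.compile(r"^(?P<name>[^@]+)@?(?P<domain>[^@]*)$")

# Constructed sample data standing in for two IPA domains, in the order of
# the "domains =" line: name -> (use_fully_qualified_names, {user: uid}).
# "alice" exists in both, so it is a conflicting name.
DOMAINS: Dict[str, Tuple[bool, Dict[str, int]]] = {
    "dom1": (False, {"alice": 1001, "bob": 1002}),
    "dom2": (False, {"alice": 2001, "carol": 2002}),
}

# Same data, but dom2 insists on qualified names (assumed configuration).
DOMAINS_FQN = {
    "dom1": (False, {"alice": 1001, "bob": 1002}),
    "dom2": (True, {"alice": 2001, "carol": 2002}),
}


def parse_name(raw: str) -> Tuple[str, Optional[str]]:
    """Split 'user' or 'user@dom' into (user, dom-or-None)."""
    m = RE_EXPRESSION.match(raw)
    if not m:
        raise ValueError(f"not a valid SSSD name: {raw!r}")
    return m.group("name"), m.group("domain") or None


def resolve_user(raw: str, domains=DOMAINS):
    """Model one NSS passwd lookup.

    Returns ((domain, uid) or None, [domains actually queried, in order]).
    Unqualified names walk the domain list in order and stop at the first
    hit, skipping domains that require fully qualified names; a qualified
    name is sent only to the named domain.
    """
    name, qualifier = parse_name(raw)
    queried: List[str] = []
    if qualifier is not None:
        candidates = [qualifier] if qualifier in domains else []
    else:
        candidates = [d for d, (fqn, _) in domains.items() if not fqn]
    for dom in candidates:
        queried.append(dom)
        uid = domains[dom][1].get(name)
        if uid is not None:
            return (dom, uid), queried
    return None, queried


if __name__ == "__main__":
    for query in ("alice", "alice@dom2", "carol", "dave"):
        print(query, "->", resolve_user(query))
```

The second element of the result shows which domains were actually consulted, which is the part worth checking when a "not found" in the external domain is expected to fall through to the internal one.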
