[Freeipa-users] freeIPA or just SSSD?
Jakub Hrozek
jhrozek at redhat.com
Mon Sep 14 19:41:33 UTC 2015
On Mon, Sep 14, 2015 at 12:38:00PM -0400, Mark Heslin wrote:
> Hi Tyler,
>
> Some comments below...I'm sure others will chime in :-)
>
> On 09/14/2015 10:33 AM, Milam, Tyler S wrote:
> >
> >My organization is evaluating new methods of user account provisioning in
> >Linux. What advantages does freeIPA offer over just SSSD?
> >
>
> Just to be clear, SSSD is the client that can work directly to an existing
> AD domain, or
> indirectly to an AD domain via IdM/FreeIPA and a cross-realm Kerberos trust.
> When you configure an IdM/FreeIPA client, SSSD is configured (via
> ipa-client-install or realmd). In short:
>
> SSSD -> AD (Direct AD Integration)
> SSSD -> IdM/FreeIPA (standard configuration)
> SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect AD integration)
>
> In general, Direct AD integration is recommended for small environments with
> few Linux clients.
> For larger numbers of clients, indirect AD integration is preferred as it
> will give you more control, granularity
> to manage users, hosts, services, certs, keytabs, etc.
>
> There are some details that come into play - particularly around which
> versions of RHEL (or non-RHEL) your clients are on.
> Attached is a tech brief we put out for Summit that can help.
Also, there were some blog posts Dmitri wrote up not too long ago that
compare direct and indirect integration:
http://rhelblog.redhat.com/2015/05/27/direct-or-indirect-that-is-the-question/