[Freeipa-users] AD Sync and groups
malo
malo at avast.com
Wed Jul 27 12:41:39 UTC 2016
Hi,
Thank your for your reply, it really is much clearer to me now.
I think I get why SSSD offline authentication would help to solve "AD
unreachable" issue.
If I understood well, the SSSD on the IPA master would cache
credentials, allowing the user to log in (as in the kinit meaning) even
if the AD is unreachable ?
At last, I did not quite understand how the KDC proxy would help to
prevent network related issues.
To me it is just a way to allow users with restrictive firewall rules to
authenticate and requests ticket, if I understood well (from this doc
https://www.freeipa.org/page/V4/KDC_Proxy)
Thanks again for your help,
Nathan
On 07/26/2016 10:30 AM, Alexander Bokovoy wrote:
> On Tue, 26 Jul 2016, malo wrote:
>> Hello,
>>
>> I am currently setting up an architecture involving FreeIPA to
>> provide SSO for SSH to the servers.
>> I have several servers (~1500) in a few datacenters all over the
>> world (North America, South America, Europe, Asia).
>> The idea here was to have 4 masters/replicas per datacenter, with one
>> master/replica involved in a winsync replication process with our AD.
>> Thus, we would not suffer network outages, slow downs or timeouts
>> because each FreeIPA server would have a closer database of users
>> instead of querying a long distance AD.
>>
>> I've managed to setup successfully the winsync replication (after
>> having trouble with replication rights). I then turned on group
>> replication :
>>
>> ldapmodify -x -D "cn=directory manager" -w PASS
>>
>> dn:
>> cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds7NewWinGroupSyncEnabled
>> nsds7NewWinGroupSyncEnabled: true
>>
>>
>> I re-initialized the replication but I have no groups.
>> I did a little digging and came on this :
>> https://bugzilla.redhat.com/show_bug.cgi?id=1002414
>> Very unfortunate for me but a few things bother me.
>>
>> It says "reenable" in the RFE and I also found this documentation :
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html
>
> There is a difference between 389-ds winsync and FreeIPA winsync. The
> latter is a simplified version that doesn't see development anymore and
> is not supporting group sync because groups on IPA side are sufficiently
> different from AD groups while generic 389-ds winsync plugin is not
> tuned to IPA DIT.
>
>> It clearly specifies how to sync groups, which I enabled, but
>> nothings happen for me.
>> So, my questions would be :
>> - Is winsync group sync still enabled ?
>> - If not, why and when has it been disabled ?
>> - Is there anyway I could reenable it, by digging into the code ?
>>
>> Group sync seems a really MUST HAVE as a feature for the winsync,
>> since flat hierarchy is not really useful, imho.
> IPA uses flat hierarchy and has no support for non-flat DIT.
>
>> I can't consider an AD Trust architecture, It would be too dangerous
>> since the network connectivity of the AD is not safe enough, I could
>> not risk to block SSH access on my servers because of network lag.
>>
>> Has anyone been in a similar situation ? Do you have implemented AD
>> trust or winsync replication in such a large scale ?
> I cannot tell about actual deployments but there are plenty deployments
> with trust to AD in multiple data centers.
>
> If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
> authentication via IPA servers to AD DCs and also can do offline
> authentication in SSSD.
More information about the Freeipa-users
mailing list