[Freeipa-users] AD replication and password passthrough

Simpson Lachlan Lachlan.Simpson at petermac.org
Tue May 24 23:21:49 UTC 2016


We were doing this by utilising overrides (changing user names, /home/ s, etc), but I think we had to back out of that plan because we encountered issues. We may go back.

Using Host Based Access Control (HBAC) and sudo is a powerful set of tools. What did you want to do that wasn’t covered by those three?


L.


From: Redmond, Stacy [mailto:stacy.redmond at blueshieldca.com]
Sent: Wednesday, 25 May 2016 9:15 AM
To: Simpson Lachlan
Subject: RE: AD replication and password passthrough

I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA installation (ipa.foo.com), but in all the documentation it says I have to install PassSync on AD to synchronize passwords. I would rather just tell IPA to authorize the user via password from AD.

I have a one-way trust set up now, just would rather have everything in IPA, but use AD passwords due to new requirements.

From: Simpson Lachlan [mailto:Lachlan.Simpson at petermac.org]
Sent: Tuesday, May 24, 2016 4:09 PM
To: Redmond, Stacy <stacy.redmond at blueshieldca.com>
Subject: RE: AD replication and password passthrough

It depends on what you mean.

If, by replication, you mean using FreeIPA as a backup AD server, it would need to be a two-way trust.

If you have a separate subdomain, it’s definitely possible with a one-way trust.

Cheers
L.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Redmond, Stacy
Sent: Tuesday, 24 May 2016 3:15 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] AD replication and password passthrough

Is there a way to set up replication from AD, and just use passthrough to AD for passwords, vs having to synchronize passwords? I am getting a lot of pushback from the AD team on installing the password sync software due to issues in the past. I would like to set up replication, but still use AD to authenticate passwords.

This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.