[Freeipa-users] Fwd: Deployment query

Sambit Nayak sambitnayak at gmail.com
Thu Nov 10 15:23:39 UTC 2016 

Hi everyone,

Requesting answers to some queries regarding FreeIPA deployment.

Here is a short description of the deployment scenario.

User/group identities are present in multiple identity/authentication
sources - such as Windows AD, LDAP/Kerberos. The identity source servers -
such as Windows AD Domain Controller - could be in multiple data centers
across WAN/internet.

Goal is to make a set of Linux (client) hosts access and authenticate such
identities. The Linux client hosts could be in a separate data center from
one or more such identity sources.

Will a SSSD/FreeIPA based deployment work here?

- Set up a FreeIPA server (and possibly replicas) in the Linux hosts data
center, and set up the Linux hosts to use SSSD and be enrolled in the
FreeIPA realm

- Set up cross-forest trusts between FreeIPA and (one or more) Windows AD
forests.

             - If FreeIPA server and Windows AD domain controllers have
their system clock synchronized (NTP or otherwise), then would it work even
though for some reason, the local time zone on the servers have been
configured differently? For instance, local time zone on FreeIPA server is
America/New_York and that on Windows AD DC is in Europe/London, but their
system clock are set to UTC.
            I understand its better to have servers always set their clock
set to UTC, but still just to be sure, hence asking. Plus, this FreeIPA
webpage says time zone settings on FreeIPA and WindowsAD must be same :
https://www.freeipa.org/page/Active_Directory_trust_setup#
Date.2Ftime_settings
> Date/time settings
>
> Make sure both timezone settings and date/time settings on both servers
match.

And yes, system clock on Linux client hosts running SSSD will also be same
as on FreeIPA server.


- SSSD on FreeIPA-enrolled Linux hosts can identify/authenticate identities
from Windows AD through FreeIPA trust.

But what about identities in other stores - like simple LDAP, or another
Kerberos realm? Can FreeIPA act as a "single channel" to all Linux SSSD
client hosts for such identities, or does SSSD on the individual Linux
hosts have to directly interact with the non-Windows AD identity sources?

I read some information that FreeIPA server itself can have "trust" with
Windows AD realms only as of now, hence asking...


- Regarding connectivity between FreeIPA server (and/or SSSD Linux client
hosts) and the identity source servers (Windows AD DC, etc.), it will be
through something like VPN over WAN/internet. Will that be advisable?


Thanks & Regards,
Sambit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161110/6956153b/attachment.htm>

More information about the Freeipa-users mailing list