[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Alexander Bokovoy abokovoy at redhat.com
Tue Jan 31 15:23:27 UTC 2017


On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>Hello list,
>
>Here's my situation:
>I'm installing Hadoop for a customer, and the Hadoop cluster is 
>secured with Kerberos. I used FreeIPA as a KDC.
>The customer uses openLDAP as a directory server.
>
>For now, our solution is to copy the whole openLDAP user base to 
>FreeIPA, and then use FreeIPA for the identification and authorization 
>(all the keytab stuff).
you mean authentication, not authorization here.

>But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>wondering something:
>Would it be possible to configure SSSD to simultaneously target the 
>openLDAP server to identify a user, and the FreeIPA server to get the 
>tickets?
Here is the thing: yes, you can do that by configuring explicitly
identity and authentication providers in sssd.conf. Set identity
provider to ldap and authentication provider to krb5, add necessary
configuration parameters and that would work. No HBAC, no SUDO rules,
etc, but that's what you want, it seems.

Look at sssd-ldap and sssd-krb5 manual pages.

When you configure identity provider to IPA or AD in sssd.conf, you are
just setting defaults for all other providers to the defaults of IPA or
AD provider. If you use a different identity provider, you'd need to
define proper authentication.

>That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>
>_*OR*_
>
>Is there an efficient way to keep openLDAP and FreeIPA in sync?
>


-- 
/ Alexander Bokovoy
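The split that Alexander describes, as an added example configuration that is not from the thread or from the SSSD project: `id_provider = ldap` pulls users and groups from openLDAP, while `auth_provider = krb5` sends password checks to the FreeIPA KDC. Every host name, base DN, realm, group and file path below is an assumed placeholder.

```ini
# Added example sssd.conf, not from the original thread.
# All hosts, DNs, realms and paths are placeholders.
[sssd]
services = nss, pam
domains = customer

[domain/customer]
# Identity: user and group lookups go to the customer's openLDAP
# (assumed host and base DN).
id_provider = ldap
ldap_uri = ldaps://ldap.customer.example
ldap_search_base = dc=customer,dc=example
# Pin the directory's CA and refuse an unverifiable certificate (assumed path).
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.crt
ldap_tls_reqcert = demand

# Authentication: passwords are verified by the FreeIPA KDC, not by
# the openLDAP bind. The user name from openLDAP must match the
# principal name in IPA; SSSD builds uid@KRB5_REALM unless the LDAP
# entry carries the attribute named by ldap_user_principal.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = IPA.EXAMPLE
krb5_server = ipa.customer.example
krb5_kpasswd = ipa.customer.example
# Verify the obtained TGT against this host's own keytab so that a
# spoofed KDC cannot grant a login. Needs a host principal enrolled
# in IPA and its keytab at the assumed path below.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# There is no IPA HBAC in this mode and access_provider defaults to
# permit, so decide who may log in here instead of leaving it open.
# This example allows only members of an assumed openLDAP group.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=hadoop-users,ou=groups,dc=customer,dc=example)

# Keep cached credentials so an IPA outage does not lock out users.
cache_credentials = true
```

After restarting SSSD, `getent passwd <user>` should answer from openLDAP and a PAM login for the same user should produce a ticket for the IPA realm (`klist` as that user); if the principal names do not line up, the lookup succeeds but authentication fails, which is the first thing to check in the SSSD domain log.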