[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Michaël Van de Borne michael.van.de.borne at gmail.com
Tue Jan 31 15:30:33 UTC 2017


Mmmmh, OK, thank you.

But indeed, I would need HBAC and sudo rules in the future.
So I believe the only way out here is to keep openLDAP and FreeIPA in sync.
Any clue on how to do this efficiently?


Thank you,

Cheers,

m.

On 31-01-17 at 16:23, Alexander Bokovoy wrote:
> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>> Hello list,
>>
>> Here's my situation:
>> I'm installing Hadoop for a customer, and the Hadoop cluster is 
>> secured with Kerberos. I used FreeIPA as a KDC.
>> The customer uses openLDAP as a directory server.
>>
>> For now, our solution is to copy the whole openLDAP user base to 
>> FreeIPA, and then use FreeIPA for the identification and 
>> authorization (all the keytab stuff).
> you mean authentication, not authorization here.
>
>> But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>> wondering something:
>> Would it be possible to configure SSSD to simultaneously target the 
>> openLDAP server to identify a user, and the FreeIPA server to get the 
>> tickets?
> Here is the thing: yes, you can do that by configuring explicitly
> identity and authentication providers in sssd.conf. Set identity
> provider to ldap and authentication provider to krb5, add necessary
> configuration parameters and that would work. No HBAC, no SUDO rules,
> etc, but that's what you want, it seems.
>
> Look at sssd-ldap and sssd-krb5 manual pages.
>
> When you configure identity provider to IPA or AD in sssd.conf, you are
> just setting defaults for all other providers to the defaults of IPA or
> AD provider. If you use a different identity provider, you'd need to
> define proper authentication.
>
>> That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>>
>> _*OR*_
>>
>> Is there an efficient way to keep openLDAP and FreeIPA in sync?
>>
>>
>

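As an added illustration of the split-provider setup Alexander describes (this is example configuration written for this page, not something posted in the thread or shipped by FreeIPA; the hostnames, base DN, realm, CA path and group name are placeholders you would replace), an sssd.conf that takes identities from the customer's openLDAP server and authentication from the FreeIPA KDC looks like this:

```ini
# Example sssd.conf: identity from openLDAP, authentication from the FreeIPA KDC.
# All hostnames, the search base, the realm and the group name below are
# placeholders (assumptions), not values from the thread.
[sssd]
services = nss, pam
domains = hadoop

[domain/hadoop]
# --- identity (users, groups, POSIX attributes) comes from openLDAP ---
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Pin the LDAP server certificate to your own CA; never leave reqcert at "allow"
# or "never", otherwise a spoofed directory can hand out fake UIDs/groups.
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.pem
ldap_tls_reqcert = demand

# --- authentication and password changes go to the FreeIPA KDC ---
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# Validate the TGT against the host's own keytab to defeat KDC spoofing.
# This requires a host principal from the IPA realm in /etc/krb5.keytab.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# --- access control ---
# Without the IPA provider there is no HBAC, so restrict logins with the
# "simple" provider (sssd-simple(5)) instead of allowing everyone.
access_provider = simple
simple_allow_groups = hadoop-users

cache_credentials = true
```

A few things worth checking after restarting sssd (and keeping the file mode 0600, root-owned, since sssd refuses world-readable configs): `getent passwd alice` should resolve through the LDAP provider, while a PAM login as that user should obtain a TGT from the IPA KDC. Because the krb5 provider builds the principal as `<login name>@<krb5_realm>`, the uid in openLDAP must match the principal name in IPA for each user; that is the one piece of "sync" this setup does not remove. HBAC and sudo rules still require the IPA provider, as Alexander says, so the simple access provider above is the substitute, not an equivalent.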