[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Martin Basti mbasti at redhat.com
Tue Jan 31 15:34:10 UTC 2017


Is there a possibility to migrate OpenLDAP to IPA DS and use only one 
source of Identity data?

Martin^2


On 31.01.2017 16:30, Michaël Van de Borne wrote:
> mmmmh, ok, thank you.
>
> But indeed, I would need HBAC and sudo rules in the future.
> So I believe the only exit here is to keep openLDAP and FreeIPA in sync.
> Any clue on how to do this efficiently?
>
>
> Thank you,
>
> Cheers,
>
> m.
>
> On 31-01-17 at 16:23, Alexander Bokovoy wrote:
>> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>>> Hello list,
>>>
>>> Here's my situation:
>>> I'm installing Hadoop for a customer, and the Hadoop cluster is 
>>> secured with Kerberos. I used FreeIPA as a KDC.
>>> The customer uses openLDAP as a directory server.
>>>
>>> For now, our solution is to copy the whole openLDAP user base to 
>>> FreeIPA, and then use FreeIPA for the identification and 
>>> authorization (all the keytab stuff).
>> you mean authentication, not authorization here.
>>
>>> But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>>> wondering something:
>>> Would it be possible to configure SSSD to simultaneously target the 
>>> openLDAP server to identify a user, and the FreeIPA server to get 
>>> the tickets?
>> Here is the thing: yes, you can do that by configuring explicitly
>> identity and authentication providers in sssd.conf. Set identity
>> provider to ldap and authentication provider to krb5, add necessary
>> configuration parameters and that would work. No HBAC, no SUDO rules,
>> etc, but that's what you want, it seems.
>>
>> Look at sssd-ldap and sssd-krb5 manual pages.
>>
>> When you configure identity provider to IPA or AD in sssd.conf, you are
>> just setting defaults for all other providers to the defaults of IPA or
>> AD provider. If you use a different identity provider, you'd need to
>> define proper authentication.
>>
>>> That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>>>
>>> _*OR*_
>>>
>>> Is there an efficient way to keep openLDAP and FreeIPA in sync?
>>>
>>>
>>
>>> -- 
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>>
>
>
>

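The split configuration Alexander describes (LDAP for identity, Kerberos against the IPA KDC for authentication), written out as an sssd.conf domain section. This is an added illustration, not a file from the thread; the host names, base DN, realm, CA path and group names are placeholders, and it assumes the host is enrolled in the IPA realm so that /etc/krb5.keytab exists.

```ini
# /etc/sssd/sssd.conf (illustrative; names, base DN and realm are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
# Identity (users, groups, POSIX attributes) is looked up in the customer's OpenLDAP.
id_provider = ldap
ldap_uri = ldaps://ldap.corp.example
ldap_search_base = dc=corp,dc=example
ldap_schema = rfc2307
# Require a trusted server certificate so identity lookups cannot be redirected.
ldap_tls_cacert = /etc/openldap/certs/corp-ca.crt
ldap_tls_reqcert = demand

# Authentication (and password changes) go to the FreeIPA KDC.
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.corp.example
krb5_realm = CORP.EXAMPLE
# Check the obtained TGT against the host keytab so a spoofed KDC cannot
# "authenticate" a user; assumes this host is enrolled in the IPA realm.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# With id_provider = ldap, IPA HBAC and sudo rules do not apply (see the
# reply above), so host access control has to be expressed here instead.
access_provider = simple
simple_allow_groups = hadoop-admins, hadoop-users

cache_credentials = true
```

After editing, `sssctl config-check` validates the syntax and `getent passwd <user>` followed by a PAM login confirm that lookups hit OpenLDAP while the ticket comes from the IPA realm.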