[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Michaël Van de Borne michael.van.de.borne at gmail.com
Tue Jan 31 15:41:41 UTC 2017


This would be the best option!

But the customer won't allow this :( since the openLDAP is also used by 
other apps.

So I need to sync them. Which means:
- adding the new users (not so difficult)
- removing old users (perhaps not too complicated)
- replicating changes like a password update (for this one, I'm 
completely clueless).

Any idea?



-- 
*Michaël Van de Borne*
Free Bird Computing SPRL - Manager
104 rue d'Azebois, 6230 Thiméon
*Tel:* +32(0)472 695716
*Skype:* mikemowgli
*VAT:* BE0637.834.386
Linkedin profile 
<https://www.linkedin.com/in/micha%C3%ABl-van-de-borne-56409167>

On 31-01-17 at 16:34, Martin Basti wrote:
>
> Is there a possibility to migrate OpenLDAP to IPA DS and use only one 
> source of Identity data?
>
> Martin^2
>
>
> On 31.01.2017 16:30, Michaël Van de Borne wrote:
>> mmmmh, ok, thank you.
>>
>> But indeed, I would need HBAC and sudo rules in the future.
>> So I believe the only exit here is to keep openLDAP and FreeIPA in sync.
>> Any clue on how to do this efficiently?
>>
>>
>> Thank you,
>>
>> Cheers,
>>
>> m.
>>
>> On 31-01-17 at 16:23, Alexander Bokovoy wrote:
>>> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>>>> Hello list,
>>>>
>>>> Here's my situation:
>>>> I'm installing Hadoop for a customer, and the Hadoop cluster is 
>>>> secured with Kerberos. I used FreeIPA as a KDC.
>>>> The customer uses openLDAP as a directory server.
>>>>
>>>> For now, our solution is to copy the whole openLDAP user base to 
>>>> FreeIPA, and then use FreeIPA for the identification and 
>>>> authorization (all the keytab stuff).
>>> you mean authentication, not authorization here.
>>>
>>>> But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>>>> wondering something:
>>>> Would it be possible to configure SSSD to simultaneously target the 
>>>> openLDAP server to identify a user, and the FreeIPA server to get 
>>>> the tickets?
>>> Here is the thing: yes, you can do that by configuring explicitly
>>> identity and authentication providers in sssd.conf. Set identity
>>> provider to ldap and authentication provider to krb5, add necessary
>>> configuration parameters and that would work. No HBAC, no SUDO rules,
>>> etc, but that's what you want, it seems.
>>>
>>> Look at sssd-ldap and sssd-krb5 manual pages.
>>>
>>> When you configure identity provider to IPA or AD in sssd.conf, you are
>>> just setting defaults for all other providers to the defaults of IPA or
>>> AD provider. If you use a different identity provider, you'd need to
>>> define proper authentication.
>>>
>>>> That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>>>>
>>>> _*OR*_
>>>>
>>>> Is there an efficient way to keep openLDAP and FreeIPA in sync?
>>>>
>>>>
>>>
>>>> -- 
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>>
>>
>>
>

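The split configuration Alexander describes (identity from OpenLDAP, authentication from the FreeIPA KDC), written out as an added sssd.conf example. This is not from the thread or from the SSSD or FreeIPA projects; the host names, realm, base DN, CA bundle path and group name are placeholders that you would replace with the customer's values.

```ini
# /etc/sssd/sssd.conf -- added example, not from the thread.
# Identity (users and groups) comes from the customer's OpenLDAP;
# authentication (Kerberos tickets) comes from the FreeIPA KDC.
# Host names, realm, base DN, CA path and group name are placeholders.
# The file must be owned by root with mode 0600 or sssd refuses to start.

[sssd]
config_file_version = 2
services = nss, pam
domains = hadoop

[domain/hadoop]
# --- identity: the customer's OpenLDAP ---
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Verify the directory's certificate; "demand" refuses to proceed
# without a trusted certificate instead of silently continuing.
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
# Attribute holding the user's Kerberos principal, if OpenLDAP carries
# one; when the attribute is absent SSSD uses <uid>@<krb5_realm>.
ldap_user_principal = krbPrincipalName

# --- authentication: the FreeIPA KDC ---
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# Validate the TGT against the host keytab so that a spoofed KDC cannot
# log users in (requires host/<fqdn> in /etc/krb5.keytab).
krb5_validate = True
krb5_canonicalize = False

# --- access control ---
# There are no IPA HBAC rules in this setup and SSSD's default
# access_provider is "permit", so restrict logins explicitly here.
access_provider = simple
simple_allow_groups = hadoop-admins

cache_credentials = True
```

With this layout the password question in the reply above largely disappears: the password (the Kerberos key) lives only in the IPA KDC, and `chpass_provider = krb5` sends password changes to kpasswd, so nothing has to be replicated back to OpenLDAP. What still has to exist in both places is the user itself: an entry in OpenLDAP for uid/gid/home/shell, and a principal in IPA for the ticket. As Alexander notes, HBAC and sudo rules from IPA are not available with `id_provider = ldap`, which is why the `access_provider` block carries the host-level access policy instead.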