[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Alexander Bokovoy abokovoy at redhat.com
Tue Jan 31 15:42:35 UTC 2017


On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>mmmmh, ok, thank you.
>
>But indeed, I would need HBAC and sudo rules in the future.
>So I believe the only exit here is to keep openLDAP and FreeIPA in sync.
>Any clue on how to do this efficiently?
Well, we have 'ipa migrate-ds' functionality but this is not really
designed for continuous synchronisation. Neither is using a replication
mechanism as that was not designed to deal with inconsistent schema on
both sides (OpenLDAP schema is most likely not 1:1 to FreeIPA).

Doing a custom add/modify script looks like the only solution.

>
>
>Thank you,
>
>Cheers,
>
>m.
>
>On 31-01-17 at 16:23, Alexander Bokovoy wrote:
>>On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>>>Hello list,
>>>
>>>Here's my situation:
>>>I'm installing Hadoop for a customer, and the Hadoop cluster is 
>>>secured with Kerberos. I used FreeIPA as a KDC.
>>>The customer uses openLDAP as a directory server.
>>>
>>>For now, our solution is to copy the whole openLDAP user base to 
>>>FreeIPA, and then use FreeIPA for the identification and 
>>>authorization (all the keytab stuff).
>>you mean authentication, not authorization here.
>>
>>>But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>>>wondering something:
>>>Would it be possible to configure SSSD to simultaneously target 
>>>the openLDAP server to identify a user, and the FreeIPA server to 
>>>get the tickets?
>>Here is the thing: yes, you can do that by configuring explicitly
>>identity and authentication providers in sssd.conf. Set identity
>>provider to ldap and authentication provider to krb5, add necessary
>>configuration parameters and that would work. No HBAC, no SUDO rules,
>>etc, but that's what you want, it seems.
>>
>>Look at sssd-ldap and sssd-krb5 manual pages.
>>
>>When you configure identity provider to IPA or AD in sssd.conf, you are
>>just setting defaults for all other providers to the defaults of IPA or
>>AD provider. If you use a different identity provider, you'd need to
>>define proper authentication.
>>
>>>That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>>>
>>>_*OR*_
>>>
>>>Is there an efficient way to keep openLDAP and FreeIPA in sync?
>>>
>>>
>>
>>>-- 
>>>Manage your subscription for the Freeipa-users mailing list:
>>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>Go to http://freeipa.org for more info on the project
>>
>>
>

-- 
/ Alexander Bokovoy
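The split that Alexander describes (identity from OpenLDAP, authentication from the FreeIPA KDC), written out as an added sssd.conf example that is not part of the thread; hostnames, base DN, realm, CA path and group name are placeholders to be replaced with the real values:

```ini
# /etc/sssd/sssd.conf  (must be mode 0600, owned by root, or sssd refuses to start)
[sssd]
config_file_version = 2
services = nss, pam
domains = hadoop

[domain/hadoop]
# Identity (users and groups) comes from the customer's OpenLDAP; see sssd-ldap(5).
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Verify the directory server certificate; never talk to an unverified server.
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.crt
ldap_tls_reqcert = demand

# Authentication and password changes go to the FreeIPA KDC; see sssd-krb5(5).
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# If the OpenLDAP entries carry no krbPrincipalName attribute, SSSD builds the
# principal as <uid>@EXAMPLE.COM, so the OpenLDAP uid must equal the FreeIPA login.
# Validate the TGT against this host's keytab so a spoofed KDC cannot grant access
# (assumes the host principal was enrolled in FreeIPA and its key is in the keytab).
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# Without IPA HBAC the default access_provider is "permit", i.e. every LDAP user may
# log in. The "simple" provider gives coarse group-based control from LDAP groups.
access_provider = simple
simple_allow_groups = hadoop-users

# Do not keep password hashes on the node for offline login unless required.
cache_credentials = false
```

Restart sssd after editing and check with `id <uid>` (identity from OpenLDAP) and `kinit <uid>` (ticket from the IPA realm) that both halves resolve independently.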