[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Michaël Van de Borne michael.van.de.borne at gmail.com
Tue Jan 31 15:46:47 UTC 2017


That was the feared, but somehow expected, answer.

Any entry point/documentation about how to start such a script?

cheers,

m.

-- 
*Michaël Van de Borne*
Free Bird Computing SPRL - Gérant
104 rue d'Azebois, 6230 Thiméon
*Tel:* +32(0)472 695716
*Skype:* mikemowgli
*TVA:* BE0637.834.386
Linkedin profile 
<https://www.linkedin.com/in/micha%C3%ABl-van-de-borne-56409167>

On 31-01-17 at 16:42, Alexander Bokovoy wrote:
> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>> mmmmh, ok, thank you.
>>
>> But indeed, I would need HBAC and sudo rules in the future.
>> So I believe the only exit here is to keep openLDAP and FreeIPA in sync.
>> Any clue on how to do this efficiently?
> Well, we have 'ipa migrate-ds' functionality but this is not really
> designed for continuous synchronisation. Neither is using a replication
> mechanism as that was not designed to deal with inconsistent schema on
> both sides (OpenLDAP schema is most likely not 1:1 to FreeIPA).
>
> Doing a custom add/modify script looks like the only solution.
>
>>
>>
>> Thank you,
>>
>> Cheers,
>>
>> m.
>>
>> On 31-01-17 at 16:23, Alexander Bokovoy wrote:
>>> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>>>> Hello list,
>>>>
>>>> Here's my situation:
>>>> I'm installing Hadoop for a customer, and the Hadoop cluster is 
>>>> secured with Kerberos. I used FreeIPA as a KDC.
>>>> The customer uses openLDAP as a directory server.
>>>>
>>>> For now, our solution is to copy the whole openLDAP user base to 
>>>> FreeIPA, and then use FreeIPA for the identification and 
>>>> authorization (all the keytab stuff).
>>> you mean authentication, not authorization here.
>>>
>>>> But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>>>> wondering something:
>>>> Would it be possible to configure SSSD to simultaneously target the 
>>>> openLDAP server to identify a user, and the FreeIPA server to get 
>>>> the tickets?
>>> Here is the thing: yes, you can do that by configuring explicitly
>>> identity and authentication providers in sssd.conf. Set identity
>>> provider to ldap and authentication provider to krb5, add necessary
>>> configuration parameters and that would work. No HBAC, no SUDO rules,
>>> etc, but that's what you want, it seems.
>>>
>>> Look at sssd-ldap and sssd-krb5 manual pages.
>>>
>>> When you configure identity provider to IPA or AD in sssd.conf, you are
>>> just setting defaults for all other providers to the defaults of IPA or
>>> AD provider. If you use a different identity provider, you'd need to
>>> define proper authentication.
>>>
>>>> That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>>>>
>>>> _*OR*_
>>>>
>>>> Is there an efficient way to keep openLDAP and FreeIPA in sync?
>>>>
>>>>
>>>
>>>> -- 
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>>
>
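The split setup Alexander describes (identity from OpenLDAP, authentication from the FreeIPA KDC) expressed as an sssd.conf domain section. This is an added illustration, not a configuration from the thread or from the SSSD project; the domain name, server hostnames, base DN, realm, CA path and group name are assumptions, and the access_provider stanza is one way to replace the HBAC rules that this mode does not give you.

```ini
# /etc/sssd/sssd.conf  (must be owned by root, mode 0600, or sssd refuses to start)
# Added example: ldap identity provider + krb5 authentication provider.
# Hostnames, base DN, realm, CA bundle and group name are assumptions.

[sssd]
services = nss, pam
domains = corp

[domain/corp]
# --- identity: users and groups come from the customer's OpenLDAP ---
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Refuse to talk to a server whose certificate does not chain to our CA.
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand

# --- authentication: passwords are checked by the FreeIPA KDC ---
# The login name found in OpenLDAP must match a principal in the IPA realm.
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# Verify the TGT against the host's own key so a rogue KDC cannot
# vouch for a user; requires this host to be enrolled in IPA with a
# host/ principal in /etc/krb5.keytab.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab
cache_credentials = true

# --- access control: no HBAC in this mode, so restrict login locally ---
# Without this, every user present in OpenLDAP could log in.
access_provider = simple
simple_allow_groups = hadoop-admins
```

After `systemctl restart sssd`, `getent passwd someuser` should return the OpenLDAP entry while `kinit someuser` against the IPA realm succeeds for the same name; a mismatch between the two namespaces is the failure mode to test for first, since SSSD will resolve the user yet be unable to authenticate them. As stated in the thread, sudo rules and HBAC from FreeIPA are not available with this provider combination, which is why the access_provider block is needed.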
