[Freeipa-users] Identification with openLDAP and authorization with FreeIPA

Rich Megginson rmeggins at redhat.com
Tue Jan 31 16:29:54 UTC 2017


On 01/31/2017 04:46 PM, Michaël Van de Borne wrote:
> That was the feared, but somehow expected, answer.
>
> Any entry point/documentation about how to start such a script?

Do FreeIPA and OpenLDAP still support the syncrepl protocol?

>
> cheers,
>
> m.
>
>
> On 31-01-17 at 16:42, Alexander Bokovoy wrote:
>> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>>> mmmmh, ok, thank you.
>>>
>>> But indeed, I would need HBAC and sudo rules in the future.
>>> So I believe the only exit here is to keep openLDAP and FreeIPA in 
>>> sync.
>>> Any clue on how to do this efficiently?
>> Well, we have 'ipa migrate-ds' functionality but this is not really
>> designed for continuous synchronisation. Neither is using a replication
>> mechanism as that was not designed to deal with inconsistent schema on
>> both sides (OpenLDAP schema is most likely not 1:1 to FreeIPA).
>>
>> Doing a custom add/modify script looks like the only solution.
>>
>>>
>>>
>>> Thank you,
>>>
>>> Cheers,
>>>
>>> m.
>>>
>>> On 31-01-17 at 16:23, Alexander Bokovoy wrote:
>>>> On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
>>>>> Hello list,
>>>>>
>>>>> Here's my situation:
>>>>> I'm installing Hadoop for a customer, and the Hadoop cluster is 
>>>>> secured with Kerberos. I used FreeIPA as a KDC.
>>>>> The customer uses openLDAP as a directory server.
>>>>>
>>>>> For now, our solution is to copy the whole openLDAP user base to 
>>>>> FreeIPA, and then use FreeIPA for the identification and 
>>>>> authorization (all the keytab stuff).
>>>> you mean authentication, not authorization here.
>>>>
>>>>> But keeping openLDAP and FreeIPA in sync is a nightmare, and I was 
>>>>> wondering something:
>>>>> Would it be possible to configure SSSD to simultaneously target 
>>>>> the openLDAP server to identify a user, and the FreeIPA server to 
>>>>> get the tickets?
>>>> Here is the thing: yes, you can do that by configuring explicitly
>>>> identity and authentication providers in sssd.conf. Set identity
>>>> provider to ldap and authentication provider to krb5, add necessary
>>>> configuration parameters and that would work. No HBAC, no SUDO rules,
>>>> etc, but that's what you want, it seems.
>>>>
>>>> Look at sssd-ldap and sssd-krb5 manual pages.
>>>>
>>>> When you configure identity provider to IPA or AD in sssd.conf, you are
>>>> just setting defaults for all other providers to the defaults of IPA or
>>>> AD provider. If you use a different identity provider, you'd need to
>>>> define proper authentication.
>>>>
>>>>> That way, we can avoid having to keep openLDAP and FreeIPA in sync...
>>>>>
>>>>> OR
>>>>>
>>>>> Is there an efficient way to keep openLDAP and FreeIPA in sync?
>>>>>
>>>>>
>>>>

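The split setup Alexander describes (identity from OpenLDAP, Kerberos authentication from the FreeIPA KDC, no HBAC) written out as an sssd.conf, added here as an example and not taken from the thread; the host names, base DN, realm, CA path and group name are assumptions:

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = hadoop

[domain/hadoop]
# Identity (users, groups, POSIX attributes) from the customer's OpenLDAP.
# Assumed host and base DN.
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Pin the directory's CA and refuse unverified certificates.
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.pem
ldap_tls_reqcert = demand

# Authentication and password changes against the FreeIPA KDC.
# Assumed server and realm. The principal is derived as user@REALM
# unless the LDAP entry carries a krbPrincipalName attribute.
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_kpasswd = ipa.example.com
krb5_realm = EXAMPLE.COM
# Verify the obtained TGT against the host key so a spoofed KDC cannot
# grant a login; requires this host's principal in the keytab.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# Without the IPA provider there is no HBAC, and access_provider
# defaults to permit; restrict logins explicitly instead.
access_provider = simple
simple_allow_groups = hadoop-admins

cache_credentials = true
```

Every OpenLDAP user still needs a matching principal in the FreeIPA realm for the krb5 step to succeed, which is exactly the synchronisation problem the thread is about.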