<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/26/2013 01:31 AM, Trey Dockendorf wrote:
<blockquote
cite="mid:CAN0oX1aQtREjw4BM2J1F9B=6r-gVKX+bfpzPws+rD9WJPf0_uw@mail.gmail.com"
type="cite">
<p dir="ltr"><br>
On Feb 25, 2013 1:23 AM, "Dmitri Pal" <<a
moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>
wrote:<br>
><br>
> On 02/23/2013 10:33 PM, Trey Dockendorf wrote:<br>
> > I just begun evaluating FreeIPA, after having
successfully used 389ds<br>
> > for a few months. The move from 389 ds to FreeIPA is
to leverage the<br>
> > authorization for host logins and also for simpler
management. The<br>
> > University I am deploying at has a campus wide KDC and
for security<br>
> > and audit reasons I prefer to point my authentication
services at that<br>
> > Kerberos realm rather than storing passwords. I have
successfully<br>
> > implemented this using the 389 ds pam pass through
authentication<br>
> > plug-in , but have not found any documentation on how
to do this same<br>
> > thing with FreeIPA.<br>
> ><br>
> > The complication with doing this is I do not have even
a 1 way trust<br>
> > with the KDC. Getting a trust (even 1-way) is very
difficult if not<br>
> > impossible, but so far I've been able to make PAM work
with that<br>
> > situation both using local authentication and now 389
ds, both through<br>
> > PAM. Is it possible to have FreeIPA query a remote
KDC while still<br>
> > being able to fallback to the local password store (ie
external users<br>
> > not in campus domain).<br>
><br>
> IPA uses the 389 DS so it might be possible to configure
PAM pass<br>
> through but there might be implications because if users
are not in IPA<br>
> you would not get a ticket and since you cant get a ticket
you can't use<br>
> UI and CLI. You can still bind using LDAP though as you do
with the 389.<br>
> So to manage IPA you would still have to have a user in
IPA. However you<br>
> will have two KDCs and I do not know what implications
there would be<br>
> for the clients, they might be confused.<br>
> Frankly you are better off with 389 now untill we make
setting up trusts<br>
> with other IPAs or MIT KDCs simple. We did that for AD but
it requires a<br>
> clean DNS setup. I suspect DNS setup will be an issue in
any case.<br>
><br>
> ><br>
> > Thanks<br>
> > - Trey<br>
> ><br>
> > _______________________________________________<br>
> > Freeipa-users mailing list<br>
> > <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> > <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager for IdM portfolio<br>
> Red Hat Inc.<br>
><br>
><br>
> -------------------------------<br>
> Looking to carve out IT costs?<br>
> <a moz-do-not-send="true"
href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></p>
<p dir="ltr">Thanks for the response! I do plan to have all my
users in freeIPA. My goal is to have my freeIPA install just
attempt a password authentication against external KDC via pam
on the IPA server before trying the local password store. With
my current 389 setup, clients are unaware of our campus KDC, the
authentication is handled my 389 server and currently users in
my LDAP who have campus accounts get their password verified via
PAM and others in my LDAP use the local password stored in 389.</p>
<p dir="ltr">The aspects of IPA aside from 389 are where my
uncertainty lies. For example, if I have LDAP authenticate
against an external KDC via PAM, can the user still get a ticket
from my IPA? </p>
<p dir="ltr">Also getting a trust may not be possible even if
freeipa makes the process easier. This is a politics issue with
our campus' main IT group and something I've worked around thus
far.</p>
<p dir="ltr">Is there anything in changes of the stock 389 that
would prevent this from working in IPA? Also is there a
preferred method for enabling plugins in IPA? Also how could I
test this? Would a client machine joined to my IPA install be
the best method?</p>
<p dir="ltr">Thanks<br>
- Trey</p>
</blockquote>
If you hit IPA with a kerberos authentication to the best of my
knowledge KDC will read the data from LDAP and use it for
authentication. It would not do PAM proxy in this case. The pam
proxy would be possible only for the LDAP binds so I am not sure
whether things would work for you.<br>
<br>
I see that you try to augment the existing infrastructure but I am
not sure I have a clear picture in my mind of the architecture you
envision.<br>
Is there any chance that you can put together a diagram? <br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>