<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/11/2014 04:00 PM, William Muriithi wrote:
<blockquote
cite="mid:CAE9rU+6dihTMqeb3jGXxphN3-vjuP7K++T5Z10sT5oYrY5WHCg@mail.gmail.com"
type="cite">
<p><br>
> >>>> Two questions:<br>
> >>>><br>
> >>>> - Any ETA on an updated 3.3.3 Users Guide?<br>
> >>><br>
> >>> Our current plan is to release next
documentation release along with<br>
> >>> FreeIPA<br>
> >>> 3.4, when more documentation fixes are
factored in.<br>
> >>></p>
<p>Would you by any chance know when FreeIPA 3.4 will be realised?</p>
<p>Looking to update a version 2.2 and would wait for 3.4 if its
reasonably soon.</p>
</blockquote>
<br>
We planned for Feb but it seems like it would slip. How much is
unclear.<br>
We might reduce the scope and cut it earlier (I mean do not slip too
much) or try to keep the scope and extend the time couple months.<br>
We will decide in early Feb.<br>
<br>
Sorry not to have a more precise answer.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CAE9rU+6dihTMqeb3jGXxphN3-vjuP7K++T5Z10sT5oYrY5WHCg@mail.gmail.com"
type="cite">
<p>William </p>
<p>> >>> Just in case you would like to check the most
recent status of the<br>
> >>> documentation work (or even help us with it),
this page describes<br>
> >>> the details<br>
> >>><br>
> >>> <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Contribute/Documentation">http://www.freeipa.org/page/Contribute/Documentation</a><br>
> >>><br>
> >>> including instructions how to build HTMLs out
of our git tree.<br>
> >>><br>
> >><br>
> >> Thanks, I'll take a look.<br>
> >><br>
> >>>> - Is AD/IPA synchronization still
supported in 3.3.3? Will it always?<br>
> >>><br>
> >>> The AD/IPA synchronization is supported only
in terms in bug fixes.<br>
> >>> As for the<br>
> >>> enhancements, the FreeIPA core team is
focusing on the AD trusts:<br>
> >>><br>
> >>> <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Trusts">http://www.freeipa.org/page/Trusts</a><br>
> >>><br>
> >>> (That does not mean we are not open to
contributions from the<br>
> >>> community)<br>
> >>><br>
> >>> Martin<br>
> >>><br>
> >><br>
> >> Thanks for the that link - the video was helpful.
Although I'm<br>
> >> afraid that is<br>
> >> making me lean towards implementing the not
recommended "split brain"<br>
> >> approach. Although one thing that is not clear to
me is weather<br>
> >> doing this<br>
> >> consumes CALs for the linux machines since they
authenticate against AD.<br>
> > Linux machines do not authenticate against AD DC in
single sign-on<br>
> > case. Instead, usually Windows users obtain their
Kerberos TGT upon<br>
> > logon to<br>
> > Windows machines and then use it to obtain tickets to
services on Linux<br>
> > machines, by obtaining cross-realm TGT from AD DC and
presenting it to<br>
> > IPA KDC as a proof. So in single sign-on case it works
fine --<br>
> > authentication against AD happens on AD side.<br>
> ><br>
> > Of course, when AD users attempt to log in with
password to IPA<br>
> > resources, SSSD would perform communication with AD DC
to obtain TGT on<br>
> > their behalf. There is AD DC involved in making a
decision whether<br>
> > this AD user is allowed to authenticate. On Kerberos
level, however,<br>
> > there are no limitations from where the authentication
request comes<br>
> > (unless it is restricted with the firewalls). CALs
play role on using<br>
> > Windows resources after authentication happened but in
IPA AD trusts<br>
> > case currently only IPA resources can be consumed by
AD users, IPA users<br>
> > cannot yet consume Windows resources and therefore get
assigned rights<br>
> > to access them.<br>
> ><br>
><br>
> To clarify the CAL part.<br>
> The CALs come in two shapes: per user and per host.<br>
> If it is per user and you have users in AD then regardless
of how you<br>
> integrate with IPA you have to pay these CALs.<br>
> If your CALs is around hosts then they are based on the
count of the<br>
> computer objects in AD.<br>
> If the client system is joined directly and has kerberos
identity in AD<br>
> domain you have an object in AD that counts towards CALs.<br>
> If you have client joined to IPA and either trust or sync
solution in<br>
> place the client is not a member of AD (no computer object
in AD) and<br>
> this does not count towards CALs.<br>
><br>
> HTH<br>
><br>
><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager for IdM portfolio<br>
> Red Hat Inc.<br>
><br>
></p>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>