<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 01/13/2014 06:29 PM, Nordgren, Bryce L -FS wrote: <blockquote cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E66C085@001FSN2MPN1-044.001f.mgd2.msft.net" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <style>  </style> <div class="WordSection1"> Hello, I manage a suite of machines and services which are used for collaborative projects with external partners. I want to allow users within our organization to authenticate with their existing Active Directory accounts, and I have set up an “External Users” LDAP directory to establish identities for our partners. I have an LDAP server set up which merges the two directories and which forwards requests on to the correct directory. I like the idea of FreeIPA, however, I need support for a one-way trust. I don’t have the ability to modify any entries in our AD server, but I do have a normal user account (hence I can bind to AD’s LDAP interface). However, I think this is kind of a moot point since external users should under no circumstances be allowed access to our internal network/services. Read-only access to AD is just peachy. I found this old message (June 2012) on your mailing list which suggests one-way trusts may be on your radar. [1] However, I looked through your Trac tickets and didn’t see any follow up. Did I miss something? Is this already implemented, or are plans in place? </div> </blockquote> Just to be sure I understand. You have internal users - they are in AD. You have external users - they are in LDAP. You merge two directories and you want to replace this setup with IPA. IPA can trust AD. Formally it is a mutual trust but in reality IPA does not have global catalog support for users in IPA to be able to access the resources in AD. So it is one way trust due to limited functionality. The global catalog support is being worked on. As soon as it is implemented we will add more granularity to the way the trusts are established and thus allow formal one way trusts. It seems that to support your use case you would need to make the external users be IPA users and make AD and IPA trust each other. Also if external users do not authenticate using Kerberos (for example they always use a special portal) then it does not matter what trust is between AD and IPA because those users will not have kerberos tickets that are leveraged in SSO in trust case. HTH. <blockquote cite="mid:82E7C9A01FD0764CACDD35D10F5DFB6E66C085@001FSN2MPN1-044.001f.mgd2.msft.net" type="cite"> <div class="WordSection1"> Thanks much, Bryce [1] <a class="moz-txt-link-freetext" href="https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html">https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html</a> </div> This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>