<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/30/2014 05:00 PM, tizo wrote:<br>
</div>
<blockquote
cite="mid:CAHBowdiSagZ3fDs_aKNNE0YfZ30NUYgYZ2+2fhwLZkbRZk5mHw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
From: Alexander Bokovoy <abokovoy redhat com><br>
To: Sumit Bose <sbose redhat com><br>
Cc: freeipa-users redhat com<br>
Subject: Re: [Freeipa-users] Trust services<br>
Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)<br>
<br>
----- Original Message -----<br>
> On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:<br>
> > I would like to know, if having configured trusts
services between FreeIPA<br>
> > and Active Directory, allow AD users to
authenticate in services that are<br>
> > only configured to authenticate against FreeIPA.<br>
> > <br>
> > For example, having configured the trusts, if I
have a mail server that is<br>
> > using FreeIPA as its authentication method, can a
user A from Active<br>
> > Directory, who does not exist in FreeIPA,
authenticate in the mail server?<br>
> <br>
> It depends a bit on how the users authenticate exactly
because IPA<br>
> offers Kerberos and LDAP authentication.<br>
> <br>
> Kerberos should work out of the box because that's one
of the trusts<br>
> components, trusting Kerberos tickets from the other
domain/realm.<br>
> <br>
> For LDAP authentication you should be able to find the
users from the<br>
> trusted domain in the compat tree below<br>
> cn=compat,dc=your,dc=ipa,dc=domain . To authenticate
the user you can<br>
> do an LDAP bind with the DN from the compat tree and the
password used in<br>
> AD.<br>
Please note that the latter is valid only for FreeIPA 3.3
and later. <br>
FreeIPA 3.0 does not support authentication over LDAP in the
compat tree.<br>
-- <br>
/ Alexander Bokovoy<br>
<br>
</div>
Ok. I will definitively use Kerberos. But looking at the
diagram of page 22 in <a moz-do-not-send="true"
href="http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf">http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf</a>
I see that SSSD in the GNU/Linux host is authenticating
against both Active Directory and FreeIPA. Does the email
server that I mentioned before, have to be configured in a
similar way that SSSD in the GNU/Linux host of the example? Or
is just enough that it is configured against the FreeIPA
Kerberos and nothing else?<br>
</div>
</div>
</blockquote>
<br>
You configure the client (SSSD) to point to IPA, but it will discover
that IPA is in a trust relationship and will know how to deal with
tickets coming from the AD side.<br>
This is why there are two arrows. They show communication.<br>
<br>
<blockquote
cite="mid:CAHBowdiSagZ3fDs_aKNNE0YfZ30NUYgYZ2+2fhwLZkbRZk5mHw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<br>
</div>
Thanks very much.<br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
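<p>The LDAP path Sumit describes in the quoted thread (find the trusted-domain user below cn=compat, then simple-bind with that DN and the AD password) as an added example; this is not code from the thread or from FreeIPA. It assumes the OpenLDAP client tools, a constructed server URI and base DN (set IPA_LDAP_URI and IPA_BASE_DN), and that trusted users are searchable by a uid of the form user@AD.DOMAIN.</p>

```shell
#!/bin/sh
# Added example: LDAP authentication of a trusted-AD user via FreeIPA's compat tree.
# Constructed deployment values; override them for a real server.
IPA_LDAP_URI="${IPA_LDAP_URI:-ldaps://ipa.example.test}"
IPA_BASE_DN="${IPA_BASE_DN:-dc=ipa,dc=example,dc=test}"

# RFC 4515 escaping so a user-supplied login name cannot alter the search filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF on stdin and print the DN only when exactly one entry matched:
# zero matches means "not a trusted user", more than one is ambiguous.
parse_single_dn() {
    dns=$(awk '/^ / { line = line substr($0, 2); next }      # unfold LDIF continuations
               { if (line != "") print line; line = $0 }
               END { if (line != "") print line }' | sed -n 's/^dn: //p')
    [ "$(printf '%s\n' "$dns" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$dns"
}

# Look up the trusted user below the compat tree (assumed uid=user@AD.DOMAIN form).
compat_user_dn() {
    ldapsearch -LLL -x -H "$IPA_LDAP_URI" -b "cn=compat,$IPA_BASE_DN" \
        "(uid=$(ldap_filter_escape "$1"))" dn | parse_single_dn
}

# Authenticate: refuse an empty password first, because a simple bind with a DN
# and an empty password is an anonymous bind and would be misread as success.
ipa_compat_auth() {
    user=$1; password=$2
    [ -n "$password" ] || return 2
    dn=$(compat_user_dn "$user") || return 1
    # Pass the password through a mode-0600 temp file, never on the command line.
    pwfile=$(mktemp) && chmod 600 "$pwfile" && printf '%s' "$password" > "$pwfile"
    ldapwhoami -x -H "$IPA_LDAP_URI" -D "$dn" -y "$pwfile" >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Usage: ipa_compat_auth 'jdoe@ad.example.test' "$AD_PASSWORD" && echo "authenticated"
```

<p>As Alexander notes above, the compat-tree bind only works on FreeIPA 3.3 and later, and the check for exactly one matching entry is what keeps a mistyped or overlapping uid from binding as the wrong account.</p>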
</body>
</html>