<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/30/2014 08:23 PM, tizo wrote:<br>
</div>
<blockquote
cite="mid:CAHBowdhG9uLxvMxEvLJtKzGovN3CKpoYLBhPVsrYpcsnY4=25g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, May 30, 2014 at 6:40 PM,
Dmitri Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 05/30/2014 05:00 PM, tizo wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
From: Alexander Bokovoy <abokovoy
redhat com><br>
To: Sumit Bose <sbose redhat com><br>
Cc: freeipa-users redhat com<br>
Subject: Re: [Freeipa-users] Trust
services<br>
Date: Thu, 29 May 2014 02:47:38 -0400
(EDT)<br>
<br>
----- Original Message -----<br>
> On Wed, May 28, 2014 at 10:47:13AM
-0300, tizo wrote:<br>
> > I would like to know, if having
configured trusts services between FreeIPA<br>
> > and Active Directory, allow AD
users to authenticate in services that are<br>
> > only configured to authenticate
against FreeIPA.<br>
> > <br>
> > For example, having configured the
trusts, if I have a mail server that is<br>
> > using FreeIPA as its
authentication method, can a user A from
Active<br>
> > Directory, who does not exist in
FreeIPA, authenticate in the mail server?.<br>
> <br>
> It depends a bit on how the users
authenticate exactly because IPA<br>
> offers Kerberos and LDAP
authentication.<br>
> <br>
> Kerberos should work out of the box
because thats one of the trusts<br>
> components, trusting Kerberos tickets
from the other domain/realm.<br>
> <br>
> For LDAP authentication you should be
able to find the users from the<br>
> trusted domain in the compat tree below<br>
> cn=compat,dc=your,dc=ipa,dc=domain . To
authenticate the user you can<br>
> do a LDAP bind with the DN form the
compat tree and the password used in<br>
> AD.<br>
Please note that the latter is valid only
for FreeIPA 3.3 and later. <br>
FreeIPA 3.0 does not support authentication
over LDAP in the compat tree.<br>
-- <br>
/ Alexander Bokovoy<br>
<br>
</div>
Ok. I will definitively use Kerberos. But
looking at the diagram of page 22 in <a
moz-do-not-send="true"
href="http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf"
target="_blank">http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf</a>
I see that SSSD in the GNU/Linux host is
authenticating against both Active Directory
and FreeIPA. Does the email server that I
mentioned before, have to be configured in a
similar way that SSSD in the GNU/Linux host of
the example? Or is just enough that it is
configured against the FreeIPA Kerberos and
nothing else?.<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
You configure client (SSSD) to point to IPA but it will
discover that IPA is in trust relations and would know
how to deal with tickets coming from AD side.<br>
This is why there are two arrows. They show
communication.<br>
</div>
</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">Ok. And what about a mail server?. We
are planning to use Zimbra, and we want that users from both
FreeIPA and AD use it. Could we just configure it to
authenticate against FreeIPA Kerberos?. Or do we have to make
something else?.<br>
</div>
</div>
</blockquote>
How do you plan to configure it? How can it be configured?<br>
I assume we are talking about Zimbra web interface, right?<br>
<br>
If Zimbra natively supports Kerberos then I would<br>
1) Make Zimbra host system a member of the IPA domain<br>
2) Make Zimbra a Kerberos service in IPA domain<br>
3) Configure mod_auth_kerb or equivalent capbility for Zimbra to
accept Kerberos tickets<br>
4) Configure Zimbra to get account information from IPA compat tree
- this way AD and IPA users will be available to it via LDAP<br>
5) In case there is no ticket Zimbra would prompt user for user name
and password and bind against IPA compat tree thus allowing
authentication for IPA and trusted users.<br>
<br>
In future when the world is old and wise I hope something like this
[1] would be possible with Zimbra too.<br>
<br>
[1] <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Web_App_Authentication">http://www.freeipa.org/page/Web_App_Authentication</a><br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>