<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1">That was the feared, but somehow expected, answer.<br>
<br>
Any entry point/documentation about how to start such a script?<br>
<br>
cheers,<br>
<br>
m.<br>
</font>
<div class="moz-signature"><br>
--
<br>
<b>Michaël Van de Borne</b><br>
Free Bird Computing SPRL - Manager<br>
104 rue d'Azebois, 6230 Thiméon<br>
<b>Tel:</b> +32(0)472 695716<br>
<b>Skype:</b> mikemowgli<br>
<b>VAT:</b> BE0637.834.386<br>
<a
href="https://www.linkedin.com/in/micha%C3%ABl-van-de-borne-56409167">Linkedin
profile</a>
<br>
<br>
</div>
<div class="moz-cite-prefix">On 31-01-17 at 16:42, Alexander Bokovoy
wrote:<br>
</div>
<blockquote cite="mid:20170131154235.5ktjbxqo3nskgaab@redhat.com"
type="cite">On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
<br>
<blockquote type="cite">mmmmh, ok, thank you.
<br>
<br>
But indeed, I would need HBAC and sudo rules in the future.
<br>
So I believe the only exit here is to keep openLDAP and FreeIPA
in sync.
<br>
Any clue on how to do this efficiently?
<br>
</blockquote>
Well, we have 'ipa migrate-ds' functionality but this is not really
designed for continuous synchronisation. Neither is using a replication
mechanism as that was not designed to deal with inconsistent schema on
both sides (OpenLDAP schema is most likely not 1:1 to FreeIPA).
<br>
<br>
Doing a custom add/modify script looks like the only solution.
<br>
<br>
<blockquote type="cite">
<br>
<br>
Thank you,
<br>
<br>
Cheers,
<br>
<br>
m.
<br>
<br>
On 31-01-17 at 16:23, Alexander Bokovoy wrote:
<br>
<blockquote type="cite">On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
<br>
<blockquote type="cite">Hello list,
<br>
<br>
Here's my situation:
<br>
I'm installing Hadoop for a customer, and the Hadoop cluster
is secured with Kerberos. I used FreeIPA as a KDC.
<br>
The customer uses openLDAP as a directory server.
<br>
<br>
For now, our solution is to copy the whole openLDAP user
base to FreeIPA, and then use FreeIPA for the identification
and authorization (all the keytab stuff).
<br>
</blockquote>
you mean authentication, not authorization here.
<br>
<br>
<blockquote type="cite">But keeping openLDAP and FreeIPA in
sync is a nightmare, and I was wondering something:
<br>
Would it be possible to configure SSSD to simultaneously
target the openLDAP server to identify a user, and the
FreeIPA server to get the tickets?
<br>
</blockquote>
Here is the thing: yes, you can do that by configuring explicitly
identity and authentication providers in sssd.conf. Set identity
provider to ldap and authentication provider to krb5, add necessary
configuration parameters and that would work. No HBAC, no SUDO rules,
etc, but that's what you want, it seems.
<br>
<br>
Look at sssd-ldap and sssd-krb5 manual pages.
<br>
<br>
When you configure identity provider to IPA or AD in sssd.conf, you are
just setting defaults for all other providers to the defaults of IPA or
AD provider. If you use a different identity provider, you'd need to
define proper authentication.
<br>
<br>
<blockquote type="cite">That way, we can avoid having to keep
openLDAP and FreeIPA in sync...
<br>
<br>
_*OR*_
<br>
<br>
Is there an efficient way to keep openLDAP and FreeIPA in
sync?
<br>
<br>
<br>
</blockquote>
<br>
<blockquote type="cite">-- <br>
Manage your subscription for the Freeipa-users mailing list:
<br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
<br>
Go to <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
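<font size="-1">An added illustration, not part of the thread: a minimal sssd.conf for the split setup Alexander describes, with identity coming from the customer's OpenLDAP and authentication from the FreeIPA KDC. The hostnames, search base, realm and CA path are placeholders, and it assumes the same login names exist in OpenLDAP and as principals in the IPA realm.<br>
</font>

```ini
# /etc/sssd/sssd.conf (added example; must be owned by root, mode 0600, or sssd refuses to start)
# Placeholders: ldap.example.com, ipa.example.com, dc=example,dc=com, EXAMPLE.COM
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
# Identity (users/groups) comes from OpenLDAP, as suggested in the thread
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# Insist on a verified server certificate on the LDAP channel
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand

# Authentication (and password change) goes to the FreeIPA KDC
# The krb5 provider builds the principal as <login>@EXAMPLE.COM, so the
# login name must match between OpenLDAP and the IPA realm (assumption)
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# Check the KDC's reply against the host keytab so a spoofed KDC cannot
# grant a login; requires a host principal for this machine in the realm
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# No HBAC in this setup, so access control has to come from elsewhere.
# 'permit' lets every LDAP user log in; narrow it with 'simple' or 'ldap'
access_provider = permit

cache_credentials = true
```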
</body>
</html>