<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Is there a possibility to migrate OpenLDAP to IPA DS and use
only one source of Identity data?</p>
<p>Martin^2<br>
</p>
<br>
<div class="moz-cite-prefix">On 31.01.2017 16:30, Michaël Van de
Borne wrote:<br>
</div>
<blockquote
cite="mid:204e9da7-ff30-9a36-e8d4-97c87c4069ea@gmail.com"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<font size="-1">mmmmh, ok, thank you.<br>
<br>
But indeed, I would need HBAC and sudo rules in the future.<br>
So I believe the only exit here is to keep openLDAP and FreeIPA
in sync.<br>
Any clue on how to do this efficiently?<br>
</font>
<div class="moz-signature"><br>
<br>
Thank you,<br>
<br>
Cheers,<br>
<br>
m. <br>
<br>
</div>
<div class="moz-cite-prefix">Le 31-01-17 à 16:23, Alexander
Bokovoy a écrit :<br>
</div>
<blockquote cite="mid:20170131152327.4edj2n6g66qriif5@redhat.com"
type="cite">On ti, 31 tammi 2017, Michaël Van de Borne wrote: <br>
<blockquote type="cite">Hello list, <br>
<br>
Here's my situation: <br>
I'm installing Hadoop for a customer, and the Hadoop cluster
is secured with Kerberos. I used FreeIPA as a KDC. <br>
The customer uses openLDAP as a directory server. <br>
<br>
For now, our solution is to copy the whole openLDAP user base
to FreeIPA, and then use FreeIPA for the identification and
authorization (all the keytab stuff). <br>
</blockquote>
you mean authentication, not authorization here. <br>
<br>
<blockquote type="cite">But keeping openLDAP and FreeIPA in sync
is a nightmare, and I was wondering something: <br>
Would it be possible to configure SSSD to simultaneously
target the openLDAP server to identify a user, and the FreeIPA
server to get the tickets? <br>
</blockquote>
Here is the thing: yes, you can do that by configuring
explicitly <br>
identity and authentication providers in sssd.conf. Set identity
<br>
provider to ldap and authentication provider to krb5, add
necessary <br>
configuration parameters and that would work. No HBAC, no SUDO
rules, <br>
etc, but that's what you want, it seems. <br>
<br>
Look at sssd-ldap and sssd-krb5 manual pages. <br>
<br>
When you configure identity provider to IPA or AD in sssd.conf,
you are <br>
just setting defaults for all other providers to the defaults of
IPA or <br>
AD provider. If you use a different identity provider, you'd
need to <br>
define proper authentication. <br>
<br>
<blockquote type="cite">That way, we can avoid having to keep
openLDAP and FreeIPA in sync... <br>
<br>
_*OR*_ <br>
<br>
Is there an efficient way to keep openLDAP and FreeIPA in
sync? <br>
<br>
<br>
</blockquote>
<br>
<blockquote type="cite">-- <br>
Manage your subscription for the Freeipa-users mailing list: <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
<br>
Go to <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://freeipa.org">http://freeipa.org</a> for more
info on the project <br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>