On Tue, Nov 21, 2017 at 08:14:49AM -0500, Rob Crittenden via FreeIPA-users 
wrote:
> Николай Савельев via FreeIPA-users wrote:
> > Hi.
> > I asked about Owncloud, Zimbra, etc. authentication in FreeIPA with AD 
> > trust.
> > I was offered to use SAML.
> > But I don't understand SAML. It is very difficult for me.
> > I only want to use LDAP for authentication as in this article 
> > https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
> > Or this 
> > https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
> > 
> > The articles work fine, but only for FreeIPA users. They don't work for AD users 
> > from the trusted domain.
> > 
> > I found Red Hat documentation for synchronising AD with IPA 
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory
> > 
> > If I do this, will I see AD users in LDAP requests to the IPA server?
> > 
> 
> If you do winsync instead of AD trust then yes, the AD entries will
> reside in the IPA LDAP server.
> 
> For passwords to work you'll need to install the PassSync service on
> every AD DC, and any AD user that you want to authenticate will need to
> reset their password for it to work when authenticating against IPA.
> 
> I agree that SAML can be confusing and difficult but IMHO it is a far,
> far better path than co-mingling your AD and IPA entries using winsync.
> winsync is not recommended.

I think the better reference in the documentation is
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy

If there is a trust to an AD forest and 'ipa-adtrust-install
--enable-compat' was called, there will be a special sub-tree in
FreeIPA's LDAP tree, cn=compat,dc=ipa,dc=domain. AD users can be searched
in this sub-tree, and if the user is found you can use the DN of the
user to bind to FreeIPA's LDAP server with the AD password.

Btw, I guess Owncloud supports PAM authentication as well; in that case
you can just configure Owncloud's PAM module to use SSSD on an IPA
client and SSSD will do the authentication of AD users for you.

HTH

bye,
Sumit

> 
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
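The search-then-bind flow Sumit describes (look the AD user up under cn=compat, then bind with the returned DN and the AD password), written out as an added example; this is not code from the thread, from FreeIPA or from Owncloud/Zimbra. It assumes the OpenLDAP client tools (ldapsearch, ldapwhoami) are installed on the machine running it, that the server accepts STARTTLS (-ZZ fails closed if it does not; certificate verification follows TLS_CACERT in ldap.conf), and that AD users appear under cn=users,cn=compat,<base> with a uid of the form user@ad.domain; the host name, base DN and logins are placeholders. The thread only says "a special sub-tree cn=compat", so the cn=users container and the uid form are assumptions. The login is escaped per RFC 4515 before it goes into the filter, because in the Owncloud/Zimbra case it arrives from a login form, and the password is handed to ldapwhoami through a 0600 temp file rather than on the command line, where it would be visible in the process list.

```python
"""Authenticate an AD user against FreeIPA's compat tree: search, then bind.

Added example, not FreeIPA project code. Server name, base DN and logins
below are placeholders; the cn=users container and uid=user@ad.domain
form are assumptions about the compat tree, not statements from the thread.
"""
import base64
import subprocess
import tempfile

IPA_SERVER = "ipa.example.test"            # assumed host name
IPA_BASE_DN = "dc=ipa,dc=domain"           # base DN used in the thread
COMPAT_USERS = "cn=users,cn=compat," + IPA_BASE_DN  # assumed container

# RFC 4515 escapes; without these a login like "*)(uid=*" rewrites the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def compat_user_filter(login):
    """Filter for one AD user; the compat tree keys AD users by user@ad.domain."""
    return "(uid=%s)" % escape_filter_value(login)


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) back onto their line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif_dns(ldif_text):
    """Return the DNs from 'ldapsearch -LLL' output.

    'dn:: ' carries base64, which ldapsearch uses for non-ASCII DNs
    (e.g. Cyrillic user names), so both spellings are handled.
    """
    dns = []
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def find_compat_dn(login):
    """Search the compat tree for the AD user; None if not exactly one match.

    No match usually means the user is not in the trusted forest or the
    compat tree was not enabled (ipa-adtrust-install --enable-compat).
    """
    cmd = ["ldapsearch", "-LLL", "-x", "-ZZ", "-H", "ldap://" + IPA_SERVER,
           "-b", COMPAT_USERS, "-s", "one", compat_user_filter(login), "dn"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    dns = parse_ldif_dns(out)
    return dns[0] if len(dns) == 1 else None


def bind_as(dn, password):
    """Simple bind as the compat DN with the AD password; True on success."""
    # -y reads the whole file as the password, so write it without a newline.
    with tempfile.NamedTemporaryFile("w") as pw:  # created with mode 0600
        pw.write(password)
        pw.flush()
        cmd = ["ldapwhoami", "-x", "-ZZ", "-H", "ldap://" + IPA_SERVER,
               "-D", dn, "-y", pw.name]
        return subprocess.run(cmd, capture_output=True).returncode == 0


def authenticate(login, password):
    """Full flow: resolve the DN in the compat tree, then bind with it."""
    dn = find_compat_dn(login)
    return dn is not None and bind_as(dn, password)


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "jdoe@ad.example.test"
    print("ok" if authenticate(user, getpass.getpass()) else "failed")
```

Running it as a script prompts for the AD password and prints ok or failed; the functions are split so that an application can reuse find_compat_dn and bind_as directly. A single-match check is deliberate: more than one entry for a filter that should identify one user means the lookup is ambiguous and should not proceed to a bind.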