On Tue, Nov 21, 2017 at 08:14:49AM -0500, Rob Crittenden via FreeIPA-users wrote:
> Николай Савельев via FreeIPA-users wrote:
> > Hi.
> > I asked about Owncloud, Zimbra, etc. authentication in FreeIPA with AD
> > trust.
> > I was advised to use SAML.
> > But I don't understand SAML. It is very difficult for me.
> > I only want to use LDAP for authentication as in this article
> > https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
> > or this one
> > https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
> >
> > The articles work fine, but only for FreeIPA users. They don't work for AD users
> > from the trusted domain.
> >
> > I found Red Hat documentation for synchronising AD with IPA:
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory
> >
> > If I do that, will I see AD users in LDAP requests to the IPA server?
> >
>
> If you do winsync instead of AD trust then yes, the AD entries will
> reside in the IPA LDAP server.
>
> For passwords to work you'll need to install the passsync service on
> every AD DC, and any AD user that you want to authenticate will need to
> reset their password for it to work when authenticating against IPA.
>
> I agree that SAML can be confusing and difficult, but IMHO it is a far,
> far better path than co-mingling your AD and IPA entries using winsync.
> winsync is not recommended.
I think the better reference in the documentation is
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy

If there is a trust to an AD forest and 'ipa-adtrust-install --enable-compat' was called, there will be a special sub-tree in FreeIPA's LDAP tree, cn=compat,dc=ipa,dc=domain. AD users can be searched for in this sub-tree, and if the user is found you can use the DN of the user to bind to FreeIPA's LDAP server with the AD password.

Btw, I guess Owncloud supports PAM authentication as well; in this case you can just configure Owncloud's PAM module to use SSSD on an IPA client, and SSSD will do the authentication of AD users for you.

HTH

bye,
Sumit

>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
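The search-then-bind flow Sumit describes, written out as an added example (not code from this thread, from FreeIPA, or from Owncloud/Zimbra). It assumes the compat tree exposes trusted users as uid=<login>,cn=users,cn=compat,<IPA base DN> with objectClass posixAccount, uses a constructed in-memory stand-in for the IPA server so it runs offline, and keeps an optional adapter for the third-party ldap3 package (also an assumption) for use against a real server. Two checks a practitioner wants here: the login is RFC 4515-escaped before it goes into the search filter, and an empty password is refused before any bind, because a simple bind with a DN and an empty password is the "unauthenticated" bind of RFC 4513 section 5.1.2, which servers may accept as anonymous and which therefore proves nothing about the user.

```python
"""Two-step LDAP authentication of a trusted-AD user via FreeIPA's compat tree.

Added example, not from the thread or FreeIPA. Assumed (labelled) details:
compat entries live under uid=<login>,cn=users,cn=compat,<ipa base> and carry
objectClass posixAccount; the optional real adapter relies on the ldap3 package.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Protocol


class Directory(Protocol):
    """Minimal LDAP surface the flow needs: one search and one simple bind."""

    def search_one(self, base: str, ldap_filter: str) -> Optional[str]: ...

    def simple_bind(self, dn: str, password: str) -> bool: ...


# RFC 4515 section 3: these must be escaped inside a filter value, otherwise a
# login such as "*)(uid=*" rewrites the filter instead of being matched as text.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def compat_users_base(ipa_base: str) -> str:
    # Assumed layout of the tree created by 'ipa-adtrust-install --enable-compat'.
    return f"cn=users,cn=compat,{ipa_base}"


def compat_filter(login: str) -> str:
    # Assumed objectClass of compat user entries.
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(login)}))"


def authenticate_compat_user(directory: Directory, login: str, password: str,
                             ipa_base: str) -> Optional[str]:
    """Return the user's DN on success, None on any failure.

    The password is verified by the IPA server (which forwards it to AD); this
    code never sees a hash and never stores the password.
    """
    # RFC 4513 5.1.2: DN + empty password is an "unauthenticated" bind that a
    # server may accept as anonymous, so refuse it before talking to the server.
    if not password:
        return None
    dn = directory.search_one(compat_users_base(ipa_base), compat_filter(login))
    if dn is None:
        return None
    return dn if directory.simple_bind(dn, password) else None


@dataclass
class FakeCompatDirectory:
    """Constructed stand-in for an IPA server's compat tree (runs offline)."""
    ipa_base: str
    accounts: Dict[str, str]  # login -> AD password; constructed sample data

    def _dn(self, login: str) -> str:
        return f"uid={login},{compat_users_base(self.ipa_base)}"

    def search_one(self, base: str, ldap_filter: str) -> Optional[str]:
        if base != compat_users_base(self.ipa_base):
            return None
        hits = [self._dn(u) for u in self.accounts if ldap_filter == compat_filter(u)]
        return hits[0] if len(hits) == 1 else None

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True  # models a server that accepts this as an anonymous bind
        login = dn.split(",", 1)[0][len("uid="):]
        return self.accounts.get(login) == password


class Ldap3Directory:
    """Adapter over ldap3 (assumed installed). Searches reuse one read-only
    connection; every user bind opens a fresh connection over LDAPS."""

    def __init__(self, host: str, search_user: Optional[str] = None,
                 search_password: Optional[str] = None):
        import ldap3  # lazy import so the rest of the module runs without it
        self._ldap3 = ldap3
        self._server = ldap3.Server(host, use_ssl=True, get_info=ldap3.NONE)
        self._reader = ldap3.Connection(self._server, user=search_user,
                                        password=search_password, auto_bind=True)

    def search_one(self, base: str, ldap_filter: str) -> Optional[str]:
        self._reader.search(base, ldap_filter, attributes=["uid"])
        return self._reader.entries[0].entry_dn if len(self._reader.entries) == 1 else None

    def simple_bind(self, dn: str, password: str) -> bool:
        try:
            conn = self._ldap3.Connection(self._server, user=dn, password=password,
                                          auto_bind=True)
        except self._ldap3.core.exceptions.LDAPBindError:
            return False
        conn.unbind()
        return True


IPA_BASE = "dc=ipa,dc=example,dc=com"  # assumed IPA base DN


def demo_directory() -> FakeCompatDirectory:
    return FakeCompatDirectory(IPA_BASE, {"jdoe@ad.example.com": "Passw0rd!",
                                          "asmith@ad.example.com": "hunter2"})


if __name__ == "__main__":
    d = demo_directory()
    for login, pw in [("jdoe@ad.example.com", "Passw0rd!"), ("jdoe@ad.example.com", ""),
                      ("jdoe@ad.example.com", "wrong"), ("*)(uid=*", "Passw0rd!")]:
        print(f"{login!r:24} -> {authenticate_compat_user(d, login, pw, IPA_BASE)}")
```

Against a real deployment the only change is the directory object: Ldap3Directory("ipa.example.com") in place of demo_directory(), with the search done anonymously or as a dedicated read-only account, never as the user being authenticated. Keep the user bind on its own connection: reusing the reader connection for the bind would leave it authenticated as the last user who logged in.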