We currently use (Free)IPA (what's provided by Red Hat) in a forest trust relationship with our Active Directory domains. All accounts are defined in AD with the necessary POSIX attributes. The only things locally defined within IPA are the automounter maps, sudo rules, and HBAC rules. (I must say, these HBAC rules work rather nicely!)
A research group wants to create their own OU in AD to manage and rely on AD for authentication. Centralized sudo rule configuration is also important to them. They would like to have internal DNS for their lab of entirely Linux machines so that these systems are more easily accessible from within the lab instead of relying exclusively on IP addresses. (We use Infoblox for centralized DNS, but since this is a private lab, there's a question as to whether to leverage our Infoblox DNS or to use DNS in their own IPA instance.)

On one hand, it makes sense to set them up using IPA. If so, would these servers be in a sub-domain of the central IPA? They would need to be able to manage this instance of IPA, but we would not want them to have admin rights on the central IPA servers. Under this scenario, would the trust to AD remain? I'm fairly comfortable with the principles behind IPA, but only so far as we're talking about the global environment. Setting things up in semi-connected labs like this would be new to us, at least since we moved to IPA.

There is some pressure to have their lab bind directly to AD. I pointed out that currently there would be no way to centrally manage the sudo rules. However, we're also currently considering adding the sudo schema to AD, which if we did, might take care of that.

So, I'm just trying to wrap my head around all the possible approaches and weigh the pros and cons with either approach. Any insight would be greatly appreciated. Thanks.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
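As an added illustration (not part of the original post, and not a configuration from the poster's environment) of the "add the sudo schema to AD" option the poster weighs: once the sudoers LDAP schema has been loaded into AD and rule objects exist there, SSSD's AD provider can serve those rules to a directly-joined Linux host with a configuration along these lines. The domain name, the OU and the search base below are placeholders.

```ini
# /etc/sssd/sssd.conf on an AD-joined lab host (illustrative; names are placeholders)
[sssd]
domains = ad.example.com
services = nss, pam, sudo

[domain/ad.example.com]
id_provider = ad
access_provider = ad

# Fetch sudo rules from AD objects that use the sudoers LDAP schema
# instead of from a local /etc/sudoers or an IPA server.
sudo_provider = ad

# Placeholder: the container the lab group would manage for its rule objects.
ldap_sudo_search_base = ou=sudoers,ou=ResearchLab,dc=ad,dc=example,dc=com
```

For this to take effect, /etc/nsswitch.conf also needs `sudoers: files sss` so that sudo consults SSSD after the local file. Rules are then maintained centrally in the group's own OU, with the usual trade-off that AD administrators of that OU control who gets root on the lab hosts, which is the kind of delegation question the poster raises about admin rights on the central IPA servers.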
