If you have PAM Kerberos auth working, you should be able to use PAM Pass thru. I don't know the details though, but I do know that this is one of the primary use cases, to allow simple bind (username/password auth) clients to use their kerberos password.Dear FreeIPA community,I have a bunch of requirements that I am looking forward from ipa-server. Please clarify if these are possibleBackground: We are planning to deploy 389-ds(formerly Fedora DS) as our core ldap server in a Multi-Master Replication scenario. We will be having set of slave server to cater at different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and kerberos to get that working. Some of the features I am looking are1. Easy setup of PAM Pass-thru setup. Where 389-ds queries Active Directory for password.
The IPA winsync plugin will add missing posix attributes when syncing a new user entry from AD to IPA. It will not keep them in sync.1. 2. Syncing new users automatically between AD and 389-ds including UNIX attributes in AD(after installing SFU 3.5). Though Windows Sync agreement does it, we are looking on a finer control over the OU’s and objectclass/attributes imported.
1. 2. Password change in unix world reflect on AD,
Yes. IPA winsync will sync password changes from IPA to AD.
1. 2. Netgroups, adding hosts to the Directory server and have a inventory withhostname and IP address and/or perform basic host tasks.
Winsync will not sync the netgroups schema.
1. 2. Create ACI’s such that support team has only access to create ldap accounts and update group memberships. 3. How is the easy is it going to be if upgraded from 1.2.2 to 2.0? Any issues anticipated?I am still going through the vast Admin Guide, release notes, user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0Thanks, Prashanth
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users