On 9/21/09 12:56 PM, "Rich Megginson" <rmegg...@redhat.com> wrote:
>> Dear FreeIPA community,
>> I have a bunch of requirements that I am looking for from
>> ipa-server. Please clarify if these are possible.
>> Background: We are planning to deploy 389-ds (formerly Fedora DS) as
>> our core ldap server in a Multi-Master Replication scenario. We will
>> be having a set of slave servers to cater to different locations. We want
>> to integrate password authentication with MS Active Directory. 389-DS
>> offers a PAM Pass-thru plugin, but it has been quite difficult to
>> configure the parameters and kerberos to get that working. Some of the
>> features I am looking for are
>> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active
>> Directory for the password.
> If you have PAM Kerberos auth working, you should be able to use PAM
> Pass thru. I don't know the details though, but I do know that this is
> one of the primary use cases, to allow simple bind (username/password
> auth) clients to use their kerberos password.
Isn't IPA creating its own Kerberos/kdc server? For my setup, AD is the
kerberos server and I want 389-ds to query the AD for the password. I do not
want to configure kerberos on 389-ds, or do I have to do that anyway?
So, if I am right, for 389-ds and AD to communicate and exchange data they
both need to be Kerb servers? If that is so, do client unix machines need
to be configured with krb5.conf?
I am following the HowToKerberos from 389-ds, where you generate the keytab
in Windows and register it in the DS server.
I haven't seen a case scenario in the documentation where PAM Passthru is
implemented with AD, and how the Krb5 is configured.
>> 2. Syncing new users automatically between AD and 389-ds, including
>> UNIX attributes in AD (after installing SFU 3.5). Though the Windows
>> Sync agreement does it, we are looking for finer control over
>> the OU's and objectclasses/attributes imported.
> The IPA winsync plugin will add missing posix attributes when syncing a
> new user entry from AD to IPA. It will not keep them in sync.
Is this the same as the passsync.msi plugin? We are using Windows Server 2008
64-bit. Is it compatible? How can I set up IPA for the above?
>> 2. Password changes in the unix world reflect on AD,
> Yes. IPA winsync will sync password changes from IPA to AD.
Is this a case where,
>> 2. Netgroups, adding hosts to the Directory server and having an
>> inventory with hostname and IP address and/or perform basic host
> Winsync will not sync the netgroups schema.
I wanted the unix hosts to be shown in 389-ds, just like Windows boxes are
joined to AD.
>> 2. Create ACI's such that the support team only has access to create
>> ldap accounts and update group memberships.
>> 3. How easy is it going to be if upgraded from 1.2.2 to 2.0?
>> Any issues anticipated?
>> I am still going through the vast Admin Guide, release notes, and user
>> config guide to get these answers and know more. Also let me know if
>> it is worth waiting till 2.0.
Freeipa-users mailing list
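As an added illustration, not taken from the thread or from the 389-ds project, this is the shape of a minimal PAM pass-through setup for the scenario discussed above: the plugin entry in 389-ds plus the PAM stack it delegates to. The suffix dc=example,dc=com, the PAM service name ldapserver and the realm are assumptions; the setting worth noticing from a security standpoint is pamSecure, which makes the server refuse pass-through binds on unencrypted connections so the AD password is never accepted in the clear.

```ldif
# Added example (not from the thread): enable the 389-ds PAM Pass Through
# Auth plugin so simple binds under the assumed ou=People,dc=example,dc=com
# are verified by PAM rather than against userPassword in the directory.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamIncludeSuffix
pamIncludeSuffix: ou=People,dc=example,dc=com
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamService
pamService: ldapserver
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamMissingSuffix
pamMissingSuffix: ERROR

# Companion file /etc/pam.d/ldapserver on the 389-ds host (shown here as
# comments; the AD realm is assumed to be the default realm in krb5.conf).
# pam_krb5 checks the bind password against the AD KDC, so the directory
# server never holds a copy of the AD credential.
# auth    required  pam_krb5.so
# account required  pam_krb5.so
```

With pamFallback set to FALSE a bind that PAM rejects is not retried against userPassword, so a stale local password cannot silently bypass AD.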