On Fri, 18 Dec 2009 12:31:44 -0500
Dan Scott <danieljamessc...@gmail.com> wrote:

> So clients in A.EXAMPLE.COM should be able to authenticate to
> C.B.EXAMPLE.COM, but not the other way around (This is how I would
> like it setup).
> However, this does not appear to work. I assume that I need to add
> some entries to the LDAP server as well? Does anyone know if this is
> true and if so, how I should go about it?

There are 2 things to consider when cross realm trust are involved.
1. certainly a correct setup so that clients can successfully perform
authentication. See Nalin remarks on that.

2. The second is that in order to login on a system you need, not only
a successful authentication but an actual user (with uid,gid,home,shell
info) the system can associate to your successful authentication.
Unless you are interested only in something like http auth which can
work w/o real system users.
This second part requires a way to provide the other realm users
to your system. At the moment we do not have any automated mechanism in
FreeIPA itself or in the client to provide that. We will work on these
features next year.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to