On 06/18/2012 08:49 AM, Brian Wheeler wrote:
> Hello
>
> I'm a sysadmin at a smallish department at my university. We're
> investigating FreeIPA to replace our homegrown openldap/perl script
> user management stuff. The difficulty we're facing is that the university
> has standardized on Active Directory and they've got it pretty well
> locked down. We currently use the university's kerberos for
> authentication and our openldap instance to store user/group data.
> When we create a new user a perl script copies the relevant data from
> AD via an authenticated ldap bind since they do not support anonymous
> binds. For groups we just maintain the ones within our ldap
> environment (AD groups are never copied). For hosts we have a private
> network that we use nss_ldap to look up hosts and then fall back to
> the university's DNS.
>
> All of the documentation that I've been able to find on FreeIPA seems
> to assume that the people setting up FreeIPA have full access to AD
> and can modify the structure/security settings.

Not exactly. What documentation are you talking about?

For IPA Windows Sync, IPA needs to be able to use the DirSync control
provided by AD.
http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx
IPA needs the Bind DN and password of an AD user with the rights
specified in that document.

For IPA to get passwords sync'd from AD, you need to install the
PassSync.msi on all of your domain controllers.

> This is not the case for us since a different group handles it and due
> to the vastness of the university they are reluctant to make any changes.
>
> Is there any way to integrate FreeIPA into an environment such as ours
> or am I going to have to continue with my homegrown way of doing things?
>
> Thanks!
> Brian Wheeler
> System Administrator
> Digital Library Program
> Indiana University
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
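To make concrete what the reply means by "the DirSync control provided by AD": the control is sent under OID 1.2.840.113556.1.4.841 and its value is a BER SEQUENCE of three fields, flags, a maximum response size in bytes, and an opaque cookie. An empty cookie asks the domain controller for a full initial sync; every response carries a new cookie that the client hands back on the next round to receive only the changes since then. The script below is an added example, not part of this thread and not FreeIPA's winsync code; it builds and parses that control value and keeps the cookie across rounds the way a sync connector does. The LDAP_DIRSYNC_* flag constants are the documented values; the cookie bytes in the usage section are constructed stand-ins, since no live AD is involved. The AD-side permission this control requires (the reason the bind account needs rights granted by the AD team) is the Replicating Directory Changes right on the partition being synced.

```python
"""Build and parse the Active Directory DirSync control value (example, not FreeIPA code).

Control value layout: SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }
sent under OID 1.2.840.113556.1.4.841.  The DC returns the same shape with a fresh cookie.
"""
from typing import Tuple

DIRSYNC_OID = "1.2.840.113556.1.4.841"

# Documented flag values for LDAP_SERVER_DIRSYNC_OID.
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001      # apply the bind account's ACLs to returned data
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000   # return only changed values of linked attributes


def _ber_len(n: int) -> bytes:
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value; a 0x00 lead byte is added when the high bit is set."""
    if value < 0:
        raise ValueError("negative values are not used by this control")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _ber_len(len(body)) + body


def _ber_octets(data: bytes) -> bytes:
    return b"\x04" + _ber_len(len(data)) + data


def _ber_seq(content: bytes) -> bytes:
    return b"\x30" + _ber_len(len(content)) + content


def encode_dirsync_value(flags: int = 0, max_bytes: int = 0, cookie: bytes = b"") -> bytes:
    """Control value for one DirSync search; an empty cookie requests a full initial sync."""
    return _ber_seq(_ber_int(flags) + _ber_int(max_bytes) + _ber_octets(cookie))


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for the TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:end], end


def decode_dirsync_value(data: bytes) -> Tuple[int, int, bytes]:
    """Parse a request or response control value into (flags, max_bytes, cookie)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("DirSync value must be a single SEQUENCE")
    fields, pos = [], 0
    for expected in (0x02, 0x02, 0x04):
        tag, contents, pos = _read_tlv(body, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields.append(contents)
    if pos != len(body):
        raise ValueError("trailing data inside DirSync SEQUENCE")
    flags = int.from_bytes(fields[0], "big", signed=True)
    if flags < 0:                           # some encoders send 0x80000000 as a negative 32-bit int
        flags &= 0xFFFFFFFF
    max_bytes = int.from_bytes(fields[1], "big", signed=True)
    return flags, max_bytes, fields[2]


class DirSyncCursor:
    """Keeps the cookie across rounds; the bind account used must hold Replicating Directory Changes."""

    def __init__(self, flags: int = LDAP_DIRSYNC_OBJECT_SECURITY, max_bytes: int = 65536):
        self.flags, self.max_bytes = flags, max_bytes
        self.cookie = b""                   # empty: start with a full sync

    def request_control(self) -> Tuple[str, bool, bytes]:
        """(OID, criticality, value) triple to attach to the next search request."""
        return DIRSYNC_OID, True, encode_dirsync_value(self.flags, self.max_bytes, self.cookie)

    def accept_response(self, control_value: bytes) -> bytes:
        """Store the cookie from the DC's response control and return it."""
        _, _, self.cookie = decode_dirsync_value(control_value)
        return self.cookie


if __name__ == "__main__":
    cursor = DirSyncCursor()
    oid, critical, value = cursor.request_control()
    print(oid, critical, value.hex())
    # Constructed stand-in for a response control carrying a new cookie.
    cursor.accept_response(encode_dirsync_value(0, 0, b"\x01\x02\x03"))
    print(cursor.request_control()[2].hex())
```

The cursor is what a connector persists between runs: losing the cookie means the next round is a full sync again, and the cookie is only meaningful against the same domain controller (or one that has replicated its state), so a sync job that fails over between DCs should expect to fall back to a full pass.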