On 06/20/2013 05:35 PM, Brian Wheeler wrote:
> So here's the situation I'm in. The university has its AD domain
> locked down pretty tight -- getting a trust is out of the question,
> creating new users isn't allowed, and they seem to have no interest in
> supporting Linux management.
>
> I'd like to be able to leverage the AD Kerberos server but manage
> users locally.
>
> So here's what I'm thinking about doing: putting my site users/groups
> and copies of the relevant AD users into IPA. The site users would
> have UIDs > 1 billion and the users from AD would have whatever
> unixuid attribute they have (only the uid is stored in AD -- they
> didn't do a full POSIX setup). The IDs will not conflict with each
> other, so I'm set there.
>
> I'd have two entries in sssd.conf: one entry would have a min/max id
> matching the AD users and the other would be 1 billion+ to match the
> local users/groups. The AD range would use the university's AD
> Kerberos for authentication and IPA for everything else. The other
> would use IPA normally.
>
> I was able to get this working successfully when setting up 389
> manually by using two nearly identical configs in sssd and making the
> AD one resolve first, but I can't seem to figure out the magic chant
> for making it work with IPA.
>
> So, is something like this even possible? Is there a better way to be
> able to use IPA and stay out of the password business for the real
> users of my system? If it comes down to it, I'll manually set up 389
> and do it the way I prototyped it, but I'd really like to have
> something resembling a "standard" build. This is all on RHEL6. If a
> newer version of IPA is required I'd be ok with installing it.
> Freeipa-users mailing list
Was there any help provided here?
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
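As an added illustration of the two-domain layout the original poster describes (not a file from the thread or from the FreeIPA project), this is how such an sssd.conf could be laid out; host names, realm and the exact UID bounds other than the 1 billion split are placeholder assumptions:

```ini
# Added example sketch, not the poster's configuration. Host names, the AD
# realm and the IPA domain are placeholders.
[sssd]
services = nss, pam
config_file_version = 2
# Domain order is lookup order: the AD-range domain is consulted first,
# as the poster wanted.
domains = ad_users, site_users

# Accounts copied from AD: identity (uid, groups) comes from IPA, while the
# password is checked against the university's AD KDC, so IPA never holds
# or verifies these users' passwords.
[domain/ad_users]
id_provider = ipa
ipa_domain = ipa.example.edu
ipa_server = ipa1.ipa.example.edu
ipa_hostname = client.ipa.example.edu
auth_provider = krb5
krb5_realm = AD.UNIVERSITY.EDU
krb5_server = dc1.ad.university.edu
# Password changes are not handled here; they stay with the AD owners.
chpass_provider = none
# Only entries whose uidNumber/gidNumber fall in this window match this
# domain; anything at or above 1 billion falls through to site_users.
min_id = 1000
max_id = 999999999
# krb5_validate would need a host key for the AD realm in the keytab, which
# is not available without a trust or an AD join, so it stays at its default.
cache_credentials = false

# Locally managed site users/groups at UID/GID >= 1 billion: IPA provides
# both identity and authentication, as in a normal IPA client.
[domain/site_users]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.edu
ipa_server = ipa1.ipa.example.edu
ipa_hostname = client.ipa.example.edu
min_id = 1000000000
max_id = 2000000000
```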