On 06/20/2013 05:35 PM, Brian Wheeler wrote:
> Hello!
> So here's the situation I'm in.  The university has its AD domain
> locked down pretty tight -- getting  a trust is out of the question,
> creating new users isn't allowed, and they seem to have no interest in
> supporting linux management.
> I'd like to be able to leverage the AD kerberos server but manage
> users locally.
> So here's what I'm thinking about doing:  putting my site users/groups
> and copies of the relevant AD users into IPA.  The site users would
> have UIDs > 1 billion and the users from AD would have whatever
> unixuid attribute they have (only the uid is stored in AD -- they
> didn't do a full posix setup).  The IDs will not conflict with each
> other, so I'm set there.
> I'd have two entries in sssd.conf:  one entry would have a min/max id
> matching the AD users and the other would be 1 billion+ to match the
> local users/groups.  The AD range would use the university's AD
> kerberos for authentication and IPA for everything else.  The other
> would use IPA normally.
> I was able to get this working successfully when setting up 389
> manually by using two nearly identical configs in sssd and making the
> AD one resolve first, but I can't seem to figure out the magic chant
> for making it work with IPA.
> So, is something like this even possible?  Is there a better way to be
> able to use IPA and stay out of the password business for the real
> users of my system?  If it comes down to it, I'll manually set up 389
> and do it the way I prototyped it, but I'd really like to have
> something resembling a "standard" build.  This is all on RHEL6.  If a
> newer version of IPA is required I'd be ok with installing it.
> Brian
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Was there any help provided here?

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to