On 01/13/2014 06:29 PM, Nordgren, Bryce L -FS wrote:
> Hello,
> I manage a suite of machines and services which are used for
> collaborative projects with external partners. I want to allow users
> within our organization to authenticate with their existing Active
> Directory accounts, and I have set up an "External Users" LDAP
> directory to establish identities for our partners. I have an LDAP
> server set up which merges the two directories and which forwards
> requests on to the correct directory.
> I like the idea of FreeIPA, however, I need support for a one-way
> trust. I don't have the ability to modify any entries in our AD
> server, but I do have a normal user account (hence I can bind to AD's
> LDAP interface). However, I think this is kind of  a moot point since
> external users should under no circumstances be allowed access to our
> internal network/services. Read-only access to AD is just peachy. I
> found this old message (June 2012) on your mailing list which suggests
> one-way trusts may be on your radar. [1] However, I looked through
> your Trac tickets and didn't see any follow up. Did I miss something?
> Is this already implemented, or are plans in place?

Just to be sure I understand.
You have internal users - they are in AD. You have external users - they
are in LDAP.
You merge two directories and you want to replace this setup with IPA.

IPA can trust AD. Formally it is a mutual trust but in reality IPA does
not have global catalog support for users in IPA to be able to access
the resources in AD. So it is one way trust due to limited
functionality. The global catalog support is being worked on. As soon as
it is implemented we will add more granularity to the way the trusts are
established and thus allow formal one way trusts.

It seems that to support your use case you would need to make the
external users be IPA users and make AD and IPA trust each other. Also
if external users do not authenticate using Kerberos (for example they
always use a special portal) then it does not matter what trust is
between AD and IPA because those users will not have kerberos tickets
that are leveraged in SSO in trust case.


> Thanks much,
> Bryce
> [1] https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html
> This electronic message contains information generated by the USDA
> solely for the intended recipients. Any unauthorized interception of
> this message or the use or disclosure of the information it contains
> may violate the law and subject the violator to civil or criminal
> penalties. If you believe you have received this message in error,
> please notify the sender and delete the email immediately.
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to