Hi Dimitri,

>Just to be sure I understand.
>You have internal users - they are in AD. You have external users - they are 
>in LDAP.
>You merge two directories and you want to replace this setup with IPA.

Yes.

>It seems that to support your use case you would need to make the external 
>users be IPA users and make AD and IPA trust each other.

I think I concur about migrating my external users into IPA and making IPA 
trust AD. I may be ignorant of some AD nuance, but I do not see why AD needs to 
trust IPA. AD does not need to trust my LDAP clients currently.

>Also, if external users do not authenticate using Kerberos (for example, they 
>always use a special portal), then it does not matter what trust is between AD 
>and IPA, because those users will not have Kerberos tickets that are leveraged 
>in SSO in the trust case.

I want to be able to point either an LDAP or a Kerberos client at IPA, and have 
it authenticate my "enterprise" and "external" users for me. I'm not going to 
tangle with SSO at the moment. Right now, we're just establishing an identity 
store.

>IPA can trust AD. Formally it is a mutual trust but in reality IPA does not 
>have global catalog support for users in IPA to be able to access the 
>resources in AD.

In many of the tutorials/HOWTOs, I see that there is a requirement to provide 
credentials having the permission to add a computer to the domain, or being a 
member of an AD administration group. I'm a lowly standard "User" in the AD. I 
don't know if that means I can add a computer to the domain or not. I know I 
lack the ability to edit AD entries that aren't mine, so I really need a 
solution that does not require creating a trust relationship inside AD.

Is there a way for me to comment out the AD->IPA trust creation, or would that 
break the IPA->AD trust?

Thanks much,
Bryce

This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users