> Both AD integration solutions we have (synchronization and
> cross-forest domain trusts) assume having higher level access
> privileges at the time integration is set up.

My problem here is that I'm too ignorable. :) There's over 15000 users in our 
AD; I'm in Montana, the admins are in DC. Worse, our agency's AD is being 
absorbed into the next level up the chain (Forest Service AD is going to become 
a part of the overall USDA AD). Then I'm an even smaller fish, relatively 

> I'm unaware of other
> mechanisms that would give you the same flexibility and level of
> privilege separation between the AD and IPA domains.

?? The current solution using the LDAP interface to AD (and a metadirectory to 
merge "external users") provides privilege separation and the flexibility to 
add external users. I don't need more; I just need it to be less clunky. It 
weakens security, of course, as my AD password is stored in various plaintext 
configuration files for each application needing binding credentials to search 
for users in AD. I also have an index to which files contain my password, as it 
forms a "password-change-checklist" which I need to run thru every 60 days.

If I might try to repeat the problem back to you to see if I got it right...the 
factor which requires access to the corporate AD is setting up a Kerberos cross 
realm trust. This is required so that machines in IPA can connect directly to 
AD for authentication. This in turn is necessary so that identities in the AD 
Kerberos Realm are correctly and consistently identified as being sourced from 
AD. And of course, this requirement is necessary for services in AD to 
recognize users and groups in AD.

Let me ask what is probably a series of dumb questions: What do I lose if my 
FreeIPA server is set up as one of the 10 machines I can join to the network as 
a regular user, and all the machines in IPA connect directly to IPA? Could 
FreeIPA (current or future) be configured to relay the credentials to AD either 
via Kerberos or using AD's LDAP interface (binding as itself because it's 
joined to the AD domain)?  If AD accepts the provided credentials can FreeIPA 
issue the user a ticket in the FreeIPA realm? Would this look to AD like a 
bunch of users are logging into the FreeIPA server machine?

I know this arrangement would sacrifice access to any of the AD services by 
AD-users-on-the-IPA network. That's fine. If it's technically feasible, tho, it 
gives me one server that can authenticate both "corporate users" and "external 
users", and a central administration point for the external network. It also 
plainly differentiates between corporate users logged in on the corporate 
network, and corporate users logged in on the "external network". I'd consider 
that a good thing. Finally, if this is possible, it seems to me that this 
stands a chance of reducing the number of places my password is stored in 


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 

Freeipa-users mailing list

Reply via email to