On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
> Is it possible with FreeIPA to use an external KDC or pass some or all
> authentication to an external KDC? The KDC at our University may give
> me a one way trust if I describe my implementation plan for FreeIPA.
> Currently I use 389DS with PAM pass through using untrusted pam_krb5.
> I'd like to fully utilize FreeIPA without managing passwords since all
> my users already have University accounts. I just want to manage
> authorization for my systems, not authentication.

You could set up a Kerberos trust manually, but at the moment we do not support it in the code or the utilities. SSSD in particular will have no place to find identity information if all you have is a Kerberos trust; you'd also need an external identity store to point to, but there is no built-in code in SSSD to link the 2 domains at this point.

We are planning on working on IPA-to-IPA trust, and possibly IPA-to-*other*, so any requirements you can throw at us will be made part of the consideration and planning to add this kind of functionality in the future.

NM B HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York