On 03/03/2014 07:47 PM, Simo Sorce wrote:
> On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
>> Is it possible with FreeIPA to use an external KDC or pass some or all
>> authentication to an external KDC?  The KDC at our University may give
>> me a one way trust if I describe my implementation plan for FreeIPA.
>> Currently I use 389DS with PAM pass through using untrusted pam_krb5.
>> I'd like to fully utilize FreeIPA without managing passwords since all
>> my users already have University accounts.  I just want to manage
>> authorization for my systems, not authentication.
>
> You could set up a kerberos trust manually but at the moment we do not
> support it in the code or the utilities.
>
> SSSD in particular will have no place to find identity information if
> all you have is a kerberos trust, you'd need also an external identity
> store to point to, but there is no builtin code in SSSD to link the 2
> domains at this point.
>
> We are planning on working on IPA-to-IPA trust, and possibly
> IPA-to-*other* so any requirements you can throw at us will be made part
> of the consideration and planning to add this kind of functionality in
> the future.


Can you describe your workflows because I have some idea in mind?
Would you be OK if your accounts would be in IPA but the authentication would be proxied out?

The idea is that you can use OTP RADIUS capability to proxy passwords to your main KDC.

client ---OTP---> IPA ---> OTP Proxy ---> RADIUS ---> Your KDC

Disclaimer: that would defeat the purpose of Kerberos and the password will be sent over the wire but it seems that you are already in this setup.

Would you be interested to give it a try?
Would require latest SSSD and kerberos library on the client though but would work with LDAP binds too.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Freeipa-users mailing list