On 03/22/2014 01:18 PM, Arthur wrote:
Dmitri Pal wrote:
On 03/20/2014 11:15 PM, Arthur Faizullin wrote:
Hi!
I've got some thoughts on the 4th point: there is the pgina project
(http://pgina.org/); maybe they are able to do such a thing.


Yes pgina is one of the options.
Someone would have to take it and integrate it with MIT Kerberos for Windows if it is not already doing so. But I suspect that it would be more a project in itself that would leverage code from MIT and maybe pgina to integrate different parts. The biggest part is figuring out the domain affiliation. I mean the use cases like this:

a) The system is domainless but user authenticates with user name and password against IPA
b) The system is domainless but user authenticates with user name and OTP against IPA
c) The system is in an AD domain trusted by IdM domain but user authenticates with user name and password against IPA because he is in IdM domain.
d) The system is in an AD domain trusted by IdM domain but user authenticates with user name and password against IPA because he is in IdM domain.

More to research. We can help with guidance if someone wants to run with it.

Thanks
Dmitri


20.02.2014 04:23, Dmitri Pal wrote:
Hello,

I want to summarize our position regarding joining Windows systems
into IPA.

1) If you already have AD we recommend using this system with AD and
using trusts between AD and IPA.
2) If you do not have AD then use Samba 4 instead of it. It would be
great when Samba 4 grows capability to establish trusts. Right now it
can't but there is an effort going on. If you are interested - please
contribute.
3) If neither of the two options works for you, you can configure
Windows system to work directly with IPA as described on the wiki. It
is an option of last resort because IPA does not provide the services
a Windows client expects. If this is good enough for you, fine by us.
4) Build a native Windows client (cred provider) for IPA using latest
Kerberos. IMO this would be really useful if someone does that because
we will not build this ourselves. With the native OTP support in IPA
it becomes a real business opportunity to provide a native 2FA inside
enterprise across multiple platforms. But please do it the open source way,
otherwise we would not recommend you ;-)


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


My friend agreed to try. He is a C# programmer. But the problem is that he has little knowledge of Kerberos and GSSAPI, and I could not tell him what is wrong with the current pgina LDAP plugin. He does not want to subscribe to the FreeIPA mailing lists, so maybe I should give him your (Dmitri's) e-mail?
He speaks Russian :)


The list is really the way to develop open source software collaboratively. This is what we are doing here. We can agree that the communication about the topic will be prefixed in such a way that he can create a filter so that he would get only mails that match the filter.
Would that work?

I am not sure that I would be able to provide all the support. We are a community here and we have different roles and angles. Working with just one person would not fly, sorry.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

