Hey guys,

Back again. Thanks for your responses so far.

OTP is interesting, but requires that an account be created in the local 
domain, which is kind of opposed to the notion of federated identities.

Ipsilon is also interesting, from its description as a gateway to non-Kerberos 
identitiy providers. I have not located much information about it, though.

I've taken a couple of days to put together an RFE with three use cases and 
tons of pictures. It locally maintains user attributes in LDAP without creating 
a corresponding authentication principal in Kerberos. It offers a little more 
flexibility for integrating AD users to an IPA managed POSIX realm without 
conflicting with the existing method. It also makes possible the management of 
inter-organizational cross realm operation using PKINIT. Finally, it describes 
an interface between the IPA server and Ipsilon (or any identity gateway), and 
a mechanism by which Ipsilon may acquire TGTs for the local realm on behalf of 
clients who authenticate via remote, non-Kerberos identity providers. This last 
workflow is generic and supports methods other than a web-browser.

Please take a look and help me improve it. Also pls educate me out of any 
mistakes you detect. Part of the reason for doing this is for me to make sure I 
learned Kerberos concepts correctly.



This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 

Freeipa-users mailing list

Reply via email to