From: Alexander Bokovoy <abokovoy redhat com>
To: Sumit Bose <sbose redhat com>
Cc: freeipa-users redhat com
Subject: Re: [Freeipa-users] Trust services
Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)

----- Original Message -----
> On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> > I would like to know if having configured trusts services between FreeIPA
> > and Active Directory allows AD users to authenticate in services that are
> > only configured to authenticate against FreeIPA.
> >
> > For example, having configured the trusts, if I have a mail server that is
> > using FreeIPA as its authentication method, can a user A from Active
> > Directory, who does not exist in FreeIPA, authenticate in the mail server?
>
> It depends a bit on how the users authenticate exactly because IPA
> offers Kerberos and LDAP authentication.
>
> Kerberos should work out of the box because that's one of the trusts
> components, trusting Kerberos tickets from the other domain/realm.
>
> For LDAP authentication you should be able to find the users from the
> trusted domain in the compat tree below
> cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can
> do an LDAP bind with the DN from the compat tree and the password used in
> AD.
Please note that the latter is valid only for FreeIPA 3.3 and later.
FreeIPA 3.0 does not support authentication over LDAP in the compat tree.
-- 
/ Alexander Bokovoy
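
The LDAP path described in the message above (find the user in the compat tree, then bind with that DN and the AD password), as an added example that is not part of the original thread or FreeIPA's own code. It assumes the third-party ldap3 package, a hypothetical server URI, anonymous read access to the compat tree, and AD users appearing there with uid=user@ad.domain; the base DN is the placeholder from the message.

```python
# Added example: search-then-bind against the FreeIPA compat tree.
# COMPAT_BASE is the placeholder DN from the message; LDAP_URI is hypothetical.
LDAP_URI = "ldaps://ipa.example.test"
COMPAT_BASE = "cn=compat,dc=your,dc=ipa,dc=domain"

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def compat_user_filter(login):
    """Filter for one POSIX user entry (assumed form for AD users: user@ad.domain)."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(login)


def authenticate(login, password, uri=LDAP_URI, base=COMPAT_BASE):
    """Return True only if the compat-tree DN for login binds with password."""
    # An empty password turns a simple bind into an unauthenticated bind
    # (RFC 4513 section 5.1.2), which a server may accept; refuse it here.
    if not login or not password:
        return False
    import ldap3  # third-party; imported lazily so the helpers work without it

    server = ldap3.Server(uri)
    # Step 1: anonymous search for the user's DN below the compat tree.
    lookup = ldap3.Connection(server, auto_bind=True)
    try:
        lookup.search(base, compat_user_filter(login), attributes=["uid"])
        dns = [entry.entry_dn for entry in lookup.entries]
    finally:
        lookup.unbind()
    if len(dns) != 1:  # unknown or ambiguous user: fail closed
        return False
    # Step 2: bind as that DN with the password the user has in AD.
    user = ldap3.Connection(server, user=dns[0], password=password)
    try:
        return bool(user.bind())
    finally:
        user.unbind()
```

As noted in the message, the bind step only works on FreeIPA 3.3 and later.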

Ok. I will definitely use Kerberos. But looking at the diagram on page 22 in
http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf
I see that SSSD in the GNU/Linux host is authenticating against both Active
Directory and FreeIPA. Does the email server that I mentioned before have
to be configured in a similar way to SSSD in the GNU/Linux host of the
example? Or is it enough that it is configured against the FreeIPA
Kerberos and nothing else?

Thanks very much.