On 05/30/2014 08:23 PM, tizo wrote:

On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>> wrote:

    On 05/30/2014 05:00 PM, tizo wrote:

        From: Alexander Bokovoy <abokovoy redhat com>
        To: Sumit Bose <sbose redhat com>
        Cc: freeipa-users redhat com
        Subject: Re: [Freeipa-users] Trust services
        Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)

    ----- Original Message -----
    > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
    > > I would like to know if having configured trust services
    > > between FreeIPA and Active Directory allows AD users to
    > > authenticate to services that are only configured to
    > > authenticate against FreeIPA.
    > >
    > > For example, having configured the trusts, if I have a mail
    > > server that is using FreeIPA as its authentication method, can
    > > a user A from Active Directory, who does not exist in FreeIPA,
    > > authenticate to the mail server?
    > It depends a bit on how the users authenticate exactly, because IPA
    > offers Kerberos and LDAP authentication.
    > Kerberos should work out of the box because that's one of the trust
    > components, trusting Kerberos tickets from the other domain/realm.
    > For LDAP authentication you should be able to find the users from
    > the trusted domain in the compat tree below
    > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you
    > can do an LDAP bind with the DN from the compat tree and the
    > password used in AD.
    Please note that the latter is valid only for FreeIPA 3.3 and later.
    FreeIPA 3.0 does not support authentication over LDAP in the
    compat tree.
-- / Alexander Bokovoy

    Ok. I will definitely use Kerberos. But looking at the diagram
    of page 22 in
    I see that SSSD in the GNU/Linux host is authenticating against
    both Active Directory and FreeIPA. Does the email server that I
    mentioned before have to be configured in a similar way to the
    SSSD in the GNU/Linux host of the example? Or is it enough that
    it is configured against the FreeIPA Kerberos and nothing else?

    You configure the client (SSSD) to point to IPA, but it will
    discover that IPA is in a trust relationship and will know how to
    deal with tickets coming from the AD side.
    This is why there are two arrows. They show communication.

Ok. And what about a mail server? We are planning to use Zimbra, and we want users from both FreeIPA and AD to use it. Could we just configure it to authenticate against FreeIPA Kerberos? Or do we have to do something else?
How do you plan to configure it? How can it be configured?
I assume we are talking about the Zimbra web interface, right?

If Zimbra natively supports Kerberos then I would:
1) Make the Zimbra host system a member of the IPA domain
2) Make Zimbra a Kerberos service in the IPA domain
3) Configure mod_auth_kerb or an equivalent capability for Zimbra to accept Kerberos tickets
4) Configure Zimbra to get account information from the IPA compat tree - this way AD and IPA users will be available to it via LDAP
5) In case there is no ticket, Zimbra would prompt the user for user name and password and bind against the IPA compat tree, thus allowing authentication for IPA and trusted users.

In the future, when the world is old and wise, I hope something like this [1] would be possible with Zimbra too.

[1] http://www.freeipa.org/page/Web_App_Authentication

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
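The five steps in Dmitri's reply, written out as a shell script. This is an added example, not code from the thread, from FreeIPA or from Zimbra; the server name, realm, LDAP suffix, Zimbra host, keytab path and the /zimbra location are all assumptions, and the script assumes an Apache front-end with mod_auth_kerb for step 3 (Zimbra's own configuration of steps 4 and 5 is left as the LDAP base and bind check that any front-end would use).

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA/Zimbra projects:
# Dmitri's five steps as shell functions. Every host name, realm, suffix and
# path below is an assumption; set the variables for your own deployment.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"       # assumed IPA server
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"             # assumed IPA Kerberos realm
IPA_BASE_DN="${IPA_BASE_DN:-dc=example,dc=com}"   # assumed IPA LDAP suffix
ZIMBRA_HOST="${ZIMBRA_HOST:-zimbra.example.com}"  # assumed Zimbra host FQDN
KEYTAB="${KEYTAB:-/etc/httpd/conf/http.keytab}"   # assumed keytab location

# Step 1: enroll the Zimbra host in the IPA domain (run on that host, as root).
enroll_host() {
    domain=$(printf '%s' "$IPA_REALM" | tr '[:upper:]' '[:lower:]')
    ipa-client-install --domain="$domain" --realm="$IPA_REALM" --server="$IPA_SERVER"
}

# Step 2: the Kerberos service principal the web front-end will accept tickets for.
service_principal() {
    printf 'HTTP/%s@%s\n' "$ZIMBRA_HOST" "$IPA_REALM"
}

# Step 2 (continued): register the service in IPA and fetch its keytab.
create_service() {
    princ=$(service_principal)
    ipa service-add "$princ"
    ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$KEYTAB"
    chmod 600 "$KEYTAB"   # then chown it to the account that runs the web front-end
}

# Step 3: mod_auth_kerb fragment that accepts Negotiate (ticket) auth only;
# password auth over Kerberos is left off because step 5 handles that via LDAP.
auth_kerb_config() {
    cat <<EOF
<Location /zimbra>
    AuthType Kerberos
    AuthName "Zimbra"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP
    Krb5KeyTab $KEYTAB
    Require valid-user
</Location>
EOF
}

# Step 4: the compat tree users container; IPA users appear as uid=name and
# trusted AD users as uid=name@ad.domain (lower-case AD DNS domain).
compat_users_base() {
    printf 'cn=users,cn=compat,%s\n' "$IPA_BASE_DN"
}

compat_user_dn() {
    printf 'uid=%s,%s\n' "$1" "$(compat_users_base)"
}

# Step 5: verify a password bind against the compat tree for one user. The
# password is read from stdin into a 0600 temp file so it never appears in the
# process list; ldaps is used because a simple bind sends the password itself.
compat_bind_check() {
    user="$1"
    IFS= read -r pw
    pwfile=$(umask 077; mktemp)
    printf '%s' "$pw" > "$pwfile"   # -y uses the file contents verbatim, so no newline
    if ldapwhoami -x -H "ldaps://$IPA_SERVER" -D "$(compat_user_dn "$user")" -y "$pwfile"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$pwfile"
    return "$rc"
}

# Usage on a real deployment (not run when the file is merely sourced):
#   enroll_host; create_service
#   auth_kerb_config > /etc/httpd/conf.d/zimbra-krb.conf
#   printf '%s\n' 'the-ad-password' | compat_bind_check 'bob@ad.example.com'
```

The bind check is the part worth running first: it succeeds for an AD user only on FreeIPA 3.3 or later, as Alexander notes above, so a failure there on 3.0 is expected and not a trust problem. Keep KrbMethodK5Passwd off; letting mod_auth_kerb take passwords would duplicate step 5 with a second, less controllable path.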
