On Fri, 30 May 2014, tizo wrote:
On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal <d...@redhat.com> wrote:

 On 05/30/2014 05:00 PM, tizo wrote:


    From: Alexander Bokovoy <abokovoy redhat com>
    To: Sumit Bose <sbose redhat com>
    Cc: freeipa-users redhat com
    Subject: Re: [Freeipa-users] Trust services
    Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)

----- Original Message -----
> On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> > I would like to know whether having configured trust services between
> > FreeIPA and Active Directory allows AD users to authenticate to services
> > that are only configured to authenticate against FreeIPA.
> >
> > For example, having configured the trusts, if I have a mail server
> > that is using FreeIPA as its authentication method, can a user A from
> > Active Directory, who does not exist in FreeIPA, authenticate to the
> > mail server?
>
> It depends a bit on how the users authenticate exactly, because IPA
> offers Kerberos and LDAP authentication.
>
> Kerberos should work out of the box because that's one of the trust
> components: trusting Kerberos tickets from the other domain/realm.
>
> For LDAP authentication you should be able to find the users from the
> trusted domain in the compat tree below
> cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can
> do an LDAP bind with the DN from the compat tree and the password used in
> AD.
Please note that the latter is valid only for FreeIPA 3.3 and later.
FreeIPA 3.0 does not support authentication over LDAP in the compat tree.
--
/ Alexander Bokovoy

 Ok. I will definitely use Kerberos. But looking at the diagram on page
22 of
http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf
I see that SSSD on the GNU/Linux host is authenticating against both Active
Directory and FreeIPA. Does the email server that I mentioned before have
to be configured in a similar way to SSSD on the GNU/Linux host of the
example? Or is it enough that it is configured against the FreeIPA
Kerberos and nothing else?


You configure the client (SSSD) to point to IPA, but it will discover that IPA
is in a trust relationship and will know how to deal with tickets coming from
the AD side.
This is why there are two arrows. They show communication.


Ok. And what about a mail server? We are planning to use Zimbra, and we
want users from both FreeIPA and AD to use it. Could we just configure it
to authenticate against FreeIPA Kerberos? Or do we have to do something
else?
Here is the howto for Zimbra/FreeIPA LDAP integration:
http://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA

Note that Zimbra 8.0 does support Kerberos authentication through the web
interface, but the instructions outlined in Appendix B of the Zimbra Admin
Guide only cover the case of using Active Directory to set up services
and keytabs. It should be relatively simple to translate that one to use
FreeIPA; if someone does so, please extend the page on freeipa.org to
cover the Kerberos details.

--
/ Alexander Bokovoy
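As an added example (not code from this thread or from the FreeIPA project), here is the LDAP path Sumit describes, written as a shell script an admin could use to check a trusted AD user's password before wiring it into a mail server: look the user up in the compat tree, then do a simple bind as that DN with the AD password. The IPA host name, base DN and user name are placeholders; the `uid=user@ad.domain` naming of trusted users under `cn=users,cn=compat` is an assumption to verify against your own server. As the thread notes, the bind only works on FreeIPA 3.3 and later.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. It exercises the
# LDAP path described above: look the AD user up in the compat tree, then
# simple-bind as that DN with the AD password (works on FreeIPA 3.3+ only).
set -eu

IPA_HOST="${IPA_HOST:-ipa.example.test}"      # assumption: your IPA server
BASE_DN="${BASE_DN:-dc=example,dc=test}"      # assumption: your IPA base DN
COMPAT_USERS="cn=users,cn=compat,${BASE_DN}"  # compat tree for users

# Escape the RFC 4515 special characters so a user-supplied name cannot
# alter the search filter. Backslash must be escaped first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Extract the DN from the LDIF that ldapsearch prints. Long DNs are folded
# onto continuation lines starting with a space; those are joined back.
# (The base64 "dn::" form used for non-ASCII DNs is not handled here.)
compat_dn_from_ldif() {
    awk '
        /^dn: /            { dn = substr($0, 5); collecting = 1; next }
        collecting && /^ / { dn = dn substr($0, 2); next }
        collecting         { print dn; collecting = 0; exit }
        END                { if (collecting) print dn }
    '
}

# Step 1: anonymous search for the trusted user's compat entry.
# Assumption: trusted users appear as uid=user@ad.domain; verify this with
# ldapsearch against your own server before relying on it.
# "1.1" asks for no attributes, so only the dn: line comes back.
find_compat_dn() {
    ldapsearch -x -LLL -H "ldap://${IPA_HOST}" -b "$COMPAT_USERS" \
        "(uid=$(ldap_filter_escape "$1"))" 1.1 | compat_dn_from_ldif
}

# Step 2: simple bind as that DN with the AD password, read from a file so it
# does not show up in the process list. -ZZ insists on StartTLS succeeding,
# so the password never crosses the wire in clear.
verify_ad_password() {
    dn=$(find_compat_dn "$1")
    [ -n "$dn" ] || { echo "no compat entry for $1" >&2; return 1; }
    ldapwhoami -x -ZZ -H "ldap://${IPA_HOST}" -D "$dn" -y "$2" >/dev/null
}

# Usage: IPA_HOST=... BASE_DN=... sh compat_bind.sh alice@ad.example.test /path/to/passfile
if [ $# -eq 2 ]; then
    verify_ad_password "$1" "$2" && echo "bind OK: $1"
fi
```

A successful `ldapwhoami` here means IPA accepted the AD password for that compat DN, which is exactly what a mail server doing LDAP simple binds against FreeIPA would rely on; a failure on FreeIPA 3.0 is expected, since that release does not forward compat-tree binds to the trusted domain.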

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
