hi all,

We are investigating the possibility of using an existing, valid AD token to obtain a token from a realm under FreeIPA (3.3.3 from el7), without having to set up the full IPA-AD cross-realm trust (in particular, to avoid AD having to trust the IPA setup, and with the goal of minimising any required actions on the AD side).


What we would like to achieve is the following:

kinit user@AD
-- authenticate via AD password

kinit otherusername@IPA
-- no password required, authentication based on the valid AD token

So one can then e.g. "ssh otherusern...@machine.under.ipa.control".

The user@AD to otherusername@IPA mapping is provided somewhere on the IPA server and is static.

As far as I understand, this is (very?) different from an actual trust relation, where having the user@AD token is sufficient to do "ssh otherusern...@machine.under.ipa.control".


Any hints are welcome!

stijn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project