we are investigating the possibility to use an existing and valid AD
token to obtain a token from a realm under FreeIPA (3.3.3 from el7),
without having to set up the full IPA AD cross realm trust. (in
particular, to avoid that AD has to trust the IPA setup; and with the
goal that we can minimise any required actions on the AD setup).
what we would like to achieve is the following:
--- authenticate via AD password
-- no password required, authentication based on valid AD token
so one can then e.g. "ssh otherusern...@machine.under.ipa.control"
the user@AD to otherusername@IPA mapping is provided somewhere on the
IPA server and is static.
as far as i understood, this is (very?) different from actual trust
relation where having the user@AD token is sufficient to do "ssh
any hints are welcome!