> We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our
> UNIX infrastructure. All of our Linux hosts currently have standard and
> consistent UID/GIDs for at least all of our administrative users. I'm looking
> for advice on how to migrate these users into IPA.
> Eventually we plan to configure a kerberos trust with our AD domain where
> we could configure these UID/GIDs via AD's POSIX UID/GID settings.
So if I understand this right, you're planning on two back to back user
migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your
current "local" users coincidentally the same as your current AD users?
I'm probably a bad example. I centralized authentication for web apps about
four years ago. I'm adopting FreeIPA because my desktops are "every machine for
itself". I have the same username everywhere, but UIDs/GIDs are uncoordinated.
More important to me is the fact that my passwords are related to whatever was
in vogue when I set up the machine, and the machines were set up any time from
this month to ten years ago. Converting to FreeIPA happened because I started
thinking of my little domain as a place to manage collections of desktops
instead of just collections of web applications.
I'm also feverishly trying to setup an isolation layer between myself and AD,
because my CIO is migrating from an "agency" directory to a "department"
directory, with users migrating in batches not aligned to the projects I
support. The isolation layer also allows me to continue to form groups composed
of both AD and FreeIPA users, allows me to supplement or override user
attributes for the local environment, and (cross-fingers) will allow for NFS
file sharing with kerberos authenticated principals from more than one realm
(assuming the Kerberos trust comes thru). Four birds with one stone.
This electronic message contains information generated by the USDA solely for
the intended recipients. Any unauthorized interception of this message or the
use or disclosure of the information it contains may violate the law and
subject the violator to civil or criminal penalties. If you believe you have
received this message in error, please notify the sender and delete the email
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project