> We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our
> UNIX infrastructure.  All of our Linux hosts currently have standard and
> consistent UID/GIDs for at least all of our administrative users.  I'm looking
> for advice on how to migrate these users into IPA.
>...
> Eventually we plan to configure a Kerberos trust with our AD domain where
> we could configure these UID/GIDs via AD's POSIX UID/GID settings.

So if I understand this right, you're planning on two back-to-back user 
migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your 
current "local" users coincidentally the same as your current AD users?

I'm probably a bad example. I centralized authentication for web apps about 
four years ago. I'm adopting FreeIPA because my desktops are "every machine for 
itself". I have the same username everywhere, but UIDs/GIDs are uncoordinated. 
More important to me is the fact that my passwords are related to whatever was 
in vogue when I set up the machine, and the machines were set up any time from 
this month to ten years ago. Converting to FreeIPA happened because I started 
thinking of my little domain as a place to manage collections of desktops 
instead of just collections of web applications.

I'm also feverishly trying to set up an isolation layer between myself and AD, 
because my CIO is migrating from an "agency" directory to a "department" 
directory, with users migrating in batches not aligned to the projects I 
support. The isolation layer also allows me to continue to form groups composed 
of both AD and FreeIPA users, allows me to supplement or override user 
attributes for the local environment, and (cross-fingers) will allow for NFS 
file sharing with Kerberos-authenticated principals from more than one realm 
(assuming the Kerberos trust comes through). Four birds with one stone.

Bryce



