On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
Hi!

There are two ways that you can use to integrate FreeIPA with AD: a) trust,
b) synchronization. Here are the pros/cons for both of them:
http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync

If you want to manage POSIX attributes for each user, you can do that with
either Identity Management for Unix at AD using the trust, or with the
synchronization at FreeIPA. With synchronization you see the users in
FreeIPA, but still have two users to manage - in FreeIPA and AD.
With the AD trust the sssd daemon running on FreeIPA is proxying all
requests from the client sssd directly to AD
This is not exactly true. SSSD understands that IPA and AD are in trust relations. If you use user name and password to log in, SSSD will turn to AD directly without sending the password over the wire. If you SSO into the Linux box, the Kerberos library (on your Windows client) will do all the ticket acquisition and redirects.

The proxy is already done for older clients that do not understand that IPA is in trust relations with AD.
http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf

, so you see no users in
FreeIPA, but you have to extend the AD schema using Identity
Management for Unix.

You really have two options: let SSSD map users dynamically, in which case you do not need AD schema extensions, or you can extend the schema as suggested.
The third option that is under development is described in my other reply.

Also the password policy from the group policy in
AD is used when you use the AD trust, but on clients with sssd you can
change the password using kpasswd from Kerberos. If you want to use a
trust with AD and want to receive the correct GID set in AD then you
have to use sssd >1.9.x, otherwise you get a different GID (see
https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)

All other stuff such as HBAC etc. can be centrally managed on FreeIPA,
no matter if you use a trust or synchronization.

Gregor

2014-09-13 22:03 GMT+02:00 Traiano Welcome <trai...@gmail.com>:
Hi List

Currently I have a stable trust relationship going between IPA and Windows
AD. I create users and manage passwords in AD, but want to manage the rest
in IPA, "the rest" being default shell, default home directory settings,
RBAC, HBAC, SELinux, etc.

What I'm expecting is to be able to log into the FreeIPA web interface, and
see a synched list of users created in AD appear in the interface, after
which I can modify the settings on a per-user basis.

If that level of granularity is not possible, I would then expect to be able
to at least apply an IPA-imposed set of account defaults on an AD user
group:

- default shell
- HBAC rules
- Sudo rules
- SELinux rules
- RBAC

Is this possible with FreeIPA? I can't find anything coherent in the
documentation that describes an effective way of managing the POSIX
attributes of AD users in FreeIPA.

Thanks in advance!
Traiano




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
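The point made above, that HBAC and sudo can be managed centrally in FreeIPA for AD users over a trust, is illustrated by the following added example. It is not code from this thread or from the FreeIPA project; it assumes an existing AD trust, the `ipa` CLI with the `group-*`, `hbacrule-*`, `sudocmd-add` and `sudorule-*` subcommands, and that a host group for the target Linux machines already exists. The AD domain, group, host group and rule names are constructed placeholders. The sequence is: an external group holds the AD group, a POSIX group wraps it, and the HBAC and sudo rules reference the POSIX group. Setting `DRY_RUN=1` only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): grant an AD group SSH access and a
# sudo command on a FreeIPA host group, using the trust.
# All names below are constructed placeholders.

# Run "ipa" normally, or print the command when DRY_RUN=1.
ipa_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "ipa $*"
    else
        ipa "$@"
    fi
}

# An AD group becomes usable in IPA rules through two groups:
#   $2: a non-POSIX "external" group that holds the AD group reference
#   $3: a POSIX group that contains the external group
map_ad_group() {
    ad_group="$1"   # e.g. 'AD.EXAMPLE.COM\linux-admins' (placeholder)
    ext="$2"
    posix="$3"
    ipa_run group-add --external "$ext" --desc "External group for $ad_group"
    ipa_run group-add-member "$ext" --external "$ad_group"
    ipa_run group-add "$posix" --desc "POSIX group wrapping $ext"
    ipa_run group-add-member "$posix" --groups "$ext"
}

# HBAC: allow the POSIX group to use sshd on hosts in the host group.
add_hbac_rule() {
    rule="$1"; posix="$2"; hostgroup="$3"
    ipa_run hbacrule-add "$rule" --desc "SSH access for $posix"
    ipa_run hbacrule-add-user "$rule" --groups "$posix"
    ipa_run hbacrule-add-host "$rule" --hostgroups "$hostgroup"
    ipa_run hbacrule-add-service "$rule" --hbacsvcs sshd
}

# Sudo: allow the POSIX group to run one command on the host group.
add_sudo_rule() {
    rule="$1"; posix="$2"; hostgroup="$3"; cmd="$4"
    ipa_run sudocmd-add "$cmd" --desc "Allowed via $rule"
    ipa_run sudorule-add "$rule" --desc "sudo for $posix"
    ipa_run sudorule-add-user "$rule" --groups "$posix"
    ipa_run sudorule-add-host "$rule" --hostgroups "$hostgroup"
    ipa_run sudorule-add-allow-command "$rule" --sudocmds "$cmd"
}

# Whole procedure for one AD group (13 ipa invocations).
setup_ad_access() {
    ad_group="$1"; hostgroup="$2"
    map_ad_group "$ad_group" ad_admins_external ad_admins
    add_hbac_rule allow_ad_admins_ssh ad_admins "$hostgroup"
    add_sudo_rule ad_admins_less ad_admins "$hostgroup" /usr/bin/less
}

# Usage (placeholders): RUN_SETUP=1 DRY_RUN=1 sh this_script.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_ad_access 'AD.EXAMPLE.COM\linux-admins' linux_servers
fi
```

Default shell and home directory for trusted users are not covered by these rules; that is client-side SSSD configuration rather than an IPA rule, and is outside this example.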
