On 01/29/2015 06:19 PM, Steven Jones wrote:
> Where is this at? i.e., is the above a supported configuration?

Supported.

> So will passsync and winsync work OK?

Yes

> Will trusts?

Yes

> Will they work together?

Only during migration.
There is a migration strategy.
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust

> So ideally I'd like to use winsync and passsync to provision users
> from AD to IPA. Then in specific low security situations use trusts to
> grant access. So for low security instances, e.g. a user on a Windows
> or Linux desktop can log in with one password.

I am not sure I follow.
With trust you have a single user entry in AD and even if a Linux system
is connected to IPA the user logging into it will authenticate against
AD but it will be IPA that will define whether this user can access this
system. It will be defined via HBAC rules.
So whether you use trust or sync the access control is orthogonal and
depends on which system the host is joined to.
I guess you need to take a look at how IPA can define HBAC rules for
users from AD in the trust case. You add an AD group as a member of the IPA
group and then apply HBAC policy to that IPA group.

> However for high level security I want to have permissions only
> granted/grantable in IPA. So an admin to, say, the HR database server
> cannot log in with a trust from IPA; they have to be in a user group
> set up in IPA only.
> regards
> Steven
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
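
The arrangement described in the reply above (an AD group made a member of an IPA group, with HBAC policy applied to that IPA group), next to the IPA-only group the question asks for, as an added example that is not part of the original message. All group, host and rule names are hypothetical; it assumes the trust is already established and an admin Kerberos ticket is held.

```shell
#!/bin/sh
# Added example; every name below is hypothetical. Assumes an established
# AD trust and an admin Kerberos ticket (kinit admin) on an IPA server.
AD_GROUP='AD.EXAMPLE.COM\desktop-users'   # group that lives in AD
EXT_GROUP='ad_desktop_users_ext'          # non-POSIX external group in IPA
IPA_GROUP='ad_desktop_users'              # POSIX IPA group used by HBAC
DESKTOP='desktop01.ipa.example.com'       # low-security host
HR_GROUP='hr_db_admins'                   # holds IPA-native users only
HR_HOST='hrdb01.ipa.example.com'          # high-security host

# Low-security case: AD users reach the desktop through an IPA group.
grant_ad_group_access() {
    ipa group-add "$EXT_GROUP" --external &&
    ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP" &&
    ipa group-add "$IPA_GROUP" &&
    ipa group-add-member "$IPA_GROUP" --groups "$EXT_GROUP" &&
    ipa hbacrule-add allow_ad_desktop &&
    ipa hbacrule-add-user allow_ad_desktop --groups "$IPA_GROUP" &&
    ipa hbacrule-add-host allow_ad_desktop --hosts "$DESKTOP" &&
    ipa hbacrule-add-service allow_ad_desktop --hbacsvcs sshd
}

# High-security case: the rule names only a group managed inside IPA.
# No external group is nested in it, so AD users never match.
grant_ipa_only_access() {
    ipa group-add "$HR_GROUP" &&
    ipa hbacrule-add allow_hr_db &&
    ipa hbacrule-add-user allow_hr_db --groups "$HR_GROUP" &&
    ipa hbacrule-add-host allow_hr_db --hosts "$HR_HOST" &&
    ipa hbacrule-add-service allow_hr_db --hbacsvcs sshd
}

# Dry-run check of a user/host pair against the enabled rules.
check_access() {   # usage: check_access USER HOST
    ipa hbactest --user "$1" --host "$2" --service sshd
}

# The default allow_all rule grants everyone access everywhere; the rules
# above only restrict anything once it is disabled:
#   ipa hbacrule-disable allow_all
if [ "${1:-}" = apply ]; then
    grant_ad_group_access && grant_ipa_only_access
fi
```

Run it with the argument `apply` to create the groups and rules, then use `check_access` with an AD user and an IPA user against each host before disabling `allow_all`.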