On 01/29/2015 06:19 PM, Steven Jones wrote:


Where is this at? ie is the above a supported configuration?


Supported.


So will passync and winsync work OK?


Yes


Will trusts?


Yes


Will they work together?


Only during migration.
There is a migration strategy. http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust

So ideally I'd like to use winsync and passsync to provision users from AD to IPA. Then in specific low security situations use trusts to grant access. So for low security instances eg a user on a windows or linux desktop can login with one password.


I am not sure I follow.

With trust you have a single user entry in AD and even if a Linux system is connected to IPA the user logging into it will authenticate against AD but it will be IPA that will define whether this user can access this system. It will be defined via HBAC rules.

So whether you use trust or sync the access control is orthogonal and depends on which system the host is joined to. I guess you need to take a look at how IPA can define HBAC rules for users from AD in trust case. You add an AD group as a member of the IPA group and then apply HBAC policy to that IPA group.


However for high level security I want to have permissions only granted/grantable in IPA. So an admin to say the HR database server cannot login with a trust from IPA they have to be in a user group setup in IPA only.



regards

Steven






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to