On 02/17/2015 04:34 PM, Steven Jones wrote:

"I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines."

dictated by a clueless Windows ***** no doubt, ***sigh*** Here we are keeping both separate as AD is so bad security wise, but want some low risk trusts for certain groups of machines (common desktops).

If the expectation is its directly off the AD then you dont need IPA at all. However without an expensive commercial addon per Linux server/desktop you wont be able to do much management and control. this has security implications, if you had say a finance or HR server without these commercial tools you may find any AD user could get on them, not what you would want.

So you have 2 options in keeping IPA,

a) trusts and you should be able keep your users.

b) winsync and passync and all the AD users are synced over to IPA. Existing users stay as is, the ones in AD but not in IPA get pulled over to IPA.


c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.

I am not sure this is the best solution really.
Trust and sync do not help each other. The fact that you have trust does not help you to provision users the way you describe.

I'd like to do c) which I am looking at at present, if I ever get IPA on RHEL6.6 upgraded to RHEL7.1!


Steven J

*From:* freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of David Fitzgerald <david.fitzger...@millersville.edu>
*Sent:* Wednesday, 18 February 2015 10:05 a.m.
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] question about Active Directory authentication


I am currently running an IPA 3.3 server on Centos 7. I have 70 IPA client machines running Scientific Linux 6.6 and 150 users. User directories are auto-mounted from a Centos 7 file server.

I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines. I have been looking through the IPA documentation and am getting myself confused and not completely understanding what needs to be done, thus I have some questions.

1.The docs talk about setting up a trust between the IPA server and the AD server. Will I need to change all of the IPA clients as well as the IPA server, or do I only need change the server and not have to touch the clients?

2.Do I even need to set up a full trust relationship just to authenticate my users with AD?

3.Since I already have 150 users, will I have to delete their IPA accounts before setting up the trust? W

Sorry if my questions are a bit basic, but I need some guidance to get me started.




David Fitzgerald

Department of Earth Sciences

Millersville University

Millersville, PA 17551

Phone:  717-871-2394

E-Mail:  david.fitzger...@millersville.edu

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to