On Mon, Sep 14, 2015 at 12:38:00PM -0400, Mark Heslin wrote:
> Hi Tyler,
>
> Some comments below...I'm sure others will chime in :-)
>
> On 09/14/2015 10:33 AM, Milam, Tyler S wrote:
> >
> >My organization is evaluating new methods of user account provisioning in
> >Linux. What advantages does freeIPA offer over just SSSD?
> >
>
> Just to be clear, SSSD is the client that can work directly to an existing AD domain, or
> indirectly to an AD domain via IdM/FreeIPA and a cross-realm Kerberos trust.
> When you configure an IdM/FreeIPA client, SSSD is configured (via
> ipa-client-install or realmd). In short:
>
>    SSSD -> AD (Direct AD Integration)
>    SSSD -> IdM/FreeIPA (standard configuration)
>    SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect AD integration)
>
> In general, Direct AD integration is recommended for small environments with
> few Linux clients.
> For larger numbers of clients, indirect AD integration is preferred as it
> will give you more control, granularity
> to manage users, hosts, services, certs, keytabs, etc.
>
> There are some details that come into play - particularly around which
> versions of RHEL (or non-RHEL) your clients are on.
> Attached is a tech brief we put out for Summit that can help.

Also, there were some blog posts Dmitri wrote up not too long ago that compare direct and indirect integration:
http://rhelblog.redhat.com/2015/05/27/direct-or-indirect-that-is-the-question/