On Mon, Sep 14, 2015 at 12:38:00PM -0400, Mark Heslin wrote:
> Hi Tyler,
> Some comments below...I'm sure others will chime in :-)
> On 09/14/2015 10:33 AM, Milam, Tyler S wrote:
> >My organization is evaluating new methods of user account provisioning in
> >Linux. What advantages does freeIPA offer over just SSSD?
> Just to be clear, SSSD is the client that can work directly to an existing
> AD domain, or indirectly to an AD domain via IdM/FreeIPA and a cross-realm
> Kerberos trust.
> When you configure an IdM/FreeIPA client, SSSD is configured (via
> ipa-client-install or realmd). In short:
> SSSD -> AD (Direct AD Integration)
> SSSD -> IdM/FreeIPA (standard configuration)
> SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect AD integration)
> In general, Direct AD integration is recommended for small environments with
> few Linux clients.
> For larger numbers of clients, indirect AD integration is preferred as it
> will give you more control, granularity
> to manage users, hosts, services, certs, keytabs, etc.
> There are some details that come into play - particularly around which
> versions of RHEL (or non-RHEL) your clients are on.
> Attached is a tech brief we put out for Summit that can help.
Also, there were some blog posts Dmitri wrote up not too long ago that
compare direct and indirect integration: