I'm working on an initiative to centralize user accounts in Active Directory.
We have a large RHEL (6+) footprint and want to manage these as well. I am
a Red Hat Engineer on the project and, while it is possible to integrate
all of the RHEL clients directly to AD, I have a nagging feeling that using
IdM as an intermediary would be a good approach. However, I have never
implemented it or experienced the solidity of its integration with AD, so I
can't formulate a solid argument at this point.
My primary belief is that using IdM would allow the Unix administrators
better control over their environment. However, even in that case we also
have Satellite, so we likely wouldn't use IdM for policy centralization. I'm
curious whether it is possible to store all user, group and system objects
in Active Directory and then allow the configuration of host based access
control policies from IdM using those AD objects. That might be one
argument for it. As an add-on to that question, how is the HBAC actually
implemented in IdM? It doesn't simply push down a policy for pam_access?
Also, if users were configured with Smart Card information in AD, could
these users authenticate to Linux clients with IdM as an intermediary?
Thanks ahead of time!
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project