On 10/06/2015 07:35 PM, Lesley Kimmel wrote:
> Hi all;
> 
> I'm working an initiative to centralize user accounts in Active Directory.
> We have a large RHEL (6+) footprint and want to manage these as well. I am
> a Red Hat Engineer on the project and, while it is possible to integrate
> all of the RHEL clients directly to AD, I have a nagging feeling that using
> IdM as an intermediary would be a good approach. However, I have never
> implemented it and experienced the solidity of integration with AD so I
> can't formulate a solid argument at this point.
> 
> My primary belief is that using IdM would allow for the Unix administrators
> better control over their environment.

Yes, it would allow you easy control/integration for Linux based services, like
SUDO, automount and others. It may also save some costs, as if you join the
hosts directly to AD, you may need to pay the CLAs.

> However, even in that case we also
> have Satellite so we likely wouldn't use IdM for policy centralization.

What policy do you have in mind right now, authorization?

> I'm
> curious whether it is possible to store all user, group and system objects
> in Active Directory and then allow the configuration of host based access
> control policies from IdM using those AD objects.

Yes, this should work with IdM external groups used in HBAC:
https://www.youtube.com/watch?v=sQnNFJOzwa8

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html#about-hbac

> That might be one
> argument for it. As an add-on to that question how is the HBAC actually
> implemented in IdM? It doesn't simply push down a policy for pam_access
> does it?

HBAC is evaluated on the client (SSSD), i.e. that makes SSSD a requirement to
use HBAC.

> 
> Also, if users were configured with Smart Card information in AD could
> these users authenticate to Linux clients with IdM as an intermediary?

This *may* work with the current Smart Card implementation in SSSD 1.13. It
should just work with IdM users and registered SC certificates out of the box,
for AD, some additional configuration will be required, Sumit will know more.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to