On 10/07/2015 12:01 PM, Martin Kosek wrote:
> On 10/06/2015 07:35 PM, Lesley Kimmel wrote:
>> Hi all;
>>
>> I'm working on an initiative to centralize user accounts in Active Directory.
>> We have a large RHEL (6+) footprint and want to manage these as well. I am
>> a Red Hat Engineer on the project and, while it is possible to integrate
>> all of the RHEL clients directly to AD, I have a nagging feeling that using
>> IdM as an intermediary would be a good approach. However, I have never
>> implemented it and experienced the solidity of integration with AD so I
>> can't formulate a solid argument at this point.
>>
>> My primary belief is that using IdM would allow for the Unix administrators
>> better control over their environment.
>
> Yes, it would allow you easy control/integration for Linux-based services,
> like SUDO, automount and others. It may also save some costs, as if you join
> the hosts directly to AD, you may need to pay the CALs.

BTW, Dmitri Pal also published a set of great blogs about IdM that can help
you too:
http://rhelblog.redhat.com/2015/05/27/direct-or-indirect-that-is-the-question/

... aaand a related presentation:
https://drive.google.com/file/d/0B3tfpNCVjJdCU1d3c0gzTE9pU2c/view?usp=sharing

>
>> However, even in that case we also have Satellite so we likely wouldn't
>> use IdM for policy centralization.
>
> What policy do you have in mind right now, authorization?
>
>> I'm curious whether it is possible to store all user, group and system
>> objects in Active Directory and then allow the configuration of host-based
>> access control policies from IdM using those AD objects.
>
> Yes, this should work with IdM external groups used in HBAC:
> https://www.youtube.com/watch?v=sQnNFJOzwa8
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html#about-hbac
>
>> That might be one argument for it. As an add-on to that question, how is
>> the HBAC actually implemented in IdM? It doesn't simply push down a policy
>> for pam_access, does it?
>
> HBAC is evaluated on the client (SSSD), i.e. that makes SSSD a requirement to
> use HBAC.
>
>> Also, if users were configured with Smart Card information in AD, could
>> these users authenticate to Linux clients with IdM as an intermediary?
>
> This *may* work with the current Smart Card implementation in SSSD 1.13. It
> should just work with IdM users and registered SC certificates out of the box;
> for AD, some additional configuration will be required. Sumit will know more.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
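The two points Martin makes above (HBAC is allow-only and is evaluated on the client by SSSD, and an AD user reaches an HBAC rule through an IdM external group nested in a POSIX group) modelled as an added Python example. This is illustration written for this thread, not SSSD or IdM code; every user, SID, group, host and rule name in it is constructed, and the SID-matching and nesting logic is a deliberately simplified stand-in for what SSSD does with the data it caches from IdM.

```python
"""Toy model of client-side HBAC evaluation, the check SSSD performs on each
enrolled host. Added illustration only: not SSSD or IdM code. Every user,
SID, group, host and rule below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class User:
    name: str
    # For an AD user SSSD learns the SIDs of the user and its AD groups
    # (Kerberos PAC / AD lookup); IdM-native users carry none.
    sids: FrozenSet[str] = frozenset()


@dataclass
class Group:
    name: str
    users: Set[str] = field(default_factory=set)          # direct IdM users
    groups: Set[str] = field(default_factory=set)         # nested IdM groups
    external_sids: Set[str] = field(default_factory=set)  # AD SIDs, external groups only


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category_all: bool = False
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    host_category_all: bool = False
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    service_category_all: bool = False
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)


def effective_groups(user: User, groups: Dict[str, Group]) -> Set[str]:
    """IdM groups the user is in: directly by name, or by one of its SIDs
    matching an external group, then closed under nesting so an external
    group inside a POSIX group carries the AD user into that POSIX group."""
    result: Set[str] = set()
    frontier = [g.name for g in groups.values()
                if user.name in g.users or user.sids & g.external_sids]
    while frontier:
        name = frontier.pop()
        if name in result:
            continue
        result.add(name)
        frontier.extend(g.name for g in groups.values() if name in g.groups)
    return result


def rule_matches(rule: HbacRule, user: User, user_groups: Set[str],
                 host: str, hostgroups: Set[str],
                 service: str, servicegroups: Set[str]) -> bool:
    """An enabled rule matches when its user, host and service parts all match."""
    if not rule.enabled:
        return False
    u = rule.user_category_all or user.name in rule.users or bool(user_groups & rule.groups)
    h = rule.host_category_all or host in rule.hosts or bool(hostgroups & rule.hostgroups)
    s = rule.service_category_all or service in rule.services or bool(servicegroups & rule.servicegroups)
    return u and h and s


def hbac_check(rules: List[HbacRule], groups: Dict[str, Group], user: User,
               host: str, hostgroups: Set[str],
               service: str, servicegroups: Set[str]) -> List[str]:
    """Names of the rules granting access; access is allowed iff non-empty.
    HBAC rules are allow-only, so there is nothing to deny or to order."""
    user_groups = effective_groups(user, groups)
    return [r.name for r in rules
            if rule_matches(r, user, user_groups, host, hostgroups, service, servicegroups)]


# Constructed sample directory (domain SID, RIDs and names are made up).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
GROUPS = {g.name: g for g in [
    # external group holding the SID of an AD group (here "Domain Admins", RID 512)
    Group("ad_admins_external", external_sids={DOMAIN_SID + "-512"}),
    # POSIX group the HBAC rule references; the external group is nested in it
    Group("ad_admins", groups={"ad_admins_external"}),
]}
RULES = [
    # IdM ships an 'allow_all' rule enabled by default; leave it enabled and
    # every user passes HBAC on every host regardless of the rules below.
    HbacRule("allow_all", enabled=False, user_category_all=True,
             host_category_all=True, service_category_all=True),
    HbacRule("ad_admins_ssh_web", groups={"ad_admins"},
             hostgroups={"webservers"}, services={"sshd"}),
]
AD_ADMIN = User("jdoe@ad.example.com",
                sids=frozenset({DOMAIN_SID + "-1105", DOMAIN_SID + "-512"}))
AD_USER = User("asmith@ad.example.com",
               sids=frozenset({DOMAIN_SID + "-1201", DOMAIN_SID + "-513"}))


if __name__ == "__main__":
    for user in (AD_ADMIN, AD_USER):
        print(user.name, "-> sshd on web1:",
              hbac_check(RULES, GROUPS, user, "web1.example.com",
                         {"webservers"}, "sshd", set()))
```

On a real IdM server the same shape is built with the ipa CLI (group and rule names are the hypothetical ones from the model): `ipa group-add --external ad_admins_external`, `ipa group-add-member ad_admins_external --external 'AD\Domain Admins'`, `ipa group-add ad_admins`, `ipa group-add-member ad_admins --groups ad_admins_external`, then `ipa hbacrule-add ad_admins_ssh_web`, `ipa hbacrule-add-user ad_admins_ssh_web --groups ad_admins`, `ipa hbacrule-add-host ad_admins_ssh_web --hostgroups webservers`, `ipa hbacrule-add-service ad_admins_ssh_web --hbacsvcs sshd`, and `ipa hbacrule-disable allow_all`. `ipa hbactest --user jdoe@ad.example.com --host web1.example.com --service sshd` simulates the decision on the server, but, as Martin notes, the decision that counts is the one SSSD makes on the host, which is why HBAC only applies to clients running SSSD.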