On 10/07/2015 12:01 PM, Martin Kosek wrote:
> On 10/06/2015 07:35 PM, Lesley Kimmel wrote:
>> Hi all;
>> I'm working an initiative to centralize user accounts in Active Directory.
>> We have a large RHEL (6+) footprint and want to manage these as well. I am
>> a Red Hat Engineer on the project and, while it is possible to integrate
>> all of the RHEL clients directly to AD, I have a nagging feeling that using
>> IdM as an intermediary would be a good approach. However, I have never
>> implemented it and experienced the solidity of integration with AD so I
>> can't formulate a solid argument at this point.
>> My primary belief is that using IdM would allow for the Unix administrators
>> better control over their environment.
> Yes, it would allow you easy control/integration for Linux based services, 
> like
> SUDO, automount and others. It may also save some costs, as if you join the
> hosts directly to AD, you may need to pay the CLAs.

BTW, Dmitri Pal also published a set of great blogs about IdM that can help you


... aaand a related presentation:

>> However, even in that case we also
>> have Satellite so we likely wouldn't use IdM for policy centralization.
> What policy do you have in mind right now, authorization?
>> I'm
>> curious whether it is possible to store all user, group and system objects
>> in Active Directory and then allow the configuration of host based access
>> control policies from IdM using those AD objects.
> Yes, this should work with IdM external groups used in HBAC:
> https://www.youtube.com/watch?v=sQnNFJOzwa8
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html#about-hbac
>> That might be one
>> argument for it. As an add-on to that question how is the HBAC actually
>> implemented in IdM? It doesn't simply push down a policy for pam_access
>> does it?
> HBAC is evaluated on the client (SSSD), i.e. that makes SSSD a requirement to
> use HBAC.
>> Also, if users were configured with Smart Card information in AD could
>> these users authenticate to Linux clients with IdM as an intermediary?
> This *may* work with the current Smart Card implementation in SSSD 1.13. It
> should just work with IdM users and registered SC certificates out of the box,
> for AD, some additional configuration will be required, Sumit will know more.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to