On 10/07/2015 12:01 PM, Martin Kosek wrote:
> On 10/06/2015 07:35 PM, Lesley Kimmel wrote:
>> Hi all;
>>
>> I'm working an initiative to centralize user accounts in Active Directory.
>> We have a large RHEL (6+) footprint and want to manage these as well. I am
>> a Red Hat Engineer on the project and, while it is possible to integrate
>> all of the RHEL clients directly to AD, I have a nagging feeling that using
>> IdM as an intermediary would be a good approach. However, I have never
>> implemented it and experienced the solidity of integration with AD so I
>> can't formulate a solid argument at this point.
>>
>> My primary belief is that using IdM would allow for the Unix administrators
>> better control over their environment.
> 
> Yes, it would allow you easy control/integration for Linux based services, 
> like
> SUDO, automount and others. It may also save some costs, as if you join the
> hosts directly to AD, you may need to pay the CLAs.

BTW, Dmitri Pal also published a set of great blogs about IdM that can help you
too:

http://rhelblog.redhat.com/2015/05/27/direct-or-indirect-that-is-the-question/

... aaand a related presentation:
https://drive.google.com/file/d/0B3tfpNCVjJdCU1d3c0gzTE9pU2c/view?usp=sharing

> 
>> However, even in that case we also
>> have Satellite so we likely wouldn't use IdM for policy centralization.
> 
> What policy do you have in mind right now, authorization?
> 
>> I'm
>> curious whether it is possible to store all user, group and system objects
>> in Active Directory and then allow the configuration of host based access
>> control policies from IdM using those AD objects.
> 
> Yes, this should work with IdM external groups used in HBAC:
> https://www.youtube.com/watch?v=sQnNFJOzwa8
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html#about-hbac
> 
>> That might be one
>> argument for it. As an add-on to that question how is the HBAC actually
>> implemented in IdM? It doesn't simply push down a policy for pam_access
>> does it?
> 
> HBAC is evaluated on the client (SSSD), i.e. that makes SSSD a requirement to
> use HBAC.
> 
>>
>> Also, if users were configured with Smart Card information in AD could
>> these users authenticate to Linux clients with IdM as an intermediary?
> 
> This *may* work with the current Smart Card implementation in SSSD 1.13. It
> should just work with IdM users and registered SC certificates out of the box,
> for AD, some additional configuration will be required, Sumit will know more.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to