I've got a potential use case where I want to authenticate users using their AD credentials, store accounts and permissions in FreeIPA but not have a cross forest trust. One way to do this is to have SSSD talk LDAP to a virtual directory which would route the bind to AD but all other operations to the 389 backing IPA. Kerberos wouldn't work, but if you're interested in password or ssh key based auth it should work, right? Then you'd still get the HBAC benefits?
Thanks Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com Twitter - @mlbiam / @tremolosecurity -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project