We were doing this by utilising overrides (changing user names, /home/ s, etc), but I think we had to back out of that plan because we encountered issues. We may go back.
Using Host Based Access Control (HBAC) and sudo is a powerful set of tools. What did you want to do that wasn’t covered by those three?

L.

From: Redmond, Stacy [mailto:[email protected]]
Sent: Wednesday, 25 May 2016 9:15 AM
To: Simpson Lachlan
Subject: RE: AD replication and password passthrough

I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA installation (ipa.foo.com) but in all the documentation it says I have to install passsync on AD to synchronize passwords, I would rather just tell ipa to authorize the user via password from AD. I have a one way trust set up now, just would rather have everything in IPA, but use AD passwords due to new requirements.

From: Simpson Lachlan [mailto:[email protected]]
Sent: Tuesday, May 24, 2016 4:09 PM
To: Redmond, Stacy <[email protected]>
Subject: RE: AD replication and password passthrough

It depends on what you mean. If, by replication, you mean using FreeIPA as a backup AD server, it would need to be a two way trust. If you have a separate subdomain, it’s definitely possible with a one way trust.

Cheers
L.

From: [email protected] [mailto:[email protected]] On Behalf Of Redmond, Stacy
Sent: Tuesday, 24 May 2016 3:15 AM
To: [email protected]
Subject: [Freeipa-users] AD replication and password passthrough

Is there a way to set up replication from AD, and just use passthrough to AD for passwords, vs having to synchronize passwords? I am getting a lot of pushback from the AD team on installing the password sync software due to issues in the past. I would like to set up replication, but still use AD to authenticate passwords.
This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
