We were doing this by utilising overrides (changing user names, /home/ s, etc), 
but I think we had to back out of that plan because we encountered issues. We 
may go back.

Using Host Based Access Control (HBAC) and sudo is a powerful set of tools. 
What did you want to do that wasn’t covered by those three?


L.


From: Redmond, Stacy [mailto:stacy.redm...@blueshieldca.com]
Sent: Wednesday, 25 May 2016 9:15 AM
To: Simpson Lachlan
Subject: RE: AD replication and password passthrough

I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA 
installation (ipa.foo.com) but in all the documentation it says I have to 
install passsync on AD to synchronize passwords, I would rather just tell ipa 
to authorize the user via password from AD.

I have a one way trust setup now, just would rather have everything in IPA, but 
use AD passwords due to new requirements.

From: Simpson Lachlan [mailto:lachlan.simp...@petermac.org]
Sent: Tuesday, May 24, 2016 4:09 PM
To: Redmond, Stacy 
<stacy.redm...@blueshieldca.com<mailto:stacy.redm...@blueshieldca.com>>
Subject: RE: AD replication and password passthrough

** BSCA security warning: Do not click links or trust the content unless you 
expected this email and trust the sender – This email originated outside of 
Blue Shield. **
It depends on what you mean.

If, by replication, you mean using FreeIPA as a backup AD server, it would need 
to be a two way trust.

If you have a separate subdomain, it’s definitely possible with a one way trust.

Cheers
L.

From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Redmond, Stacy
Sent: Tuesday, 24 May 2016 3:15 AM
To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: [Freeipa-users] AD replication and password passthrough

Is there a way to setup replication from AD, and just use passthrough to AD for 
passwords, vs having to synchronize passwords.  I am getting a lot of pushback 
from the AD team on installing the password sync software due to issues in the 
past.  I would like to setup replication, but still use AD to authenticate 
passwords.
This email (including any attachments or links) may contain confidential and/or 
legally privileged information and is intended only to be read or used by the 
addressee. If you are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly prohibited. Confidentiality and 
legal privilege attached to this email (including any attachments) are not 
waived or lost by reason of its mistaken delivery to you. If you have received 
this email in error, please delete it and notify us immediately by telephone or 
email. Peter MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been intercepted or altered 
and will not be liable for any delay in its receipt.
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to