On Thu, 26 May 2016, John Meyers wrote:
> I use both trust AND synchronization. Our IPA is authoritative. We add
> the "ntUser" objectclass and related attributes and 389ds automatically
> creates a corresponding AD account and password changes are likewise
> propagated. This is necessary since FreeIPA can not act as a Global
> Catalog. It works fantastically.
Interesting use of winsync. :)
> On the AD side, we use the "altSecurityIdentities" attribute to tell AD
> that u...@ipa.domain.com is the same person as u...@ad.domain.com. I
> guess there isn't a similar mapping on the IPA side such that when I
> authenticate from u...@ad.actifio.com IPA would recognize it as an
> alias of a local domain user?
We have some code in 4.4 that will support aliases for Kerberos
principals more clearly.
> I did try your suggestion. Removing KrbLocalUserMapping does indeed
> clear up the aname_to_localname() issue, however, now REMOTE_USER gets
> the fully qualified realm string for all users, including the native IPA
> domain users, and the downstream applications that consume it break as
> they just expect a username.
Well, what about using mod_rewrite to reassemble REMOTE_USER? If
REMOTE_USER is set by mod_auth_kerb, use mod_rewrite's RewriteRule
[E=NEW_REMOTE_USER:%1] and a RewriteCond before it to drop the suffix.
This implies you have the ability to redefine the variable looked up by the
applications from REMOTE_USER to NEW_REMOTE_USER.
/ Alexander Bokovoy
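The mod_rewrite approach Alexander sketches, written out as an added example (not configuration from the thread or from the FreeIPA project). It goes one step further than the reply: only principals from the native IPA realm lose their suffix, so a trusted-domain user with the same short name cannot be mistaken for a local one; the realm IPA.EXAMPLE.COM, the /app location and the keytab path are placeholders.

```apache
# Added example: expose the bare username in NEW_REMOTE_USER while
# REMOTE_USER keeps the full principal from mod_auth_kerb.
# IPA.EXAMPLE.COM, /app and the keytab path are placeholders.
<Location /app>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms IPA.EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    # Off, as in the thread: REMOTE_USER stays user@REALM and
    # aname_to_localname() is never consulted.
    KrbLocalUserMapping Off
    Require valid-user

    # mod_rewrite must run in directory/Location context here: in
    # server context it runs before authentication and REMOTE_USER
    # is still empty.
    RewriteEngine On

    # Native IPA users: capture the part before '@' as %1 and drop the
    # realm. Anchoring the realm means an AD principal like
    # bob@AD.EXAMPLE.COM is never collapsed to the IPA user "bob".
    RewriteCond %{REMOTE_USER} ^([^@]+)@IPA\.EXAMPLE\.COM$ [NC]
    RewriteRule ^ - [E=NEW_REMOTE_USER:%1]

    # Everyone else (trusted AD realms): pass the full principal through
    # unchanged so it stays distinguishable from local accounts.
    RewriteCond %{ENV:NEW_REMOTE_USER} ^$
    RewriteCond %{REMOTE_USER} ^(.+)$
    RewriteRule ^ - [E=NEW_REMOTE_USER:%1]

    # For an application reached via mod_proxy, hand the value over in a
    # header instead of an environment variable (mod_headers).
    RequestHeader set X-Remote-User "%{NEW_REMOTE_USER}e" env=NEW_REMOTE_USER
</Location>
```

Applications running in-process (CGI, mod_wsgi, mod_php) read NEW_REMOTE_USER from their environment; proxied applications must be configured to trust X-Remote-User only when it arrives from this proxy.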
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project