On Thu, 26 May 2016, John Meyers wrote:
> Alexander,
>
> I use both trust AND synchronization.  Our IPA is authoritative.  We add
> the "ntUser" objectclass and related attributes and 389ds automatically
> creates a corresponding AD account and password changes are likewise
> propagated.  This is necessary since FreeIPA can not act as a Global
> Catalog.  It works fantastically.
Interesting use of winsync. :)

> On the AD side, we use the "altSecurityIdentities" attribute to tell AD
> that u...@ipa.domain.com is the same person as u...@ad.domain.com.  I
> guess there isn't a similar mapping on the IPA side such that when I
> authenticate from u...@ad.actifio.com IPA would recognize it as an
> alias of a local domain user?
We have some code in 4.4 that will support aliases for Kerberos
principals more clearly.

> I did try your suggestion.  Removing KrbLocalUserMapping does indeed
> clear up the aname_to_localname() issue, however, now REMOTE_USER gets
> the fully qualified realm string for all users, including the native IPA
> domain users, and the downstream applications that consume it break as
> they just expect a username.
Well, what about using mod_rewrite to reassemble REMOTE_USER? If
REMOTE_USER is set by mod_auth_kerb, use mod_rewrite's RewriteRule
[E=NEW_REMOTE_USER:%1] and RewriteCond before that to drop the suffix.

This implies you have the ability to redefine the variable looked up by the
applications from REMOTE_USER to NEW_REMOTE_USER.

--
/ Alexander Bokovoy

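The mod_rewrite approach suggested in the reply above, written out as an added httpd configuration example (this is not configuration from the thread or from the FreeIPA project). The realm names IPA.DOMAIN.COM and AD.DOMAIN.COM, the keytab path, the /app location and the X-Remote-User header are assumptions chosen for illustration; the variable name NEW_REMOTE_USER is the one proposed in the reply.

```apache
# Added example: strip the Kerberos realm from REMOTE_USER (as set by
# mod_auth_kerb) into NEW_REMOTE_USER, keeping the realm in a second variable
# so that a downstream application can still tell users of different realms
# apart. Realms, paths and header name are placeholders.
<Location /app>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms IPA.DOMAIN.COM
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # KrbLocalUserMapping is intentionally not enabled, as discussed in the
    # thread, so REMOTE_USER carries the full principal user@REALM.
    Require valid-user

    RewriteEngine On
    # Per-directory rewrite rules run after authentication, so REMOTE_USER is
    # already populated here. Only the realms listed explicitly are stripped;
    # a principal from any other realm keeps NEW_REMOTE_USER unset.
    RewriteCond %{REMOTE_USER} "^([^@]+)@(IPA\.DOMAIN\.COM|AD\.DOMAIN\.COM)$" [NC]
    RewriteRule ^ - [E=NEW_REMOTE_USER:%1,E=NEW_REMOTE_REALM:%2]

    # Optional (mod_headers): if the application sits behind a reverse proxy
    # and reads its user from a request header rather than from the
    # environment, pass both values along.
    RequestHeader set X-Remote-User  "%{NEW_REMOTE_USER}e"
    RequestHeader set X-Remote-Realm "%{NEW_REMOTE_REALM}e"
</Location>
```

Listing the accepted realms in the RewriteCond, rather than matching any `@suffix`, is deliberate: a rule that blindly drops the realm maps `user@IPA.DOMAIN.COM` and `user@AD.DOMAIN.COM` to the same bare username, which is exactly the aliasing question raised earlier in the thread. Keeping NEW_REMOTE_REALM alongside NEW_REMOTE_USER lets the application decide whether two principals with the same short name are the same person. This is an Apache configuration fragment, so there is no test to run against it.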
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project