Hi everyone,

Requesting answers to some queries regarding FreeIPA deployment.

Here is a short description of the deployment scenario. User/group identities are present in multiple identity/authentication sources, such as Windows AD and LDAP/Kerberos. The identity source servers (such as a Windows AD Domain Controller) could be in multiple data centers across WAN/internet. The goal is to make a set of Linux (client) hosts access and authenticate such identities. The Linux client hosts could be in a separate data center from one or more such identity sources.

Will an SSSD/FreeIPA based deployment work here?

- Set up a FreeIPA server (and possibly replicas) in the Linux hosts' data center, and set up the Linux hosts to use SSSD and be enrolled in the FreeIPA realm.

- Set up cross-forest trusts between FreeIPA and (one or more) Windows AD forests.

- If the FreeIPA server and the Windows AD domain controllers have their system clocks synchronized (NTP or otherwise), would it work even though, for some reason, the local time zones on the servers have been configured differently? For instance, the local time zone on the FreeIPA server is America/New_York and that on the Windows AD DC is Europe/London, but their system clocks are set to UTC. I understand it's better to have servers always set their clock to UTC, but still, just to be sure, hence asking. Plus, this FreeIPA webpage says time zone settings on FreeIPA and Windows AD must be the same: https://www.freeipa.org/page/Active_Directory_trust_setup#Date.2Ftime_settings

  > Date/time settings
  >
  > Make sure both timezone settings and date/time settings on both servers match.

  And yes, the system clock on the Linux client hosts running SSSD will also be the same as on the FreeIPA server.

- SSSD on FreeIPA-enrolled Linux hosts can identify/authenticate identities from Windows AD through the FreeIPA trust. But what about identities in other stores, like simple LDAP, or another Kerberos realm? Can FreeIPA act as a "single channel" to all Linux SSSD client hosts for such identities, or does SSSD on the individual Linux hosts have to directly interact with the non-Windows AD identity sources? I read some information that the FreeIPA server itself can have "trust" with Windows AD realms only as of now, hence asking...

- Regarding connectivity between the FreeIPA server (and/or the SSSD Linux client hosts) and the identity source servers (Windows AD DC, etc.), it will be through something like VPN over WAN/internet. Will that be advisable?

Thanks & Regards,
Sambit
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
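On the time-zone question in the post above: the Kerberos protocol carries no time zone. RFC 4120 encodes every KerberosTime (authenticator and ticket timestamps) as GeneralizedTime in UTC, written with a trailing "Z", and a KDC only compares that UTC value against its own UTC clock, rejecting the request when the difference exceeds the allowed skew (5 minutes by default both for MIT krb5's clockskew and for the AD "Maximum tolerance for computer clock synchronization" policy). The following Python is an added illustration, not code from the post, from FreeIPA or from SSSD: it encodes one instant as seen by a host set to America/New_York and a host set to Europe/London, checks the result against the default skew, and then shows the one way a zone setting does turn into a failure, namely when a host's local wall-clock reading is taken as UTC. The date, the host roles and the fixed UTC offsets (EDT is UTC-4 and London is still on GMT on that date) are constructed for the example so it does not depend on the system tzdata.

```python
from datetime import datetime, timedelta, timezone

# Default maximum clock skew: MIT krb5 'clockskew' and the AD Kerberos policy
# "Maximum tolerance for computer clock synchronization" both default to 5 minutes.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def kerberos_time(dt: datetime) -> str:
    """Encode an aware datetime as RFC 4120 KerberosTime: GeneralizedTime in UTC,
    'YYYYMMDDhhmmssZ'. The host's zone is used only to convert to UTC and is not
    carried in the result."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("naive datetime: cannot convert to UTC without knowing its zone")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_kerberos_time(s: str) -> datetime:
    """Decode a KerberosTime string back to an aware UTC datetime."""
    if len(s) != 15 or not s.endswith("Z"):
        raise ValueError(f"not a KerberosTime: {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def skew_seconds(a: str, b: str) -> int:
    """Absolute difference, in seconds, between two KerberosTime values."""
    return int(abs((parse_kerberos_time(a) - parse_kerberos_time(b)).total_seconds()))


def within_skew(client_ts: str, kdc_ts: str, max_skew: timedelta = MAX_CLOCK_SKEW) -> bool:
    """The KDC-side check: accept only if the client's timestamp is within max_skew
    of the KDC's own UTC clock."""
    return timedelta(seconds=skew_seconds(client_ts, kdc_ts)) <= max_skew


# Constructed scenario (not from the post): one instant, 2024-03-15 14:30:00 UTC.
# On that date America/New_York is on EDT (UTC-4) and Europe/London is on GMT (UTC+0).
# Fixed offsets are used deliberately so the example runs without tzdata.
INSTANT_UTC = datetime(2024, 3, 15, 14, 30, 0, tzinfo=timezone.utc)
NEW_YORK = timezone(timedelta(hours=-4), "EDT")  # assumed FreeIPA server zone
LONDON = timezone(timedelta(hours=0), "GMT")     # assumed AD DC zone


def synchronized_clocks_different_zones() -> tuple[str, str]:
    """FreeIPA server in New York and AD DC in London, both with a correct UTC clock:
    the wall clocks read 10:30 and 14:30, but both encode the identical KerberosTime."""
    ipa_wall = INSTANT_UTC.astimezone(NEW_YORK)
    dc_wall = INSTANT_UTC.astimezone(LONDON)
    return kerberos_time(ipa_wall), kerberos_time(dc_wall)


def wall_clock_mistaken_for_utc() -> str:
    """Failure mode: the New York host's local wall-clock reading (10:30) is taken as
    if it were UTC, e.g. a hardware clock kept in local time but read as UTC. The
    zone difference now becomes real clock skew on the wire."""
    ipa_wall = INSTANT_UTC.astimezone(NEW_YORK)
    mislabelled = ipa_wall.replace(tzinfo=timezone.utc)
    return kerberos_time(mislabelled)


if __name__ == "__main__":
    ipa_ts, dc_ts = synchronized_clocks_different_zones()
    print("FreeIPA (New York) sends:", ipa_ts)
    print("AD DC (London) expects:  ", dc_ts)
    print("skew:", skew_seconds(ipa_ts, dc_ts), "s -> accepted:", within_skew(ipa_ts, dc_ts))

    bad_ts = wall_clock_mistaken_for_utc()
    print("wall clock read as UTC:  ", bad_ts)
    print("skew:", skew_seconds(bad_ts, dc_ts), "s -> accepted:", within_skew(bad_ts, dc_ts))
```

The practical check this corresponds to is comparing the UTC reading on each host rather than the local one: `date -u` on the FreeIPA server and clients (and `chronyc tracking` for the NTP offset) against the DC's UTC time. If those agree to within a few seconds, the configured zones can differ without affecting the trust; if they disagree by a whole number of hours, one side is feeding a local wall-clock reading into its UTC clock, which is the case the second function reproduces.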