mmmmh, ok, thank you.

But indeed, I would need HBAC and sudo rules in the future.
So I believe the only exit here is to keep openLDAP and FreeIPA in sync.
Any clue on how to do this efficiently?


Thank you,

Cheers,

m.
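As an added illustration (not from this thread, not the project's own config) of the split Alexander describes, here is an sssd.conf that resolves users from openLDAP and authenticates against the FreeIPA KDC; hostnames, realm, search base, CA path and the allowed group are placeholders:

```ini
# Added example: identity from openLDAP, authentication from the FreeIPA KDC.
# All hostnames, the realm, the search base and the group name are assumptions.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Identity provider: the customer's openLDAP server, over TLS with a pinned CA.
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.crt
ldap_tls_reqcert = demand

# Authentication (and password changes): the FreeIPA KDC.
# The LDAP uid must equal the IPA principal name, otherwise the krb5
# provider asks for a principal that does not exist in the realm.
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true

# With id_provider = ldap the IPA HBAC and sudo rules are not consulted,
# so host access control has to come from another provider; a simple
# group allow list is used here (assumption).
access_provider = simple
simple_allow_groups = hadoop-admins
```

Run `sssctl config-check` after editing to catch typos in option names before restarting sssd.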

On 31-01-17 at 16:23, Alexander Bokovoy wrote:
On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
Hello list,

Here's my situation:
I'm installing Hadoop for a customer, and the Hadoop cluster is secured with Kerberos. I used FreeIPA as a KDC.
The customer uses openLDAP as a directory server.

For now, our solution is to copy the whole openLDAP user base to FreeIPA, and then use FreeIPA for the identification and authorization (all the keytab stuff).
You mean authentication, not authorization here.

But keeping openLDAP and FreeIPA in sync is a nightmare, and I was wondering something: Would it be possible to configure SSSD to simultaneously target the openLDAP server to identify a user, and the FreeIPA server to get the tickets?
Here is the thing: yes, you can do that by configuring explicitly
identity and authentication providers in sssd.conf. Set identity
provider to ldap and authentication provider to krb5, add necessary
configuration parameters and that would work. No HBAC, no SUDO rules,
etc, but that's what you want, it seems.

Look at sssd-ldap and sssd-krb5 manual pages.

When you configure identity provider to IPA or AD in sssd.conf, you are
just setting defaults for all other providers to the defaults of IPA or
AD provider. If you use a different identity provider, you'd need to
define proper authentication.

That way, we can avoid having to keep openLDAP and FreeIPA in sync...

_*OR*_

Is there an efficient way to keep openLDAP and FreeIPA in sync?



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project