Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-06 Thread David LeVene
Thanks for the information Petr - As you have recommended, another AD server or 
Samba 4 is the best solution.

Cheers
David

-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Friday, May 06, 2016 17:27
To: David LeVene <david.lev...@blackboard.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 6.5.2016 02:03, David LeVene wrote:
> Hi Petr,
>
> Thanks for the response.
>
> I didn't know about Samba 4, so that's worth some further investigation on my 
> part - Thanks.
>
> So from what you've said below it can't run as a standalone, but SSSD does 
> allow caching (if a user has authenticated previously)... does IPA have the 
> ability to cache credentials for ~1 hour, so if there is a short loss of 
> network connectivity users still get the OK from the cache?

SSSD's cache will help you only for local authentication on clients (using 
password). It will not help for LDAP BIND or Kerberos authentication.

> I'm still having a look at SyncRepl from slapd for replication, but not sure 
> how this will work in the event that the Provider is uncontactable - as long 
> as it caches credentials/details for ~ 1 hour that's acceptable.

AFAIK SyncRepl is not supported on AD side.


Sorry, but if you are so reliant on AD technology then you probably need to 
either pay for a new AD server or use Samba 4.

Petr^2 Spacek

>
> Regards
> David
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Thursday, May 05, 2016 18:17
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?
>
> On 5.5.2016 06:28, David LeVene wrote:
>> Hey All,
>>
>> I'm looking for a bit of direction around the best way to
>> configure/setup an on-site cache &/or replica from an AD Server which
>> will be uni-directional (AD -> IPA/slapd)
>>
>> The masters are multiple AD Servers located around the place, and we exist in 
>> a place which is outside of the core network and that network link is a 
>> single point of failure.
>>
>> What I want to achieve is in the event we lose connectivity with the world 
>> users can still authenticate, but if someone is disabled/updated at the top 
>> level it replicates down. I've got a test AD Server & have been reviewing 
>> IPA, but have hit an issue in that I can't get software installed on the AD 
>> Masters for the 389 dir sync software.
>>
>> Currently I've configured a synchronization based solution with one way 
>> replication from the AD Masters -> IPA. This works fine and I can see all 
>> the users being created in IPA - but as the passwords can't be synced 
>> without installing software I can't use this method.
>
> All methods which can work completely off-line will require access to keys on 
> AD server. This means either some additional software on AD side OR having 
> proper AD server which is hosted locally. This could theoretically be Samba 4 
> AD server if you want to try that.
>
> If your clients are sufficiently new you can try to use SSSD everywhere but 
> it comes with its own limitations, e.g. users who never logged in before will not 
> be able to login when the network link is down.
>
> I hope this helps.
>
> Petr^2 Spacek
>
>
>> Another nice thing would be to have a separate domain/tree available so we 
>> can split up the staff that are from the master servers and some client 
>> related user/passes that won't be in the Global Directory - but managed from 
>> the same place.
>>
>> Are there any other setups that will achieve what I require? Have seen 
>> slapd with proxy cache but I'm not sure on these options either and 
>> configuring slapd with all the ldif files manually seems a little daunting 
>> at first sight.
>>
>> Thanks in advance,
>> David
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>


--
Petr^2 Spacek
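As an added illustration, not part of this thread and not a configuration either poster shared, this is the kind of SSSD client configuration Petr's answer refers to. The domain name example.com and the server name ad1.example.com are constructed placeholders; the option names and sections are SSSD's own. The comments mark the limits Petr describes: the cache only serves password logins for users who already authenticated while online, it does nothing for LDAP BIND or Kerberos from other services, and offline_credentials_expiration is counted in days rather than hours.

```ini
# /etc/sssd/sssd.conf (added example; example.com and ad1.example.com are
# constructed placeholders, not values taken from the thread)
[sssd]
services = nss, pam
domains = example.com

[pam]
# How long cached passwords remain usable offline, in DAYS (0 = never expire).
# SSSD does not express this in hours, so the ~1 hour window asked about in
# the thread is not something this setting can provide.
offline_credentials_expiration = 1
# Limit guessing against the cached password hash while offline:
# lock after 3 failed attempts, for 5 minutes.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
ad_server = ad1.example.com
# Store a hash of the password of users who authenticated while AD was
# reachable, so those same users can log in locally when the link is down.
# Users who never logged in while online have nothing cached and are refused.
# This covers PAM password logins on this client only; LDAP BIND or Kerberos
# requests from other services still need the AD server itself.
cache_credentials = True
# Identity data (users, groups, membership) is served from the cache for this
# many seconds before a refresh is attempted (SSSD default is 5400).
entry_cache_timeout = 5400
```

The file must be readable only by root (mode 0600), otherwise sssd refuses to start; after editing it, restart the sssd service and log in once while the AD server is reachable so that the credential cache is populated before testing with the link down.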

Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-05 Thread David LeVene
Hi Petr,

Thanks for the response.

I didn't know about Samba 4, so that's worth some further investigation on my 
part - Thanks.

So from what you've said below it can't run as a standalone, but SSSD does 
allow caching (if a user has authenticated previously)... does IPA have the ability 
to cache credentials for ~1 hour, so if there is a short loss of network 
connectivity users still get the OK from the cache?

I'm still having a look at SyncRepl from slapd for replication, but not sure 
how this will work in the event that the Provider is uncontactable - as long as 
it caches credentials/details for ~ 1 hour that's acceptable.

Regards
David

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Thursday, May 05, 2016 18:17
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to
> configure/setup an on-site cache &/or replica from an AD Server which
> will be uni-directional (AD -> IPA/slapd)
>
> The masters are multiple AD Servers located around the place, and we exist in 
> a place which is outside of the core network and that network link is a 
> single point of failure.
>
> What I want to achieve is in the event we lose connectivity with the world 
> users can still authenticate, but if someone is disabled/updated at the top 
> level it replicates down. I've got a test AD Server & have been reviewing 
> IPA, but have hit an issue in that I can't get software installed on the AD 
> Masters for the 389 dir sync software.
>
> Currently I've configured a synchronization based solution with one way 
> replication from the AD Masters -> IPA. This works fine and I can see all the 
> users being created in IPA - but as the passwords can't be synced without 
> installing software I can't use this method.

All methods which can work completely off-line will require access to keys on 
AD server. This means either some additional software on AD side OR having 
proper AD server which is hosted locally. This could theoretically be Samba 4 
AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere but it 
comes with its own limitations, e.g. users who never logged in before will not be 
able to login when the network link is down.

I hope this helps.

Petr^2 Spacek


> Another nice thing would be to have a separate domain/tree available so we 
> can split up the staff that are from the master servers and some client 
> related user/passes that won't be in the Global Directory - but managed from 
> the same place.
>
> Are there any other setups that will achieve what I require? Have seen slapd 
> with proxy cache but I'm not sure on these options either and configuring 
> slapd with all the ldif files manually seems a little daunting at first sight.
>
> Thanks in advance,
> David

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-04 Thread David LeVene
Hey All,

I'm looking for a bit of direction around the best way to configure/setup an 
on-site cache &/or replica from an AD Server which will be uni-directional (AD 
-> IPA/slapd)

The masters are multiple AD Servers located around the place, and we exist in a 
place which is outside of the core network and that network link is a single 
point of failure.

What I want to achieve is in the event we lose connectivity with the world 
users can still authenticate, but if someone is disabled/updated at the top 
level it replicates down. I've got a test AD Server & have been reviewing IPA, 
but have hit an issue in that I can't get software installed on the AD Masters 
for the 389 dir sync software.

Currently I've configured a synchronization based solution with one way 
replication from the AD Masters -> IPA. This works fine and I can see all the 
users being created in IPA - but as the passwords can't be synced without 
installing software I can't use this method.

Another nice thing would be to have a separate domain/tree available so we can 
split up the staff that are from the master servers and some client related 
user/passes that won't be in the Global Directory - but managed from the same 
place.

Are there any other setups that will achieve what I require? Have seen slapd 
with proxy cache but I'm not sure on these options either and configuring slapd 
with all the ldif files manually seems a little daunting at first sight.

Thanks in advance,
David
