We were doing this by utilising overrides (changing user names, /home/ s, etc),
but I think we had to back out of that plan because we encountered issues. We
may go back.
Using Host Based Access Control (HBAC) and sudo is a powerful set of tools.
What did you want to do that wasn’t covered by those three?
L.
From: Redmond, Stacy [mailto:stacy.redm...@blueshieldca.com]
Sent: Wednesday, 25 May 2016 9:15 AM
To: Simpson Lachlan
Subject: RE: AD replication and password passthrough
I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA
installation (ipa.foo.com) but in all the documentation it says I have to
install passsync on AD to synchronize passwords. I would rather just tell IPA
to authorize the user via password from AD.
I have a one-way trust set up now, just would rather have everything in IPA, but
use AD passwords due to new requirements.
From: Simpson Lachlan [mailto:lachlan.simp...@petermac.org]
Sent: Tuesday, May 24, 2016 4:09 PM
To: Redmond, Stacy <stacy.redm...@blueshieldca.com>
Subject: RE: AD replication and password passthrough
It depends on what you mean.
If, by replication, you mean using FreeIPA as a backup AD server, it would need
to be a two way trust.
If you have a separate subdomain, it’s definitely possible with a one way trust.
Cheers
L.
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com]
On Behalf Of Redmond, Stacy
Sent: Tuesday, 24 May 2016 3:15 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AD replication and password passthrough
Is there a way to set up replication from AD, and just use passthrough to AD for
passwords, vs having to synchronize passwords? I am getting a lot of pushback
from the AD team on installing the password sync software due to issues in the
past. I would like to set up replication, but still use AD to authenticate
passwords.
This email (including any attachments or links) may contain confidential and/or
legally privileged information and is intended only to be read or used by the
addressee. If you are not the intended addressee, any use, distribution,
disclosure or copying of this email is strictly prohibited. Confidentiality and
legal privilege attached to this email (including any attachments) are not
waived or lost by reason of its mistaken delivery to you. If you have received
this email in error, please delete it and notify us immediately by telephone or
email. Peter MacCallum Cancer Centre provides no guarantee that this
transmission is free of virus or that it has not been intercepted or altered
and will not be liable for any delay in its receipt.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project