Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
(belated response)

On Sun, Sep 14, 2014 at 12:10 AM, Dmitri Pal wrote:
> On 09/13/2014 04:03 PM, Traiano Welcome wrote:
>> Hi List
>>
>> Currently I have a stable trust relationship going between IPA and Windows
>> AD. I create users and manage passwords in AD, but want to manage the rest
>> in IPA, "the rest" being default shell, default home directory settings,
>> RBAC, HBAC, SELinux etc.
>>
>> What I'm expecting is to be able to log into the FreeIPA web interface,
>> and see a synched list of users created in AD appear in the interface,
>> after which I can modify the settings on a per user basis.
>>
>> If that level of granularity is not possible, I would then expect to be
>> able to at least apply an IPA-imposed set of account defaults on an AD
>> user group:
>>
>> - default shell
>> - HBAC rules
>> - Sudo rules
>> - SELinux rules
>> - RBAC
>>
>> Is this possible with FreeIPA? I can't find anything coherent in the
>> documentation that describes an effective way of managing the POSIX
>> attributes of AD users in FreeIPA.
>>
>> Thanks in advance!
>> Traiano
>
> You are to some extent describing a feature that we call "views" that is
> currently in the works.
> But there are two parts:
> a) Ability to overwrite POSIX attributes for AD users - this is views
> https://fedorahosted.org/freeipa/ticket/3318
> https://fedorahosted.org/freeipa/ticket/4509

This is exactly the feature I had in mind!

> b) Ability to apply policies to AD users. It is already possible.
> This is done via group membership.
> So you create a group in IPA, make the AD group an external member of that
> group and then use that IPA group to apply HBAC, SUDO and SELinux rules.

For the interim, this seems to meet the need. Seems to work reliably in tests
as long as one keeps a spreadsheet of AD group mappings to IdM user rights.
Requires some coordination with the local AD administrator :-)

> As for RBAC what do you mean?

By RBAC, I mean to define Linux server user "roles" with a certain profile of
sudo rights, SELinux policies and host access rules which one could apply to
individual users without grouping them. Although, conceptually it appears that
there's little difference in using user groups to represent the same type of
"container" as a role would. However, I suppose the user groups mechanism
essentially achieves the same objective.

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
On 09/14/2014 03:42 AM, Gregor Bregenzer wrote:
> 2014-09-14 1:14 GMT+02:00 Dmitri Pal :
>> On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
>>> Hi!
>>>
>>> There are two ways that you can use to integrate FreeIPA with AD: a.)
>>> trust b.) synchronization. Here are the pros/cons for both of them:
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync
>>>
>>> If you want to manage POSIX attributes for each user you can do that
>>> with either Identity Management for Unix at AD using the trust, or with
>>> the synchronization at FreeIPA. With synchronization you see the users
>>> too in FreeIPA, but still have two users to manage - in FreeIPA and AD.
>>> With the AD trust the sssd daemon running on FreeIPA is proxying all
>>> requests from the client sssd directly to AD
>>
>> This is not exactly true. SSSD understands that IPA and AD are in trust
>> relations. If you use user name and password to login SSSD will turn to
>> AD directly without sending password over the wire. If you SSO into the
>> Linux box the Kerberos library (on your Windows client) will do all the
>> ticket acquisition and redirects.
>>
>> The proxy is already done for older clients that do not understand that
>> IPA is in trust relations with AD.
>> http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf
>
> Sorry, there are two things I did not mention: a.) no SSO, b.) Linux
> client SSSD requesting UID/GID.
>
> a.) If you ssh login from a Windows client that is _not_ joined in AD or
> a standalone Linux box - so no SSO. Because there the destination Linux
> clients with sssd (1.9.2 with AD trust compatibility with ipa provider,
> or 1.11+ with full AD trust capability) still need SSSD on the FreeIPA
> server that will forward the authentication requests to AD.
> In slide 30 of http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf it
> states:
> "SSSD is used behind the scenes on the FreeIPA server to look up users in
> trusted AD domains
> SSSD on FreeIPA clients will forward resolution requests to FreeIPA
> servers through FreeIPA LDAP server plugin"
>
> b.) If you have a client that is authenticating using Kerberos and
> therefore SSO, the destination Linux sssd client still needs the sssd
> client on the FreeIPA server to look up the UID/GID.
>
> So there's the authentication process either with SSO or without SSO, and
> there's the lookup process for the attributes - am I correct?

If the client is new, i.e. 1.9+, it will know how to use trusts and will
support UID/GID coming from AD. These clients should be joined to IPA.
Other older clients need to be handled following the guidelines re legacy
clients. See below.

>>> , so you see no users in FreeIPA, but you have to extend the AD schema
>>> using Identity Management for Unix.
>>
>> You really have two options: let SSSD map users dynamically, in this
>> case you do not need AD schema extensions, or you can extend schema as
>> suggested.
>> The third option that is under development is described in my other
>> reply.
>
> What happens if you have already defined the UID/GID with the schema
> extension on AD and have legacy Linux clients using them, but you still
> want to use the exact UID/GID _and_ make use of all the great features
> offered in FreeIPA such as HBAC, sudorules, etc.? Then only the AD Trust
> with SSSD 1.11+ with full AD trust feature set is working - correct
> (because 1.9.2 with ipa provider cannot get the GID from AD)?

SSSD 1.9 should work ok with IPA in trust relations. Earlier versions or
other clients should be pointed to the IPA compat tree.
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
Then you get exactly what you are looking for.

>>> Also the password policy from the group policy in AD is used when you
>>> use the AD trust, but on clients with sssd you can change the password
>>> using kpasswd from Kerberos. If you want to use a trust with AD and want
>>> to receive the correct GID set in AD then you have to use sssd >1.9.x,
>>> otherwise you get a different GID (see
>>> https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)
>>>
>>> All other stuff such as HBAC etc. can be centrally managed on FreeIPA,
>>> no matter if you use a trust or synchronization.
>>>
>>> Gregor
>>>
>>> 2014-09-13 22:03 GMT+02:00 Traiano Welcome :
>>>> Hi List
>>>>
>>>> Currently I have a stable trust relationship going between IPA and
>>>> Windows AD. I create users and manage passwords in AD, but want to
>>>> manage the rest in IPA, "the rest" being default shell, default home
>>>> directory settings, RBAC, HBAC, SELinux etc.
>>>>
>>>> What I'm expecting is to be able to log into the FreeIPA web
>>>> interface, and see a synched list of users created in AD appear in the
>>>> interface, after which I can modify the settings on a per user basis.
>>>>
>>>> If that level of granularity is not possible, I would then expect to
>>>> be able to at least apply an IPA-imposed set of account defaults on an
>>>> AD user group:
>>>>
>>>> - default shell
>>>> - HBAC rules
>>>> - Sudo rules
>>>> - SELinux rules
>>>> - RBAC
>>>>
>>>> Is this possible with FreeIPA? I can't find anything coherent in the
>>>> documentation that describes an effective way of managing the POSIX
>>>> attributes of AD users in FreeIPA.
>>>>
>>>> Thanks in advance!
>>>> T
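Dmitri's pointer above (clients too old to understand the trust are pointed at the IPA compat tree instead) in concrete form, as an added example that is not part of this thread or of the FreeIPA project: a POSIX sh script that renders the sssd.conf a pre-1.9 client needs and the ldapsearch that checks the compat tree actually serves a trusted AD user. Everything named here is an assumption for illustration: IPA server ipa.example.com, DNS domain example.com (so the suffix is dc=example,dc=com), CA certificate at /etc/ipa/ca.crt, test user jdoe@ad.example.com. The compat tree layout (cn=users and cn=groups under cn=compat,<suffix>) is the one FreeIPA's slapi-nis compat plugin publishes; on a 3.3+ server the ipa-advise tool prints vetted configurations for the various legacy client types, so treat this script as a readable summary of what those settings are rather than as a replacement for it.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): the sssd.conf a
# legacy (pre-1.9) client needs to resolve trusted AD users through the IPA
# compat tree, plus the ldapsearch that checks the tree serves them.
# Assumptions for illustration: IPA server ipa.example.com, DNS domain
# example.com, CA certificate at /etc/ipa/ca.crt. The compat tree layout
# (cn=users / cn=groups under cn=compat,<suffix>) is what FreeIPA's slapi-nis
# compat plugin publishes.

# suffix_of DOMAIN: example.com -> dc=example,dc=com
suffix_of() {
    printf '%s\n' "$1" | sed 's/^/dc=/; s/\./,dc=/g'
}

# legacy_sssd_conf SERVER DOMAIN: print a minimal sssd.conf using the plain
# LDAP provider against the compat tree (no trust awareness required).
legacy_sssd_conf() {
    suffix=$(suffix_of "$2")
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = legacy

[domain/legacy]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://$1
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_schema = rfc2307
ldap_search_base = cn=compat,$suffix
ldap_user_search_base = cn=users,cn=compat,$suffix
ldap_group_search_base = cn=groups,cn=compat,$suffix
cache_credentials = true
EOF
}

# compat_lookup SERVER DOMAIN USER: the anonymous search a legacy client
# performs; uidNumber/gidNumber in the answer prove the AD user is served.
compat_lookup() {
    suffix=$(suffix_of "$2")
    printf 'ldapsearch -x -H ldaps://%s -b cn=users,cn=compat,%s "(uid=%s)" uidNumber gidNumber\n' \
        "$1" "$suffix" "$3"
}

# Invoke as "sh legacy-compat.sh render" to print the config and the check.
if [ "${1:-}" = render ]; then
    legacy_sssd_conf ipa.example.com example.com
    compat_lookup ipa.example.com example.com jdoe@ad.example.com
fi
```

The check matters because the compat tree only contains trusted users that SSSD on the IPA server can resolve; if the ldapsearch comes back empty, fix the server-side trust lookup before touching the client. Pinning ldap_tls_cacert to the IPA CA keeps the legacy client from accepting an arbitrary certificate on the LDAPS port, which is the one place this configuration sends a user's password.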
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
Overwriting certain attributes may be more directly addressed by:
https://fedorahosted.org/freeipa/ticket/3979

> You are to some extent describing a feature that we call "views" that is
> currently in the works.
> But there are two parts:
> a) Ability to overwrite POSIX attributes for AD users - this is views
> https://fedorahosted.org/freeipa/ticket/3318
> https://fedorahosted.org/freeipa/ticket/4509
> b) Ability to apply policies to AD users. It is already possible.
> This is done via group membership.
> So you create a group in IPA, make the AD group an external member of that
> group and then use that IPA group to apply HBAC, SUDO and SELinux rules.
>
> As for RBAC what do you mean?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

This electronic message contains information generated by the USDA solely for
the intended recipients. Any unauthorized interception of this message or the
use or disclosure of the information it contains may violate the law and
subject the violator to civil or criminal penalties. If you believe you have
received this message in error, please notify the sender and delete the email
immediately.
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
2014-09-14 1:14 GMT+02:00 Dmitri Pal :
> On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
>>
>> Hi!
>>
>> There are two ways that you can use to integrate FreeIPA with AD: a.)
>> trust b.) synchronization. Here are the pros/cons for both of them:
>> http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync
>>
>> If you want to manage POSIX attributes for each user you can do that with
>> either Identity Management for Unix at AD using the trust, or with the
>> synchronization at FreeIPA. With synchronization you see the users too
>> in FreeIPA, but still have two users to manage - in FreeIPA and AD.
>> With the AD trust the sssd daemon running on FreeIPA is proxying all
>> requests from the client sssd directly to AD
>
> This is not exactly true. SSSD understands that IPA and AD are in trust
> relations. If you use user name and password to login SSSD will turn to AD
> directly without sending password over the wire. If you SSO into the Linux
> box the Kerberos library (on your Windows client) will do all the ticket
> acquisition and redirects.
>
> The proxy is already done for older clients that do not understand that
> IPA is in trust relations with AD.
> http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf
>

Sorry, there are two things I did not mention: a.) no SSO, b.) Linux client
SSSD requesting UID/GID.

a.) If you ssh login from a Windows client that is _not_ joined in AD or a
standalone Linux box - so no SSO. Because there the destination Linux clients
with sssd (1.9.2 with AD trust compatibility with ipa provider, or 1.11+ with
full AD trust capability) still need SSSD on the FreeIPA server that will
forward the authentication requests to AD.
In slide 30 of http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf it
states:
"SSSD is used behind the scenes on the FreeIPA server to look up users in
trusted AD domains
SSSD on FreeIPA clients will forward resolution requests to FreeIPA servers
through FreeIPA LDAP server plugin"

b.) If you have a client that is authenticating using Kerberos and therefore
SSO, the destination Linux sssd client still needs the sssd client on the
FreeIPA server to look up the UID/GID.

So there's the authentication process either with SSO or without SSO, and
there's the lookup process for the attributes - am I correct?

>> , so you see no users in
>> FreeIPA, but you have to extend the AD schema using Identity
>> Management for Unix.
>
>
> You really have two options: let SSSD map users dynamically, in this case
> you do not need AD schema extensions, or you can extend schema as suggested.
> The third option that is under development is described in my other reply.

What happens if you have already defined the UID/GID with the schema
extension on AD and have legacy Linux clients using them, but you still want
to use the exact UID/GID _and_ make use of all the great features offered in
FreeIPA such as HBAC, sudorules, etc.? Then only the AD Trust with SSSD 1.11+
with full AD trust feature set is working - correct (because 1.9.2 with ipa
provider cannot get the GID from AD)?

>> Also the password policy from the group policy in
>> AD is used when you use the AD trust, but on clients with sssd you can
>> change the password using kpasswd from Kerberos. If you want to use a
>> trust with AD and want to receive the correct GID set in AD then you
>> have to use sssd >1.9.x, otherwise you get a different GID (see
>>
>> https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)
>>
>> All other stuff such as HBAC etc. can be centrally managed on FreeIPA,
>> no matter if you use a trust or synchronization.
>>
>> Gregor
>>
>> 2014-09-13 22:03 GMT+02:00 Traiano Welcome :
>>>
>>> Hi List
>>>
>>> Currently I have a stable trust relationship going between IPA and
>>> Windows AD. I create users and manage passwords in AD, but want to
>>> manage the rest in IPA, "the rest" being default shell, default home
>>> directory settings, RBAC, HBAC, SELinux etc.
>>>
>>> What I'm expecting is to be able to log into the FreeIPA web interface,
>>> and see a synched list of users created in AD appear in the interface,
>>> after which I can modify the settings on a per user basis.
>>>
>>> If that level of granularity is not possible, I would then expect to be
>>> able to at least apply an IPA-imposed set of account defaults on an AD
>>> user group:
>>>
>>> - default shell
>>> - HBAC rules
>>> - Sudo rules
>>> - SELinux rules
>>> - RBAC
>>>
>>> Is this possible with FreeIPA? I can't find anything coherent in the
>>> documentation that describes an effective way of managing the POSIX
>>> attributes of AD users in FreeIPA.
>>>
>>> Thanks in advance!
>>> Traiano
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
> Hi!
>
> There are two ways that you can use to integrate FreeIPA with AD: a.)
> trust b.) synchronization. Here are the pros/cons for both of them:
> http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync
>
> If you want to manage POSIX attributes for each user you can do that with
> either Identity Management for Unix at AD using the trust, or with the
> synchronization at FreeIPA. With synchronization you see the users too in
> FreeIPA, but still have two users to manage - in FreeIPA and AD. With the
> AD trust the sssd daemon running on FreeIPA is proxying all requests from
> the client sssd directly to AD

This is not exactly true. SSSD understands that IPA and AD are in trust
relations. If you use user name and password to login SSSD will turn to AD
directly without sending password over the wire. If you SSO into the Linux
box the Kerberos library (on your Windows client) will do all the ticket
acquisition and redirects.

The proxy is already done for older clients that do not understand that IPA
is in trust relations with AD.
http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf

> , so you see no users in FreeIPA, but you have to extend the AD schema
> using Identity Management for Unix.

You really have two options: let SSSD map users dynamically, in this case you
do not need AD schema extensions, or you can extend schema as suggested.
The third option that is under development is described in my other reply.

> Also the password policy from the group policy in AD is used when you use
> the AD trust, but on clients with sssd you can change the password using
> kpasswd from Kerberos. If you want to use a trust with AD and want to
> receive the correct GID set in AD then you have to use sssd >1.9.x,
> otherwise you get a different GID (see
> https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)
>
> All other stuff such as HBAC etc. can be centrally managed on FreeIPA, no
> matter if you use a trust or synchronization.
>
> Gregor
>
> 2014-09-13 22:03 GMT+02:00 Traiano Welcome :
>> Hi List
>>
>> Currently I have a stable trust relationship going between IPA and
>> Windows AD. I create users and manage passwords in AD, but want to
>> manage the rest in IPA, "the rest" being default shell, default home
>> directory settings, RBAC, HBAC, SELinux etc.
>>
>> What I'm expecting is to be able to log into the FreeIPA web interface,
>> and see a synched list of users created in AD appear in the interface,
>> after which I can modify the settings on a per user basis.
>>
>> If that level of granularity is not possible, I would then expect to be
>> able to at least apply an IPA-imposed set of account defaults on an AD
>> user group:
>>
>> - default shell
>> - HBAC rules
>> - Sudo rules
>> - SELinux rules
>> - RBAC
>>
>> Is this possible with FreeIPA? I can't find anything coherent in the
>> documentation that describes an effective way of managing the POSIX
>> attributes of AD users in FreeIPA.
>>
>> Thanks in advance!
>> Traiano

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
Hi!

There are two ways that you can use to integrate FreeIPA with AD: a.) trust
b.) synchronization. Here are the pros/cons for both of them:
http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync

If you want to manage POSIX attributes for each user you can do that with
either Identity Management for Unix at AD using the trust, or with the
synchronization at FreeIPA. With synchronization you see the users too in
FreeIPA, but still have two users to manage - in FreeIPA and AD. With the AD
trust the sssd daemon running on FreeIPA is proxying all requests from the
client sssd directly to AD, so you see no users in FreeIPA, but you have to
extend the AD schema using Identity Management for Unix. Also the password
policy from the group policy in AD is used when you use the AD trust, but on
clients with sssd you can change the password using kpasswd from Kerberos. If
you want to use a trust with AD and want to receive the correct GID set in AD
then you have to use sssd >1.9.x, otherwise you get a different GID (see
https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)

All other stuff such as HBAC etc. can be centrally managed on FreeIPA, no
matter if you use a trust or synchronization.

Gregor

2014-09-13 22:03 GMT+02:00 Traiano Welcome :
> Hi List
>
> Currently I have a stable trust relationship going between IPA and Windows
> AD. I create users and manage passwords in AD, but want to manage the rest
> in IPA, "the rest" being default shell, default home directory settings,
> RBAC, HBAC, SELinux etc.
>
> What I'm expecting is to be able to log into the FreeIPA web interface, and
> see a synched list of users created in AD appear in the interface, after
> which I can modify the settings on a per user basis.
>
> If that level of granularity is not possible, I would then expect to be able
> to at least apply an IPA-imposed set of account defaults on an AD user
> group:
>
> - default shell
> - HBAC rules
> - Sudo rules
> - SELinux rules
> - RBAC
>
> Is this possible with FreeIPA? I can't find anything coherent in the
> documentation that describes an effective way of managing the POSIX
> attributes of AD users in FreeIPA.
>
> Thanks in advance!
> Traiano
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA
On 09/13/2014 04:03 PM, Traiano Welcome wrote:
> Hi List
>
> Currently I have a stable trust relationship going between IPA and Windows
> AD. I create users and manage passwords in AD, but want to manage the rest
> in IPA, "the rest" being default shell, default home directory settings,
> RBAC, HBAC, SELinux etc.
>
> What I'm expecting is to be able to log into the FreeIPA web interface, and
> see a synched list of users created in AD appear in the interface, after
> which I can modify the settings on a per user basis.
>
> If that level of granularity is not possible, I would then expect to be able
> to at least apply an IPA-imposed set of account defaults on an AD user
> group:
>
> - default shell
> - HBAC rules
> - Sudo rules
> - SELinux rules
> - RBAC
>
> Is this possible with FreeIPA? I can't find anything coherent in the
> documentation that describes an effective way of managing the POSIX
> attributes of AD users in FreeIPA.
>
> Thanks in advance!
> Traiano

You are to some extent describing a feature that we call "views" that is
currently in the works.
But there are two parts:
a) Ability to overwrite POSIX attributes for AD users - this is views
https://fedorahosted.org/freeipa/ticket/3318
https://fedorahosted.org/freeipa/ticket/4509
b) Ability to apply policies to AD users. It is already possible.
This is done via group membership.
So you create a group in IPA, make the AD group an external member of that
group and then use that IPA group to apply HBAC, SUDO and SELinux rules.

As for RBAC what do you mean?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
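Dmitri's step b) above (create an IPA group, add the AD group as an external member, then hang HBAC, sudo and SELinux rules on the IPA group) as an added example that is not code from this thread or from the FreeIPA project: a POSIX sh wrapper around the ipa CLI that also runs the check a practitioner wants afterwards, ipa hbactest. The names are assumptions for illustration only: AD domain ad.example.com, AD group linux-admins, IPA host group webservers, test user jdoe and host web1.example.com. By default the script only prints the commands; set DRY_RUN=0 and pass "apply" to run them on an enrolled host with an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): map an AD group
# into IPA and attach HBAC, sudo and SELinux rules to it, then check the
# result with ipa hbactest. Names are assumptions for illustration only:
# AD domain ad.example.com, AD group linux-admins, IPA host group webservers.
# DRY_RUN=1 (default) prints the ipa commands; DRY_RUN=0 executes them.

AD_DOMAIN=${AD_DOMAIN:-ad.example.com}
AD_GROUP=${AD_GROUP:-linux-admins}
HOSTGROUP=${HOSTGROUP:-webservers}
DRY_RUN=${DRY_RUN:-1}

# run ARGS...: print or execute one ipa command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipa'
        printf ' %s' "$@"
        printf '\n'
    else
        ipa "$@"
    fi
}

# map_ad_group NAME: the external (non-POSIX) group carries the AD group's
# SID; the plain POSIX group wraps it because HBAC, sudo and SELinux rules
# can only reference POSIX groups.
map_ad_group() {
    run group-add "${1}_external" --external \
        --desc="external members: ${AD_GROUP}@${AD_DOMAIN}"
    run group-add-member "${1}_external" --external "${AD_GROUP}@${AD_DOMAIN}"
    run group-add "$1" --desc="POSIX wrapper for ${AD_GROUP}@${AD_DOMAIN}"
    run group-add-member "$1" --groups "${1}_external"
}

# attach_rules GROUP: ssh-only HBAC rule, all-commands sudo rule and an
# SELinux user map, each scoped to the host group.
attach_rules() {
    run hbacrule-add "${1}_ssh" --desc="ssh for ${1} on ${HOSTGROUP}"
    run hbacrule-add-user "${1}_ssh" --groups="$1"
    run hbacrule-add-host "${1}_ssh" --hostgroups="$HOSTGROUP"
    run hbacrule-add-service "${1}_ssh" --hbacsvcs=sshd

    run sudorule-add "${1}_sudo" --cmdcat=all
    run sudorule-add-user "${1}_sudo" --groups="$1"
    run sudorule-add-host "${1}_sudo" --hostgroups="$HOSTGROUP"

    run selinuxusermap-add "${1}_selinux" --selinuxuser=staff_u:s0-s0:c0.c1023
    run selinuxusermap-add-user "${1}_selinux" --groups="$1"
    run selinuxusermap-add-host "${1}_selinux" --hostgroups="$HOSTGROUP"
}

# hbac_check USER HOST: simulate the login and list the rules that matched.
hbac_check() {
    run hbactest --user="${1}@${AD_DOMAIN}" --host="$2" --service=sshd
}

main() {
    map_ad_group ad_admins
    attach_rules ad_admins
    hbac_check jdoe web1.example.com
    # Only after hbactest shows your own rule admitting the admins: the
    # default allow_all rule otherwise makes every HBAC rule above moot.
    run hbacrule-disable allow_all
}

# Invoke as "sh map-ad-group.sh apply" to run main (DRY_RUN=1 just prints).
if [ "${1:-}" = apply ]; then
    main
fi
```

Two points the thread leaves implicit: the rules reference the POSIX wrapper group rather than the external group, which is why both groups are created; and an HBAC rule restricts nothing while the default allow_all rule is enabled, so disable allow_all only once ipa hbactest confirms that the rules you added admit the administrators who must keep access, otherwise you lock yourself out of the hosts you just scoped.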