Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On Mon, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:
> Is there any way to integrate FreeIPA into an environment such as ours or am I going to have to continue with my homegrown way of doing things?

I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
I will look into that. I've got nearly a year before I have to do my machine migrations, so one would assume that this feature would stabilize by the time I get around to doing an actual implementation. I'll play with it and see if I can make it work. Although the instructions do mention validating it from the Windows side of things, which may stop me dead in the water since I have no access.

Brian

On 06/19/2012 03:17 AM, David Juran wrote:
> On Mon, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:
>> Is there any way to integrate FreeIPA into an environment such as ours or am I going to have to continue with my homegrown way of doing things?
>
> I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
>> I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.
>
> The initial documentation looks like it's describing a full two-way trust - in principle, would a one-way trust be feasible? Allow the AD users (or a selection thereof) access to the systems part of the IPA domain but not vice versa?

AFAIK, that is the only thing currently implemented.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
>> I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.
>
> The initial documentation looks like it's describing a full two-way trust - in principle, would a one-way trust be feasible? Allow the AD users (or a selection thereof) access to the systems part of the IPA domain but not vice versa?

Well, at the moment we only set up a two-way trust, but the Windows admins would certainly be able to delete the outgoing trust right after it is created; it should cause trouble for Windows users that want to access IPA hosts.

We may take an RFE about creating only a one-way trust, but it won't be there by 3.0, I think.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On Tue, 2012-06-19 at 09:14 -0400, Brian Wheeler wrote:
> I will look into that. I've got nearly a year before I have to do my machine migrations, so one would assume that this feature would stabilize by the time I get around to doing an actual implementation. I'll play with it and see if I can make it work. Although the instructions do mention validating it from the Windows side of things, which may stop me dead in the water since I have no access.

You need the Windows domain credentials to set up the trust, so you definitely need collaboration from the Windows domain admins. W/o that collaboration there isn't much you can really do in any case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
> Well, at the moment we only set up a two-way trust, but the Windows admins would certainly be able to delete the outgoing trust right after it is created; it should cause trouble for Windows users that want to access IPA hosts.
>
> We may take an RFE about creating only a one-way trust, but it won't be there by 3.0, I think.

Gotcha - I know here I'll probably end up with a requirement for Windows users to access one or more of my Linux systems (and web interfaces) with their Windows AD credentials, but there is no way the Windows team (or IT Security) would want my users in IPA to be able to log into the Windows clients etc. in the enterprise.
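The requirement James states above (AD users may log in to IPA hosts, IPA users get nothing in AD) corresponds, from the AD side, to a trust whose direction is Inbound only; Simo's note is that the Windows admins can drop the outgoing half after `ipa trust-add` creates the two-way trust. The following is an added example, not code from the thread or from FreeIPA, that the AD side can run to confirm which direction the trust object actually grants. It assumes the ActiveDirectory PowerShell module from Windows Server 2012 / RSAT 2012 or later (the `Get-ADTrust` cmdlet), a domain-joined host, an account allowed to read trust objects, and an IPA realm named `ipa.example.com`; `Test-IpaTrustDirection` is a name chosen here.

```powershell
# Added example; not part of the mailing-list thread or of FreeIPA.
# Assumes: ActiveDirectory module (Server 2012 / RSAT 2012 or later),
# a domain-joined Windows host, read access to trust objects, and an
# IPA realm called ipa.example.com (substitute your own).
Import-Module ActiveDirectory

function Test-IpaTrustDirection {
    param(
        [Parameter(Mandatory)] [string] $IpaRealm
    )

    # Direction is reported from this AD domain's point of view:
    #   Inbound       - the other realm trusts us: AD users can log in to IPA hosts
    #   Outbound      - we trust the other realm: IPA users can use AD resources
    #   BiDirectional - both (what a fresh "ipa trust-add" produces)
    $trust = Get-ADTrust -Filter "Name -eq '$IpaRealm'"
    if (-not $trust) {
        return [pscustomobject]@{
            Realm     = $IpaRealm
            Direction = 'none'
            Verdict   = 'no trust object found for this realm'
        }
    }

    $verdict = switch ($trust.Direction) {
        'Inbound'       { 'one-way: AD users -> IPA hosts only' }
        'BiDirectional' { 'two-way: IPA users can also authenticate to AD; ' +
                          'the outgoing half must be removed if policy forbids that' }
        'Outbound'      { 'outgoing only: AD users will NOT be able to log in to IPA hosts' }
        default         { "unexpected direction '$($trust.Direction)'" }
    }

    [pscustomobject]@{
        Realm        = $IpaRealm
        Direction    = $trust.Direction
        Transitive   = $trust.ForestTransitive
        # SID filtering should stay enabled: it stops SIDs from the IPA side
        # being honoured in AD tokens via SID history.
        SIDFiltering = $trust.SIDFilteringForestAware
        Verdict      = $verdict
    }
}

Test-IpaTrustDirection -IpaRealm 'ipa.example.com' | Format-List
```

This has to be run by someone on the Windows side, which is exactly the collaboration Simo says is unavoidable: the trust cannot be created, inspected or trimmed from the IPA side alone.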
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
Oops, forgot to reply to list last time.

On 06/19/2012 10:42 AM, Simo Sorce wrote:
> On Tue, 2012-06-19 at 09:14 -0400, Brian Wheeler wrote:
>> I will look into that. I've got nearly a year before I have to do my machine migrations, so one would assume that this feature would stabilize by the time I get around to doing an actual implementation. I'll play with it and see if I can make it work. Although the instructions do mention validating it from the Windows side of things, which may stop me dead in the water since I have no access.
>
> You need the Windows domain credentials to set up the trust, so you definitely need collaboration from the Windows domain admins. W/o that collaboration there isn't much you can really do in any case.

I've got rights to join machines to the domain; would that be sufficient?

> Simo.
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On 06/18/2012 08:49 AM, Brian Wheeler wrote:
> Hello
>
> I'm a sysadmin at a smallish department at my university. We're investigating FreeIPA to replace our homegrown openldap/perl script user management stuff. The difficulty we're facing is that the university has standardized on Active Directory and they've got it pretty well locked down.
>
> We currently use the university's Kerberos for authentication and our openldap instance to store user/group data. When we create a new user, a perl script copies the relevant data from AD via an authenticated LDAP bind since they do not support anonymous binds. For groups we just maintain the ones within our ldap environment (AD groups are never copied). For hosts we have a private network that we use nss_ldap to look up hosts and then fall back to the university's DNS.
>
> All of the documentation that I've been able to find on FreeIPA seems to assume that the people setting up FreeIPA have full access to AD and can modify the structure/security settings.

Not exactly. What documentation are you talking about?

For IPA Windows Sync, IPA needs to be able to use the DirSync control provided by AD. http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

IPA needs the Bind DN and password of an AD user with the rights specified in that document.

For IPA to get passwords sync'd from AD, you need to install the PassSync.msi on all of your domain controllers.

> This is not the case for us since a different group handles it, and due to the vastness of the university they are reluctant to make any changes.
>
> Is there any way to integrate FreeIPA into an environment such as ours or am I going to have to continue with my homegrown way of doing things?
>
> Thanks!
> Brian Wheeler
> System Administrator
> Digital Library Program
> Indiana University