Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA
On 11/05/2013 02:05 PM, EP wrote: > Thanks for your answers so far. > > A question about cross realm trusts though: This requires the AD servers to > be available when doing a login via FreeIPA, right? Or is FreeIPA caching > information from AD? > > We don't want Linux logins to be dependent on a windows server being > available, that won't end well :) Yes it is because the authentication actually happens against the domain the user belongs to. If user is in AD then AD will authenticate the user and then the tickets will be exchanged between domains to allow user to access services in other domains. If you want users to be in IPA then you would have to sync. > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA
Thanks for your answers so far. A question about cross realm trusts though: This requires the AD servers to be available when doing a login via FreeIPA, right? Or is FreeIPA caching information from AD? We don't want Linux logins to be dependent on a windows server being available, that won't end well :) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA
On 11/05/2013 10:45 AM, EP wrote: > Hi, > > They had a phone session with Red Hat first line support, so they are feeling > quite safe with the solution itself (in theory). > > What they're after now is more or less some end user testimonials... perhaps > a few of you PassSync users out there could write a couple of lines about > your experience with the product. Like how long you've used it, size if your > organization, general good or bad experience... I believe that could calm the > nervous minds of our AD admins :) > > //EP > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users We find it extremely difficult to get such testimonials and the reason is that it is a part of the core security infra and people do not like to talk about it or not legally allowed to. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA
On 11/05/2013 08:45 AM, EP wrote: Hi, They had a phone session with Red Hat first line support, so they are feeling quite safe with the solution itself (in theory). What they're after now is more or less some end user testimonials... perhaps a few of you PassSync users out there could write a couple of lines about your experience with the product. Like how long you've used it, size if your organization, general good or bad experience... I believe that could calm the nervous minds of our AD admins :) Note: this is why the preferred solution going forward is cross domain trust between FreeIPA and AD - no passwords to sync, no packages to install on "precious" AD machines. //EP ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA
Hi, They had a phone session with Red Hat first line support, so they are feeling quite safe with the solution itself (in theory). What they're after now is more or less some end user testimonials... perhaps a few of you PassSync users out there could write a couple of lines about your experience with the product. Like how long you've used it, size if your organization, general good or bad experience... I believe that could calm the nervous minds of our AD admins :) //EP ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Requesting contact with users running PassSync AD -> FreeIPA
On 11/05/2013 08:05 AM, EP wrote: Hi, I'm pushing to get password and user synchronization from AD to FreeIPA at the company I work for. Our windows administrators are very nervous about installing the PassSync service on their AD-controllers, and have asked me to provide a reference contact, meaning someone they could ask some questions about the service. Just send the questions to freeipa-users. I'm sure we would all be curious to see what the questions are. An existing user of PassSync might not want to be pulled into an open ended Q&A session and troubleshooting session, but would probably be willing to answer a few public questions. I have asked Red Hat support about this, but they point me to their "upstream project". Are you a Red Hat Customer? If so, please contact me by direct email. I would like to follow up with you privately about the extent of your experience with support. So would anyone in here be willing to answer (by email) a few questions and concerns that our windows admins have regarding synchronization from AD? Just send them to the freeipa-users list? Long shot, but worth a try :) Please give me a shout on qwe...@melt.se if you're willing to help out. Thanks! Best regards, EP ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users