Re: [Freeipa-users] Quick question regarding modifying attributes

2016-05-02 Thread Alexander Bokovoy

On Mon, 02 May 2016, Sullivan, Daniel [AAA] wrote:

> Hi, Jakub,
>
> Thank you for taking the time to reply to my email.  It is nice to know
> that short names will be possible in 7.3.  Unfortunately this will not
> address the problem we are trying to resolve; to make a long story
> short we are working with a proprietary system called Isilon OneFS (a
> scale-out NAS platform made by EMC); we are aggregating records from
> disparate authentication sources into a single identity (the mapping
> engine is proprietary).  The aggregation logic implemented matches
> based on username.  So, we need the user (and group) names in their
> short representation served up via either LDAP or NIS, not just via
> SSSD.
>
> It sounds like with 7.3 it might be possible to do this if we implement
> a NIS server on a client running an SSSD client with id_provider=ipa.
>
> One of the things we are struggling with is enumerating every object
> (of either user or group class) of a foreign domain via querying IPA's
> LDAP server.  It is possible to explicitly query entries from a remote
> domain from my IPA instance via LDAP by querying for
> username@f.q.d.n, but it does not seem
> possible to query for all user objects in a foreign domain by doing
> something such as a wildcard search.  If it is possible to enumerate
> all objects from a specific class from a foreign domain (i.e. force the
> generation of anchor records), we'd be interested in the methodology
> behind this.

I don't think it would be possible. That's a short answer and if you
want to discuss it, I'd hope someone from your team would be at SambaXP
next week where we could discuss it in more detail.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Quick question regarding modifying attributes

2016-05-02 Thread Sullivan, Daniel [AAA]
Hi, Jakub,

Thank you for taking the time to reply to my email.  It is nice to know that 
short names will be possible in 7.3.  Unfortunately this will not address the 
problem we are trying to resolve; to make a long story short we are working 
with a proprietary system called Isilon OneFS (a scale-out NAS platform made by 
EMC); we are aggregating records from disparate authentication sources into a 
single identity (the mapping engine is proprietary).  The aggregation logic 
implemented matches based on username.  So, we need the user (and group) names 
in their short representation served up via either LDAP or NIS, not just via 
SSSD.

It sounds like with 7.3 it might be possible to do this if we implement a NIS 
server on a client running an SSSD client with id_provider=ipa.

One of the things we are struggling with is enumerating every object (of either 
user or group class) of a foreign domain via querying IPA's LDAP server.  It is 
possible to explicitly query entries from a remote domain from my IPA instance 
via LDAP by querying for username@f.q.d.n, but it does 
not seem possible to query for all user objects in a foreign domain by doing 
something such as a wildcard search.  If it is possible to enumerate all 
objects from a specific class from a foreign domain (i.e. force the generation 
of anchor records), we'd be interested in the methodology behind this.

Thank you again for all of your help.

Best,

Dan Sullivan

> On Apr 29, 2016, at 2:22 AM, Jakub Hrozek wrote:
>
> On Thu, Apr 28, 2016 at 06:31:20PM +, Sullivan, Daniel [AAA] wrote:
>> Jakub,
>>
>> Thank you for your reply.  I did not know that the compat tree was
>> populated from sssd; do you have any experience and/or recommendation on
>> using the full_name_format variable of sssd.conf to manipulate how cn's are
>> populated in anchor records?  Basically I'm interested in trying to get
>> IPA to provision anchor records for a trusted domain without the @f.d.q.n
>> appended to usernames.  It seems like having a custom full_name_format
>> (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf)
>> might achieve this (have already done some internal testing with partial
>> results, running into some issues but interested in yours and the group's
>> opinion on the viability of this).
>
> It's not possible at the moment to change the output format of the sssd
> on the server or the format of the entries in the compat tree. Several
> pieces of the stack (including the extdom plugin that serves requests to
> the sssd clients) rely on the name being qualified at least on the
> server side to function properly.
>
> What should be possible starting with 7.3 is to have the shortnames
> in the output of SSSD clients with id_provider=ipa.
>
> But I'm not sure legacy clients would work either with shortnames
> because with the legacy clients, we typically treat the whole
> qualified string as a "name":
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
> re_expression = (?P<name>.+)   <---
>
> The re_expression tells sssd that the whole input string, qualified or not,
> is a "name"; there is no separate IPA and AD domain in these setups. This
> is because with the legacy clients, those clients must use the "ldap"
> id_provider pointed to the compat tree and the 'ldap' provider, unlike the
> 'ipa' or 'ad' providers, has no notion of trusted domains internally.
>
> So if you want to use shortnames on the output, I think the best bet is
> to wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider.



This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please 
notify the sender and destroy all copies of the transmittal. 

Thank you
University of Chicago Medicine and Biological Sciences 



Re: [Freeipa-users] Quick question regarding modifying attributes

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 06:31:20PM +, Sullivan, Daniel [AAA] wrote:
> Jakub,
> 
> Thank you for your reply.  I did not know that the compat tree was
> populated from sssd; do you have any experience and/or recommendation on
> using the full_name_format variable of sssd.conf to manipulate how cn's are
> populated in anchor records?  Basically I'm interested in trying to get
> IPA to provision anchor records for a trusted domain without the @f.d.q.n
> appended to usernames.  It seems like having a custom full_name_format
> (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf)
> might achieve this (have already done some internal testing with partial
> results, running into some issues but interested in yours and the group's
> opinion on the viability of this).

It's not possible at the moment to change the output format of the sssd
on the server or the format of the entries in the compat tree. Several
pieces of the stack (including the extdom plugin that serves requests to
the sssd clients) rely on the name being qualified at least on the
server side to function properly.

What should be possible starting with 7.3 is to have the shortnames
in the output of SSSD clients with id_provider=ipa.

But I'm not sure legacy clients would work either with shortnames
because with the legacy clients, we typically treat the whole
qualified string as a "name":


[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)   <---

The re_expression tells sssd that the whole input string, qualified or not,
is a "name"; there is no separate IPA and AD domain in these setups. This
is because with the legacy clients, those clients must use the "ldap"
id_provider pointed to the compat tree and the 'ldap' provider, unlike the
'ipa' or 'ad' providers, has no notion of trusted domains internally.

So if you want to use shortnames on the output, I think the best bet is
to wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider.

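The legacy-client behaviour described above (the whole qualified string kept as the "name") can be seen by applying a domain's re_expression to a login string the way SSSD does. The script below is an added example, not code from this thread or from the SSSD project: the two sssd.conf fragments, hostnames and search bases in it are constructed, and the ipa/ad default re_expression is quoted from the sssd.conf(5) man page from memory (an assumption; check the man page of the version you run).

```python
"""Apply an SSSD re_expression to login strings the way SSSD does.

Added example (not from the thread or the SSSD project). It reads two
constructed sssd.conf fragments, a legacy client with id_provider=ldap pointed
at the compat tree and a client with id_provider=ipa, and shows which part of
"user@domain" each one keeps as the "name" and which as the "domain".
"""
import configparser
import re

# Default re_expression for the ipa/ad providers as documented in sssd.conf(5)
# (quoted from memory; assumption, check the man page of the version you run).
IPA_DEFAULT_RE = (r"(((?P<domain>[^\\]+)\\(?P<name>.+$))"
                  r"|((?P<name>[^@]+)@(?P<domain>.+$))"
                  r"|(^(?P<name>[^@\\]+)$))")

# Constructed legacy-client configuration: the 'ldap' provider pointed at the
# compat tree, with the whole input string treated as the name.
# Hostnames and search bases are made up.
LEGACY_CONF = r"""
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ipa.example.test
ldap_search_base = cn=compat,dc=example,dc=test
ldap_schema = rfc2307
re_expression = (?P<name>.+)
"""

# Constructed ipa-provider configuration; no re_expression, so the default applies.
IPA_CONF = r"""
[sssd]
services = nss, pam
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
ipa_domain = example.test
"""


def compile_sssd_re(pattern):
    """Compile an SSSD re_expression with Python's re module.

    SSSD uses PCRE with duplicate group names allowed, so "name" may appear in
    several alternatives; Python's re rejects that, so repeated names get a
    numeric suffix here and parse_name() folds them back together.
    """
    seen = {}

    def rename(m):
        base = m.group(1)
        seen[base] = seen.get(base, 0) + 1
        return "(?P<%s>" % (base if seen[base] == 1 else "%s__%d" % (base, seen[base]))

    return re.compile(re.sub(r"\(\?P<([A-Za-z_]\w*)>", rename, pattern))


def parse_name(pattern, login):
    """Return (name, domain) for login, or None when the expression does not match.

    The whole string has to match; the documented patterns anchor with $ anyway.
    """
    m = compile_sssd_re(pattern).fullmatch(login)
    if m is None:
        return None
    found = {}
    for group, value in m.groupdict().items():
        base = group.split("__")[0]
        if value is not None and base not in found:
            found[base] = value
    return found.get("name"), found.get("domain")


def re_expression_for(conf_text, domain_section):
    """Pick the re_expression a domain would use: the explicit setting, or the
    ipa/ad default. Other providers without an explicit value are rejected
    rather than guessing their default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp[domain_section]
    if "re_expression" in sect:
        return sect["re_expression"]
    if sect.get("id_provider") in ("ipa", "ad"):
        return IPA_DEFAULT_RE
    raise ValueError("no re_expression set for %s" % domain_section)


def demo():
    """Parse the same logins under both configurations."""
    logins = ["dsullivan", "dsullivan@ad.example.test", "AD\\dsullivan"]
    result = {}
    for label, conf, section in (("legacy", LEGACY_CONF, "domain/default"),
                                 ("ipa", IPA_CONF, "domain/example.test")):
        pattern = re_expression_for(conf, section)
        result[label] = {login: parse_name(pattern, login) for login in logins}
    return result


if __name__ == "__main__":
    for label, parsed in demo().items():
        for login, (name, domain) in parsed.items():
            print("%-7s %-28s name=%r domain=%r" % (label, login, name, domain))
```

Under the legacy configuration every login, including dsullivan@ad.example.test, comes back with the whole string as the name and no domain, which is exactly why such a client cannot tell an IPA user from an AD user; under the ipa provider the same string splits into name and domain. The group renaming in compile_sssd_re exists only because Python's re module, unlike the PCRE SSSD links against, refuses a pattern that defines the same group name twice.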

Re: [Freeipa-users] Quick question regarding modifying attributes

2016-04-28 Thread Sullivan, Daniel [AAA]
Jakub,

Thank you for your reply.  I did not know that the compat tree was populated 
from sssd; do you have any experience and/or recommendation on using the 
full_name_format variable of sssd.conf to manipulate how cn's are populated in 
anchor records?  Basically I'm interested in trying to get IPA to provision 
anchor records for a trusted domain without the @f.d.q.n appended to usernames. 
 It seems like having a custom full_name_format (sssd.conf) possibly in 
conjunction with default_domain_suffix (sssd.conf) might achieve this (have 
already done some internal testing with partial results, running into some 
issues but interested in yours and the group's opinion on the viability of this).

I appreciate your help.

Best,

Dan

> On Apr 28, 2016, at 11:29 AM, Jakub Hrozek wrote:
> 
> On Wed, Apr 27, 2016 at 06:58:35PM +, Sullivan, Daniel [AAA] wrote:
>> Hi,
>> 
>> I have a trusted AD domain that I am enumerating objects from via IPA.  I wanted 
>> to know if I should be able to manipulate the uidNumber and gidNumber stored 
>> in the default ID view by using the ldapmodify command, for example, for 
>> this DN (not local):
>> 
>> uid=u...@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu
> 
> The compat tree is autogenerated and can't be modified.
> 
> If you want ID views to be applicable to clients using the compat tree,
> you can define the overrides using the standard IPA CLI tools in the
> "default Trust View", because that one is applied on the server itself
> and the compat tree is autogenerated from the data that SSSD on the
> server delivers.






Re: [Freeipa-users] Quick question regarding modifying attributes

2016-04-28 Thread Jakub Hrozek
On Wed, Apr 27, 2016 at 06:58:35PM +, Sullivan, Daniel [AAA] wrote:
> Hi,
> 
> I have a trusted AD domain that I am enumerating objects from via IPA.  I wanted to 
> know if I should be able to manipulate the uidNumber and gidNumber stored in 
> the default ID view by using the ldapmodify command, for example, for 
> this DN (not local):
> 
> uid=u...@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu

The compat tree is autogenerated and can't be modified.

If you want ID views to be applicable to clients using the compat tree,
you can define the overrides using the standard IPA CLI tools in the
"default Trust View", because that one is applied on the server itself
and the compat tree is autogenerated from the data that SSSD on the
server delivers.



Re: [Freeipa-users] quick question

2014-03-13 Thread Rich Megginson

On 03/13/2014 11:02 AM, Todd Maugh wrote:

> does IDM work with AD 2012 or only 2008?
>
> -Todd

Are you talking about trusts?  Not sure.

Winsync?  The PassSync password sync agent?
I think so, with RHEL 6.5, or perhaps it is RHEL6.6.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] quick question

2014-03-13 Thread Alexander Bokovoy

On Thu, 13 Mar 2014, Rich Megginson wrote:

> On 03/13/2014 11:02 AM, Todd Maugh wrote:
>
>> does IDM work with AD 2012 or only 2008?
>
> Are you talking about trusts?  Not sure.
>
> Winsync?  The PassSync password sync agent?
> I think so, with RHEL 6.5, or perhaps it is RHEL6.6.

Trusts work with 2008, 2008R2, 2012+. Some people made it work with
2003 at the expense of weak crypto.

--
/ Alexander Bokovoy



Re: [Freeipa-users] quick question

2014-03-13 Thread Alexander Bokovoy

Todd,

On Thu, 13 Mar 2014, Todd Maugh wrote:

> Yes for trusts rhel6.5 with AD 2012 for winsync and password sync

You are mixing two different things.

- winsync/password sync is not trusts. AD accounts are physically cloned to
  IdM on each change at the AD side. When logging in to IdM with an AD
  account, authentication is performed by IdM solely based on the password
  set in IdM.

- trusts are not winsync/password sync. Accounts are always managed at the
  AD side and never duplicated in IdM LDAP. When logging in to IdM with an
  AD account, authentication is performed by AD and validated by IdM based
  on IdM's HBAC rules.

Both approaches have their own benefits but they are not mixable.







--
/ Alexander Bokovoy
