> On Thu, Jan 19, 2012 at 11:42:25AM +0100, David Juran wrote:
> > Hello
> > 
> > I have a case where a customer would like to authenticate users from two
> > different AD domains. Since IPA (currently) can't sync with multiple AD
> > domains, I was thinking of setting up two independent IPA servers that
> > sync with one AD each and then configure the clients with multiple sssd
> > authentication domains to authenticate users from both IPA:s.
> > 
> > Would this work? Does anyone foresee any difficulties?
> 
> From the SSSD point of view it would, it's just two different domains.
> 
> You'd have to be careful about referencing the users by name, though,
> and use a fully qualified name (user@domain) to specify the particular
> users. Otherwise, all the searches would iterate over domains until they
> find a hit, which may be slow (SSSD ticket #843) and not return the desired
> result if there are users with the same name in both domains.
> 
> I'm not aware of problems with duplicating to AD servers to two IPA
> servers, but this question would be better answered on the freeipa-users
> mailing list (freeipa-us...@redhat.com)

Just one suggestion here: if the point is just to authenticate users from two 
different AD domains, why not configure SSSD to communicate directly with those 
AD servers? Is there any other reason to use IPA as the middle-man?

Jan
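
An added sketch of the client setup discussed in this thread (not taken from any poster's message): an sssd.conf with two independent IPA domains, each requiring fully qualified names so that a short name is never resolved in the wrong domain. All host and domain names are placeholder assumptions.

```ini
# Constructed example: every hostname and domain name below is a placeholder.
[sssd]
config_file_version = 2
services = nss, pam
# Short-name lookups walk the domains in this order until one returns a hit.
domains = ipa-a.example.com, ipa-b.example.com

[domain/ipa-a.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa-a.example.com
ipa_server = ipa1.ipa-a.example.com
# Only answer requests of the form user@ipa-a.example.com. This avoids both
# the iteration over domains and a same-named user from the other domain
# being returned instead of the intended one.
use_fully_qualified_names = True

[domain/ipa-b.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa-b.example.com
ipa_server = ipa1.ipa-b.example.com
use_fully_qualified_names = True
```

With this in place, `getent passwd alice` returns nothing, while `getent passwd alice@ipa-b.example.com` is answered only by the second domain, which makes the identity behind any access rule or sudo entry explicit.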


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
