On Tue, Jan 31, 2017 at 03:45:29PM +0100, Michaël Van de Borne wrote:
> Hello list,
>
> I know this is a devel list, but I didn't find a user list.
>
> Here's my situation:
> I'm installing Hadoop for a customer, and the Hadoop cluster is secured with
> Kerberos. I used FreeIPA as a KDC.
> The customer uses openLDAP as a directory server.
>
> For now, our solution is to copy the whole openLDAP user base to FreeIPA, and
> then use FreeIPA for the identification and authorization (all the keytab
> stuff).
> But keeping openLDAP and FreeIPA in sync is a nightmare, and I was wondering
> something:
> Would it be possible to configure SSSD to simultaneously target the openLDAP
> server to identify a user, and the FreeIPA server to get the tickets?
> That way, we can avoid having to keep openLDAP and FreeIPA in sync...

In general this is possible, you can use the LDAP id_provider and the
generic KRB5 auth_provider. But in order to get a TGT from FreeIPA there
must be a user entry for this user in FreeIPA, so you still have to
sync/add all new users to FreeIPA. So I wonder if this would be an
improvement at all?

bye,
Sumit

>
> All ideas are welcome!!
>
> Thank you guys,
>
> Cheers,
>
> m.
>
> _______________________________________________
> sssd-devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
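
The split described in the reply above (identity from the LDAP provider, authentication from the generic Kerberos provider), as an added sssd.conf sketch that is not part of the original thread. The domain name, host names, search base, realm and CA path are placeholders, and it assumes the client holds a host keytab from the FreeIPA realm so that krb5_validate can verify the TGT.

```ini
# /etc/sssd/sssd.conf (mode 0600, owner root) -- constructed example
[sssd]
services = nss, pam
domains = example

[domain/example]
# Identity (users, groups) comes from the customer's OpenLDAP directory.
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Require a valid server certificate so identity data cannot be spoofed.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem

# Authentication (the TGT) comes from the FreeIPA KDC.
auth_provider = krb5
chpass_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# Check the TGT against the host keytab so a rogue KDC is rejected.
krb5_validate = true
```

With this layout the login name resolved from OpenLDAP is what SSSD authenticates against the realm, so each user still needs a matching entry in FreeIPA, as the reply points out.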
