[Freeipa-devel] Multiple Active Directory Domains authentication - is freeIPA my solution?

Rich Megginson rmeggins at redhat.com
Mon Aug 18 14:14:50 UTC 2008


Alex Davies wrote:
> Hi Everyone,
>
> I'm trying to find an open source solution to authenticate a bunch of
> Linux machines (and, ideally, network devices etc.) against Active
> Directory. The complication we have is that my organization has more
> than one Active Directory Domain, each hosted on its own collection of
> domain controllers. In Windows, users select the relevant domain when
> they log in to a PC and everyone is happy [there is a trust
> relationship between our domains]. I cannot for the life of me get
> this to work properly on Linux.
>
> We set up Fedora Directory Server, and passsync on all our (very very
> many) domain controllers. We then set up multiple replication
> agreements (one per AD domain), and this seems to work - most of the
> time; however, sometimes passwords are not synced.
Can you provide passsync logs or Fedora DS logs showing failures?
> We then used NIS
> netgroups to authenticate access to machines, and finally a centrally
> managed sudoers file (via Satellite) to allow users who have logged in
> to work as role accounts if required (such as "oracle").
>
> This is a giant mess; adding a machine or user takes a very long time
> and requires changes in three places. We are unable to get an FDS
> replica to actually work. A small but significant number of password
> changes do not sync AD->LDAP. If a user is disabled in AD, this does
> not appear in FDS. I could go on, but the summary is we really really
> hate this setup.
>
> Can I ask if freeIPA will help me here? If not, can anyone point me in
> the direction of something that will? I suspect that the multiple AD
> domains thing will be a problem.
>
> Many thanks,
>
> Alex