[Freeipa-users] Re: 389-ds and AD integration questions
Rich Megginson
rmeggins at redhat.com
Mon Sep 21 16:56:49 UTC 2009
> Dear FreeIPA community,
>
> I have a bunch of requirements that I am looking for from
> ipa-server. Please clarify whether these are possible.
>
> Background: We are planning to deploy 389-ds (formerly Fedora DS) as
> our core ldap server in a Multi-Master Replication scenario. We will
> be having a set of slave servers to cater to different locations. We want
> to integrate password authentication with MS Active Directory. 389-DS
> offers a PAM Pass-thru plugin, but it has been quite difficult to
> configure the parameters and kerberos to get that working. Some of the
> features I am looking for are
>
> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active
> Directory for the password.
>
If you have PAM Kerberos auth working, you should be able to use PAM
Pass-thru. I don't know the details, but I do know that this is
one of the primary use cases: allowing simple bind (username/password
auth) clients to use their kerberos password.
>
> 2. Syncing new users automatically between AD and 389-ds, including
> UNIX attributes in AD (after installing SFU 3.5). Though a Windows
> Sync agreement does it, we are looking for finer control over
> the OUs and objectclasses/attributes imported.
>
>
The IPA winsync plugin will add missing posix attributes when syncing a
new user entry from AD to IPA. It will not keep them in sync.
>
> 3. Password changes in the unix world are reflected in AD.
>
>
Yes. IPA winsync will sync password changes from IPA to AD.
>
> 4. Netgroups, adding hosts to the Directory server and having an
> inventory with hostname and IP address and/or performing basic host
> tasks.
>
>
Winsync will not sync the netgroups schema.
>
> 5. Create ACIs such that the support team only has access to create
> ldap accounts and update group memberships.
> 6. How easy is it going to be to upgrade from 1.2.2 to 2.0?
> Any issues anticipated?
>
>
> I am still going through the vast Admin Guide, release notes and user
> config guide to get these answers and learn more. Also let me know whether
> it is worth waiting until 2.0.
>
> Thanks,
> Prashanth
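As an added example, not part of this thread and not a FreeIPA or 389-ds project file: the 389-ds PAM Pass Through Auth plugin configuration that implements the setup Rich describes, forwarding simple binds to a PAM service stack built on pam_krb5 so that LDAP clients authenticate with their Kerberos (AD) password. The plugin entry DN and the `pam*` attribute names are the plugin's own; the PAM service name `ldapserver`, the suffix `ou=people,dc=example,dc=com` and the surrounding deployment are assumptions.

```ldif
# Added example: enable and configure the 389-ds PAM Pass Through Auth plugin.
# Apply with:   ldapmodify -x -D "cn=Directory Manager" -W -f pam-passthru.ldif
# then restart the directory server instance so the plugin is loaded.
#
# The referenced PAM service file (/etc/pam.d/ldapserver, assumed name) hands
# the bind password to Kerberos; with krb5.conf pointing at the AD realm it
# would contain:
#   auth    required  pam_krb5.so
#   account required  pam_krb5.so
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Only binds for entries under this suffix are passed to PAM (assumed suffix).
replace: pamIncludeSuffix
pamIncludeSuffix: ou=people,dc=example,dc=com
-
# Never hand binds against the configuration tree (e.g. Directory Manager) to PAM.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# ENTRY: take the PAM login name from an attribute of the bind entry ...
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
# ... namely its uid, which must match the AD sAMAccountName / Kerberos principal.
replace: pamIDAttr
pamIDAttr: uid
-
# If PAM (Kerberos) rejects the password, fail the bind; do not fall back to a
# locally stored userPassword that may be stale or weaker.
replace: pamFallback
pamFallback: FALSE
-
# Require the client connection to be TLS/SSL protected: a simple bind carries
# the user's Kerberos password in plaintext at the LDAP layer.
replace: pamSecure
pamSecure: TRUE
-
# PAM service name, i.e. /etc/pam.d/ldapserver on the directory server host.
replace: pamService
pamService: ldapserver
```

Two operational points follow from this configuration: the ns-slapd process must be able to read the PAM service file and `krb5.conf` (and reach the AD KDCs), so a PAM or Kerberos failure shows up as failed binds in the access log with no local fallback; and `pamSecure: TRUE` means clients that still bind over plain LDAP without STARTTLS will be refused, which is the intended behaviour but should be checked against existing clients before rollout.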