[Freeipa-users] Re: 389-ds and AD integration questions

Rich Megginson rmeggins at redhat.com
Mon Sep 21 16:56:49 UTC 2009


> Dear FreeIPA community,
>
> I have a bunch of requirements that I am looking for from 
> ipa-server. Please clarify if these are possible.
>
> Background: We are planning to deploy 389-ds (formerly Fedora DS) as 
> our core ldap server in a Multi-Master Replication scenario. We will 
> be having a set of slave servers to cater to different locations. We want 
> to integrate password authentication with MS Active Directory. 389-DS 
> offers a PAM Pass-thru plugin, but it has been quite difficult to 
> configure the parameters and kerberos to get that working. Some of the 
> features I am looking for are:
>
>    1. Easy setup of PAM Pass-thru, where 389-ds queries Active
>       Directory for the password.
>
If you have PAM Kerberos auth working, you should be able to use PAM 
Pass thru. I don't know the details though, but I do know that this is 
one of the primary use cases, to allow simple bind (username/password 
auth) clients to use their kerberos password.
>
>    2. Syncing new users automatically between AD and 389-ds, including
>       UNIX attributes in AD (after installing SFU 3.5). Though a Windows
>       Sync agreement does it, we are looking for finer control over
>       the OU’s and objectclass/attributes imported.
>
The IPA winsync plugin will add missing posix attributes when syncing a 
new user entry from AD to IPA. It will not keep them in sync.
>
>    3. Password changes in the unix world reflected on AD.
>
Yes. IPA winsync will sync password changes from IPA to AD.
>
>    4. Netgroups, adding hosts to the Directory server and having an
>       inventory with hostname and IP address and/or performing basic host
>       tasks.
>
Winsync will not sync the netgroups schema.
>
>    5. Create ACI’s such that the support team only has access to create
>       ldap accounts and update group memberships.
>    6. How easy is it going to be to upgrade from 1.2.2 to 2.0?
>       Any issues anticipated?
>
>
> I am still going through the vast Admin Guide, release notes, user 
> config guide to get these answers and know more. Also let me know if 
> it is worth waiting till 2.0
>
> Thanks,
> Prashanth
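For the PAM pass-through point above (item 1 and Rich's reply that it works once PAM Kerberos auth works), the following is an added configuration example, not something posted in the thread. It is an LDIF modify for the 389-ds "PAM Pass Through Auth" plugin entry; the PAM service name `ldapserver` and the user layout `uid=...,ou=People,...` are assumptions, the attribute names are the plugin's real ones.

```ldif
# Added example (not from the thread): enable the 389-ds PAM Pass Through Auth
# plugin so that simple binds for user entries are checked by PAM, and PAM in
# turn checks the password against the AD KDC via pam_krb5.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f pam-passthru.ldif
# then restart the instance (the plugin reads its config at startup).
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Never pass through binds for the configuration tree; entries there must
# keep authenticating against their local password.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
-
# Refuse the bind (rather than silently ignore the plugin) when the bind DN
# is not under a suffix served by this instance.
replace: pamMissingSuffix
pamMissingSuffix: ERROR
-
# Use the RDN value of the bind DN (uid=prashanth,ou=People,...) as the PAM
# user name; it must therefore equal the AD account / Kerberos principal name.
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
# Do not fall back to the entry's local userPassword when PAM rejects the
# bind; otherwise a disabled AD account could still bind with a stale local hash.
replace: pamFallback
pamFallback: FALSE
-
# Only hand the cleartext password to PAM when the client connected over
# TLS/SSL, so it never crosses the wire unprotected.
replace: pamSecure
pamSecure: TRUE
-
# Name of the PAM service file consulted: /etc/pam.d/ldapserver (assumed name).
replace: pamService
pamService: ldapserver
```

The matching `/etc/pam.d/ldapserver` (assumed name) only needs `auth required pam_krb5.so` and `account required pam_krb5.so`, with `/etc/krb5.conf` pointing at the AD realm, and the file must be readable by the account the `ns-slapd` process runs as. If the directory's `uid` values cannot match the AD account names, use `pamIDMapMethod: ENTRY` together with `pamIDAttr` naming an attribute on the user entry that holds the AD name. After the restart, test with a simple bind over TLS (`ldapsearch -x -ZZ -D "uid=someuser,ou=People,dc=example,dc=com" -W ...`) and confirm the same bind over plain LDAP is rejected, which shows `pamSecure` is doing its job.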

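For item 5 (ACIs so that the support team can only create accounts and maintain group membership), here is an added least-privilege example; it is not from the thread. The suffix `dc=example,dc=com`, the group `cn=Support,ou=Groups,...` and the admin group `cn=Directory Administrators` are assumed names.

```ldif
# Added example (not from the thread): two ACIs giving a support group the
# minimum rights for its job. Names below are assumptions for illustration.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f support-aci.ldif

# 1. Support may add new entries under ou=People, but only entries that
#    carry objectClass posixAccount (entries without it are refused, so no
#    sub-OUs, groups or arbitrary objects). No write, delete or aci rights.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(objectClass=posixAccount)")(version 3.0; acl "Support may create user accounts"; allow (add) groupdn = "ldap:///cn=Support,ou=Groups,dc=example,dc=com";)

# 2. Support may change membership attributes of groups under ou=Groups,
#    except the Support group itself and the directory admin group, so a
#    support member cannot use this ACI to widen their own rights. Only the
#    membership attributes are writable; cn, description and aci stay read-only.
dn: ou=Groups,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "member || uniqueMember || memberUid")(targetfilter = "(&(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))(!(cn=Support))(!(cn=Directory Administrators)))")(version 3.0; acl "Support may update group membership"; allow (write) groupdn = "ldap:///cn=Support,ou=Groups,dc=example,dc=com";)
```

Two things to check once these are in place: the first ACI still lets a support member choose `uidNumber`/`gidNumber` freely, so have the 389-ds DNA plugin assign those values (or add a further ACI that excludes them from the creatable attributes) rather than trusting the client; and review the result by binding as a support member and attempting a prohibited operation, such as a modify of an existing user or an add to `cn=Directory Administrators`, which must come back with an insufficient-access error.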