[Freeipa-users] New User - Possible to point authentication to external KDC

Dmitri Pal dpal at redhat.com
Mon Feb 25 07:21:15 UTC 2013


On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
> I have just begun evaluating FreeIPA, after having successfully used 389 DS
> for a few months.  The move from 389 DS to FreeIPA is to leverage the
> authorization for host logins and also for simpler management.  The
> University I am deploying at has a campus-wide KDC and, for security
> and audit reasons, I prefer to point my authentication services at that
> Kerberos realm rather than storing passwords.  I have successfully
> implemented this using the 389 DS PAM pass-through authentication
> plug-in, but have not found any documentation on how to do this same
> thing with FreeIPA.
>
> The complication with doing this is I do not have even a one-way trust
> with the KDC.  Getting a trust (even one-way) is very difficult if not
> impossible, but so far I've been able to make PAM work with that
> situation, both using local authentication and now 389 DS, both through
> PAM.  Is it possible to have FreeIPA query a remote KDC while still
> being able to fall back to the local password store (i.e. external users
> not in the campus domain)?

IPA uses 389 DS, so it might be possible to configure PAM pass-through,
but there might be implications: if users are not in IPA you would not
get a ticket, and since you can't get a ticket you can't use the UI and
CLI. You can still bind using LDAP, though, as you do with 389. So to
manage IPA you would still have to have a user in IPA. However, you will
have two KDCs, and I do not know what implications there would be for
the clients; they might be confused.
Frankly, you are better off with 389 now until we make setting up trusts
with other IPAs or MIT KDCs simple. We did that for AD, but it requires a
clean DNS setup. I suspect DNS setup will be an issue in any case.

>
> Thanks
> - Trey
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
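For reference, the 389 DS PAM pass-through setup Trey describes, as an added example that is not part of this thread and not FreeIPA project configuration. It enables the PAM Pass Through Auth plug-in so that simple binds are verified by a PAM service (intended to be backed by pam_krb5 against the campus KDC) and, via pamFallback, fall back to the userPassword stored in the directory when PAM rejects the bind, which is the fallback for non-campus users asked about above. The suffix dc=example,dc=com and the PAM service name "ldapserver" are assumptions.

```ldif
# Added example (not from the thread or the FreeIPA project).
# Enables 389 DS PAM pass-through authentication on the plug-in entry.
# Assumptions: directory suffix dc=example,dc=com, PAM service "ldapserver".
# Apply with:  ldapmodify -x -D "cn=Directory Manager" -W -f pam-pta.ldif
# then restart the dirsrv instance so the plug-in configuration is reloaded.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Never hand binds under cn=config (Directory Manager etc.) to PAM.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# Only user entries under this suffix are candidates for PAM binds.
replace: pamIncludeSuffix
pamIncludeSuffix: dc=example,dc=com
-
# If the bind DN does not exist in the directory, let PAM decide.
replace: pamMissingSuffix
pamMissingSuffix: ALLOW
-
# Derive the PAM login name from the bind DN's RDN value (uid=<name>,...).
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamIDAttr
pamIDAttr: uid
-
# On PAM failure, fall back to comparing against the entry's userPassword,
# so externally managed users can still keep a local password.
replace: pamFallback
pamFallback: TRUE
-
# Require TLS/LDAPS for pass-through binds so the password is never
# accepted from the client in cleartext.
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ldapserver
```

The PAM side is a service file for the name in pamService (here /etc/pam.d/ldapserver) whose auth and account stacks call pam_krb5.so against the campus realm configured in /etc/krb5.conf; the dirsrv process user must be able to read both. Two caveats worth checking before relying on this in an audited environment: with pamFallback TRUE, an entry that still carries a userPassword remains bindable with that password even after the KDC rejects the user, so clear userPassword on campus accounts or keep fallback off for them; and pamSecure TRUE only protects the client-to-directory leg, so confirm the bind is rejected on a plain, non-TLS port before trusting it.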