[Freeipa-users] RedHat IdM Active Directory Integration

Sumit Bose sbose at redhat.com
Wed Oct 7 08:51:17 UTC 2015


On Tue, Oct 06, 2015 at 01:48:21PM -0500, Lesley Kimmel wrote:
> Hi all;
> 
> I'm working an initiative to centralize user accounts in Active Directory.
> We have a large RHEL (6+) footprint and want to manage these as well. I am
> a Red Hat Engineer on the project and, while it is possible to integrate
> all of the RHEL clients directly to AD, I have a nagging feeling that using
> IdM as an intermediary would be a good approach. However, I have never
> implemented it and experienced the solidity of integration with AD so I
> can't formulate a solid argument at this point.
> 
> My primary belief is that using IdM would allow for the Unix administrators
> better control over their environment. However, even in that case we also
> have Satellite so we likely wouldn't use IdM for policy centralization. I'm
> curious whether it is possible to store all user, group and system objects
> in Active Directory and then allow the configuration of host based access
> control policies from IdM using those AD objects. That might be one

Does https://www.youtube.com/watch?v=sQnNFJOzwa8 help you for a start?
You can find additional details about HBAC on the IdM documentation at
https://access.redhat.com/articles/1586893 .

> argument for it. As an add-on to that question how is the HBAC actually
> implemented in IdM? It doesn't simply push down a policy for pam_access
> does it?

No, SSSD on the clients reads and evaluates the HBAC rules and grants or
denies access accordingly.

> 
> Also, if users were configured with Smart Card information in AD could
> these users authenticate to Linux clients with IdM as an intermediary?

Initial Smart Card support will be available in RHEL-7.2, but only for
local authentication. In the next releases we will improve this. But it is
open to what extent those features will be made available in RHEL6.

Btw, authentication will always go directly to the right server, AD in
your case, and not use IdM as a man-in-the-middle (only in special cases
where legacy clients are involved). 

HTH

bye,
Sumit

> 
> Thanks ahead of time!
> 
> -LK
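As an added example (not code from this thread, nor from SSSD or IdM), a small Python model of the evaluation SSSD performs on the client: rules are allow-only, the user, host and PAM service must all match one enabled rule, and an AD user reaches the rule through an IdM external group nested in a POSIX group. All user, group, host and rule names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    """One IdM HBAC rule as the client sees it (rules are allow-only)."""
    name: str
    enabled: bool = True
    who: set = field(default_factory=set)      # users and user groups, or "all"
    where: set = field(default_factory=set)    # hosts and host groups, or "all"
    what: set = field(default_factory=set)     # PAM services / service groups, or "all"

def expand(name, parents):
    """Name plus the transitive closure of its group memberships."""
    seen, todo = {name}, [name]
    while todo:
        for parent in parents.get(todo.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return seen

def matches(rule_set, names):
    return "all" in rule_set or bool(rule_set & names)

def hbac_evaluate(rules, user, host, service, user_parents, host_parents, svc_parents):
    """Return the first enabled rule that allows access, else None (default deny)."""
    who = expand(user, user_parents)
    where = expand(host, host_parents)
    what = expand(service, svc_parents)
    for r in rules:
        if r.enabled and matches(r.who, who) and matches(r.where, where) and matches(r.what, what):
            return r.name
    return None

# Constructed sample (hypothetical names). The AD group reaches the rule through an
# IdM external group nested in a POSIX group, the usual way AD users appear in HBAC rules.
USER_PARENTS = {
    "jdoe@ad.example.test": {"AD\\Linux Admins"},
    "AD\\Linux Admins": {"ad_linux_admins_external"},
    "ad_linux_admins_external": {"ad_linux_admins"},
}
HOST_PARENTS = {"web01.ipa.example.test": {"webservers"}}
SVC_PARENTS = {"sshd": {"remote_access"}}
RULES = [
    HbacRule("allow_all_disabled", enabled=False, who={"all"}, where={"all"}, what={"all"}),
    HbacRule("admins_remote_web", who={"ad_linux_admins"}, where={"webservers"},
             what={"remote_access"}),
]
def check(user, host, service):
    return hbac_evaluate(RULES, user, host, service, USER_PARENTS, HOST_PARENTS, SVC_PARENTS)
```

With no rule matching all three of user, host and service the result is None, which is the deny that the real client turns into a PAM failure.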

