hi Rob, largely because Okta has no support for basic things like uidNumber and gidNumber. I know that when bound to AD it uses one of the AD's SIDs to generate these attributes and keep them consistent between installations, but have no idea how SSSD would do that against an LDAP server as "vanilla" as Okta's. FreeIPA also offers things like sudoer policy.
thanks,
Jarett

> On Mar 29, 2022, at 4:30 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Jarett DeAngelis via FreeIPA-users wrote:
>> hi everyone,
>>
>> I am trying (with great difficulty!) to do authn/authz both for an HPC
>> cluster and a number of other Linux machines against our Okta directory
>> service. Okta offers their "Advanced Server Access" product, which is
>> *bonkers* expensive for the ~6 or 7 machines we need to auth with at $10K a
>> year, and Aquera has a plugin for FreeIPA they maintain which will auth
>> FreeIPA against Okta for another $10K a year. this is a small HPC lab and
>> we're just trying to avoid as much credential proliferation as we can.
>>
>> my hope is that FreeIPA can be configured to auth against Okta's "built in"
>> LDAP service, which is fairly minimal but will validate passwords and return
>> some basic information in response to queries like group membership. then I
>> can join machines to FreeIPA, which will in turn auth against Okta to allow
>> users to log in. is this possible?
>
> I'm not sure where IPA fits in here. Why use IPA as a middle-man for
> authentication? SSSD has an LDAP backend that might work.
>
> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
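For reference, this is what Rob's suggestion (SSSD's plain LDAP backend, no FreeIPA in the middle) looks like as an sssd.conf, together with the exact place where the uidNumber/gidNumber problem Jarett describes bites. It is an added example and not configuration from the thread, from Okta, or from the SSSD or FreeIPA projects. The host name, base DN, ou=users/ou=groups layout, the service-account DN, and the inetOrgPerson/groupOfUniqueNames object classes are assumptions about how an Okta LDAP interface is laid out; confirm every one of them against your own org's LDAP interface settings before relying on it.

```ini
# /etc/sssd/sssd.conf  (added example; host, DNs and object classes are assumptions)
# Must be owned by root, mode 0600: ldap_default_authtok below is a live credential.
[sssd]
config_file_version = 2
services = nss, pam
domains = okta

[domain/okta]
id_provider = ldap
auth_provider = ldap

# Connection: always ldaps, and always verify the server certificate. A backend
# that validates passwords over TLS with ldap_tls_reqcert = never lets any
# on-path host harvest every login.
ldap_uri = ldaps://example.ldap.okta.com:636
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand

# Search bases (assumed layout: dc=<org>,dc=okta,dc=com with ou=users / ou=groups).
ldap_search_base = dc=example,dc=okta,dc=com
ldap_user_search_base = ou=users,dc=example,dc=okta,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=okta,dc=com

# Service account for lookups (assumption: the interface does not permit
# anonymous searches). Use a dedicated, read-only identity, not a person's login.
ldap_default_bind_dn = uid=sssd-svc@example.com,ou=users,dc=example,dc=okta,dc=com
ldap_default_authtok = REPLACE_ME

# Schema mapping (assumed: inetOrgPerson users keyed by uid, groupOfUniqueNames
# groups whose uniqueMember values are full user DNs, hence rfc2307bis).
ldap_schema = rfc2307bis
ldap_user_object_class = inetOrgPerson
ldap_user_name = uid
ldap_group_object_class = groupOfUniqueNames
ldap_group_name = cn
ldap_group_member = uniqueMember

# This is the sticking point from the thread. SSSD only returns a user or group
# that carries these two attributes; an entry without them is simply invisible
# to getent/PAM, so if the directory never populates uidNumber/gidNumber nobody
# can log in, however well password validation works.
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber

# ldap_id_mapping = true is NOT a workaround for a server that lacks them: it
# synthesises IDs from an objectSID-style attribute (ldap_user_objectsid), which
# AD has and a vanilla LDAP server does not.
ldap_id_mapping = false

# Fallbacks for attributes the interface may not populate.
fallback_homedir = /home/%u
default_shell = /bin/bash

cache_credentials = true
enumerate = false
```

Before pointing SSSD at the directory, check the premise directly with the same bind account, e.g. `ldapsearch -H ldaps://example.ldap.okta.com:636 -D '<bind dn>' -W -b 'ou=users,dc=example,dc=okta,dc=com' '(uid=someone@example.com)' uidNumber gidNumber`: if the two attributes do not come back, the configuration above will produce empty lookups, and the ID-allocation problem has to be solved somewhere that owns the POSIX identity (which is the role FreeIPA plays in the original question). Also note that group membership here is a flat list of DNs; ID consistency across machines depends entirely on the directory serving the same uidNumber/gidNumber to every host.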