On Tue, 26 Apr 2022, Mike Mercier wrote:
Hi Alexander,
On Thu, 7 Apr 2022 at 09:30, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Thu, 07 Apr 2022, Mike Mercier wrote:
>Hi,
>
>The following Microsoft document
>
>
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-ldap
>
>states it is possible (with a warning) to use Azure AD Connect to
>synchronize with LDAP. I figured since FreeIPA was using 389ds in the
>background it might be possible.
Well, I am not sure what it is going to give you in terms of the usability of
this solution. Nobody on my team has ever tested it, so it is definitely not
supported in the RHEL IdM case.
This link describes Microsoft instructions:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap
I'd note, though, that in case you'd try to follow their instructions,
you would need to enable unhashed passwords to be stored in the
changelog. See nsslapd-unhashed-pw-switch option in RHDS documentation.
As far as I understand, this would give you the ability to use IPA accounts
in Azure AD IdP, right? E.g. keep users in IPA, let them log in to Azure
AD protected applications?
What I was specifically hoping for was the following:
1. Store all user accounts/groups in Azure AD
2. Have the Azure AD information synchronized with FreeIPA
3. Have the ability to use the synchronized information with FreeIPA
a. As an example, delegate a user to manage a specific part of the DNS
hierarchy
But with your comment below, this doesn't sound possible?
As I said, we did not test MIM at all. If you have any success or
failure with it in your experiments, please report back here.
I should note that LDAP sync as described above is for import from LDAP
server to Azure AD, not the other way around. At least, that's what
documentation above tells about.
For pushing changes from Azure AD to an LDAP server they have recently
unveiled a different service that requires premium licensing in Azure:
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure
In either case, I have no first-hand experience. I am particularly
interested in how one can define the mapping between classes, attributes,
and tree layouts. IPA uses its own directory information tree layout,
its own object classes and attributes. It is not enough to simply push AD
objects directly to IPA; they will not be usable.
Judging by the on-premises LDAP connector documentation above, some way
to translate attribute values is present. Obviously, there is a need to
define one for IPA case as there would be no ready-made template.
The simplest way is to make use of the user lifecycle feature in FreeIPA
that allows keeping minimal LDAP objects in a staged user area and
transitioning them to IPA users from there with IPA commands that know how
to change those LDAP objects into full-featured IPA users.
We are working on a pair of extensions to FreeIPA to handle somewhat
similar cases to integrate with the OAuth 2.0 world. One is to be able to
authenticate IPA users against the OAuth 2.0 device authorization grant
endpoint of an external IdP. This works well; SSSD 2.7.0 includes the base
part for the Kerberos integration. FreeIPA integration will be
submitted as a pull request upstream in the coming weeks. We tested it with
Azure, Google, Keycloak, Okta, and GitHub already. It needs manual creation
of users and association of them with the external IdP, but the overall
approach is similar to the existing RADIUS proxy authentication feature.
Another extension is a separate SCIMv2 server and a new plugin for
Keycloak to present it as a user federation store. This one is not yet
ready for production, though. It needs a lot more work. Once it is
there, one might try to investigate how to connect Azure AD to it with
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/on-premises-scim-provisioning
This one, it seems, follows the same logic as the on-premises LDAP
connector and requires premium licensing in Azure.
Btw, even without the SCIMv2 part, once we get authentication to an external
IdP merged in FreeIPA, I would assume you'd be able to just connect that
IPA setup to Azure AD as an OAuth 2.0 endpoint and use it. You'd need
to solve the sync path more or less the same way, but you only need to create
a user account in IPA and set its IdP properties; no need to run any
kind of sophisticated LDAP connector. So, maybe Azure AD already has
means to trigger these events to a script or an OAuth 2.0-based app?
Then you can build that to run an equivalent of 'ipa user-add' / 'ipa
user-del'.
This, however, wouldn't give you the ability to log in to IPA-enrolled
systems by authenticating against Azure AD.
>
>Thank you for the information.
>
>Mike
>
>
>On Thu, 7 Apr 2022 at 08:45, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Thu, 07 Apr 2022, Mike Mercier via FreeIPA-users wrote:
>> >Hello,
>> >
>> >I was wondering if anyone has tried to synchronize FreeIPA to Azure AD
>> >using the 'Azure AD Connect' tool?
>> >
>> >
>>
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
>>
>> This is not supported.
>>
>> >I know the capability to sync with Active Directory is there, but I *do
>> >not* want to configure a Microsoft AD environment.
>>
>> Azure AD Connect only works with an on-premises AD environment, so you are
>> confusing yourself. ;)
>>
>> In short, this tool is irrelevant for FreeIPA as it is built for AD, not
>> IPA.
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>>
Thanks,
Mike
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
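To make the "trigger a script that runs an equivalent of 'ipa user-add' / 'ipa user-del'" idea and the staged-user lifecycle mentioned in the thread concrete, here is an added example in Python. It is not code from the thread or from the FreeIPA project: it plans the IPA-side ipa(1) commands for a push from an external IdP, touching only accounts under an assumed naming prefix, staging new users before activation, and preserving rather than purging removed ones. The `aad-` prefix and the sample accounts are assumptions.

```python
import shlex
import subprocess

# Prefix marking accounts this sync owns; anything else in IPA (e.g. "admin")
# is never touched. Assumed naming convention, not an IPA or Azure AD default.
MANAGED_PREFIX = "aad-"


def plan_sync(idp_users, ipa_users):
    """Return the ipa(1) commands (argv lists) that reconcile IPA with the IdP.

    idp_users: {login: {"first": ..., "last": ..., "email": ...}} from the IdP
    ipa_users: set of logins currently present in IPA
    """
    cmds = []
    wanted = {u for u in idp_users if u.startswith(MANAGED_PREFIX)}
    present = {u for u in ipa_users if u.startswith(MANAGED_PREFIX)}
    for login in sorted(wanted - present):
        a = idp_users[login]
        # Minimal object in the staging area first, then activate it so the
        # IPA framework adds POSIX ids, the Kerberos principal and the IPA
        # object classes; a raw AD object copied into IPA would be unusable.
        cmds.append(["ipa", "stageuser-add", login, "--first", a["first"],
                     "--last", a["last"], "--email", a["email"]])
        cmds.append(["ipa", "stageuser-activate", login])
    for login in sorted(present - wanted):
        # Preserve instead of purging: reversible, and the UID stays reserved.
        cmds.append(["ipa", "user-del", login, "--preserve"])
    return cmds


def apply_plan(cmds, dry_run=True):
    """Render the plan as shell lines; with dry_run=False also execute it,
    which needs a Kerberos ticket for a dedicated, least-privileged account."""
    lines = [shlex.join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


# Constructed sample input, not real directory data.
SAMPLE_IDP = {
    "aad-alice": {"first": "Alice", "last": "Example", "email": "alice@example.test"},
    "aad-bob": {"first": "Bob", "last": "Example", "email": "bob@example.test"},
}
SAMPLE_IPA = {"aad-bob", "aad-carol", "admin"}

if __name__ == "__main__":
    print("\n".join(apply_plan(plan_sync(SAMPLE_IDP, SAMPLE_IPA))))
```

Run as-is it only prints the plan; review that output before switching to dry_run=False, since the script then deletes (preserves) every managed account the IdP no longer reports.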