On 02/17/2015 04:34 PM, Steven Jones wrote:
"I have been informed that all computer users on our campus must now
authenticate off of the University's Active Directory server,
including all Linux machines."
Dictated by a clueless Windows ***** no doubt, ***sigh***. Here we are
keeping both separate as AD is so bad security-wise, but want some low-risk
trusts for certain groups of machines (common desktops).
If the expectation is it's directly off the AD then you don't need IPA
at all. However, without an expensive commercial add-on per Linux
server/desktop you won't be able to do much management and control.
This has security implications: if you had, say, a finance or HR server
without these commercial tools you may find any AD user could get on
them, not what you would want.
So you have 2 options in keeping IPA:
a) trusts, and you should be able to keep your users.
b) winsync and passsync, and all the AD users are synced over to IPA.
Existing users stay as is, the ones in AD but not in IPA get pulled
over to IPA.
***maybe***
c) You might be able to do both winsync and trusts at the same time;
then that is simpler provisioning, i.e. a user gets created in AD and
automatically gets created in IPA ready for you to put in the user
group you want.
I am not sure this is the best solution really.
Trust and sync do not help each other. The fact that you have trust does
not help you to provision users the way you describe.
I'd like to do c), which I am looking at at present, if I ever get IPA
on RHEL6.6 upgraded to RHEL7.1!
regards
Steven J
------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com
<freeipa-users-boun...@redhat.com> on behalf of David Fitzgerald
<david.fitzger...@millersville.edu>
*Sent:* Wednesday, 18 February 2015 10:05 a.m.
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] question about Active Directory authentication
Hello,
I am currently running an IPA 3.3 server on Centos 7. I have 70 IPA
client machines running Scientific Linux 6.6 and 150 users. User
directories are auto-mounted from a Centos 7 file server.
I have been informed that all computer users on our campus must now
authenticate off of the University's Active Directory server,
including all Linux machines. I have been looking through the IPA
documentation and am getting myself confused and not completely
understanding what needs to be done, thus I have some questions.
1. The docs talk about setting up a trust between the IPA server and
the AD server. Will I need to change all of the IPA clients as well
as the IPA server, or do I only need to change the server and not have to
touch the clients?
2. Do I even need to set up a full trust relationship just to
authenticate my users with AD?
3. Since I already have 150 users, will I have to delete their IPA
accounts before setting up the trust? W
Sorry if my questions are a bit basic, but I need some guidance to get
me started.
Thanks!
Dave
++++++++++++++++++++++++++++++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551
Phone: 717-871-2394
E-Mail: david.fitzger...@millersville.edu
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project