Re: [Freeipa-users] Free IPA and Google Apps
Awesome... Can ipsilon be installed on the same server as FreeIPA?

On Mon, May 19, 2014 at 7:16 AM, Simo Sorce s...@redhat.com wrote:
> On Sun, 2014-05-18 at 20:40 -0500, Chris Whittle wrote:
> > Anything new on ipsilon?
>
> I released 0.2.3: https://fedorahosted.org/ipsilon/
>
> It is still a bit rough on the edges, but can be used.
>
> Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Free IPA and Google Apps
On Tue, 2014-05-20 at 13:33 -0500, Chris Whittle wrote:
> Awesome... Can ipsilon be installed on the same server as FreeIPA?

It should be possible, although I always used a separate server for my tests.

Btw, use at least version 0.2.4, there are important bugs fixed there, although not all of the known ones are, I am planning 0.2.5 in a few days :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Free IPA and Google Apps
On Sun, 2014-05-18 at 20:40 -0500, Chris Whittle wrote:
> Anything new on ipsilon?

I released 0.2.3: https://fedorahosted.org/ipsilon/

It is still a bit rough on the edges, but can be used.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Free IPA and Google Apps
Anything new on ipsilon?

On Fri, Apr 25, 2014 at 9:18 AM, Simo Sorce s...@redhat.com wrote:
> On Fri, 2014-04-25 at 10:00 -0400, Dmitri Pal wrote:
> > Hint-hint, nudge-nudge :-)
>
> I know, I know. I got done with lasso and mod_auth_mellon patches, now I can go back to Ipsilon.
>
> If Jan gives me the go, I will cut a first release and start writing instruction, file for Fedora packages and all that
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Free IPA and Google Apps
On 04/25/2014 01:59 AM, Chris Whittle wrote:
> I am wanting to use Free IPA as the authentication source for Google Apps. I can't seem to find any documentation on how to accomplish this. Anyone have any experience they would be willing to share?
>
> Our install is on CentOS 6.5 fyi.

I did a brief googling and it seems to me that Google Apps should be capable of LDAP based auth/synchronization:

http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/config_ldap_auth.html

Even better solution would be probably to use SAML:

https://developers.google.com/google-apps/sso/saml_reference_implementation

by utilizing a project Ipsilon that Simo (CCed) is working on.

Martin
Re: [Freeipa-users] Free IPA and Google Apps
Thanks Martin, I found a few notes on FreeIPA and GADS but most were people saying not to do it on principle but nothing saying if it's possible or not.

I like the SAML option, including the mysterious ipsilon (Is there anything more than the git repo yet?), but wonder how much control it has. Does it just allow them to SSO using their LDAP credentials? If I disable a user in LDAP does it only recognize that only during login or is it smart enough to kill their Google Apps sessions and make them login again?

On Fri, Apr 25, 2014 at 3:03 AM, Martin Kosek mko...@redhat.com wrote:
> On 04/25/2014 01:59 AM, Chris Whittle wrote:
> > I am wanting to use Free IPA as the authentication source for Google Apps. I can't seem to find any documentation on how to accomplish this. Anyone have any experience they would be willing to share?
> >
> > Our install is on CentOS 6.5 fyi.
>
> I did a brief googling and it seems to me that Google Apps should be capable of LDAP based auth/synchronization:
>
> http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/config_ldap_auth.html
>
> Even better solution would be probably to use SAML:
>
> https://developers.google.com/google-apps/sso/saml_reference_implementation
>
> by utilizing a project Ipsilon that Simo (CCed) is working on.
>
> Martin
Re: [Freeipa-users] Free IPA and Google Apps
On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote:
> Thanks Martin, I found a few notes on FreeIPA and GADS but most were people saying not to do it on principle but nothing saying if it's possible or not.
>
> I like the SAML option, including the mysterious ipsilon (Is there anything more than the git repo yet?), but wonder how much control it has.

At the moment no control at all.

> Does it just allow them to SSO using their LDAP credentials?

Yes.

> If I disable a user in LDAP does it only recognize that only during login or is it smart enough to kill their Google Apps sessions and make them login again?

At the moment no, in future, perhaps we can develop a plugin that will call a SSO logout to the remote applications the user logged into, but this will require the server to be more stateful.

This feature is not available in the current code.

Simo.
Re: [Freeipa-users] Free IPA and Google Apps
Thank you Simo! Does anyone have any more info/experience on using GADS and FreeIPA that they would be willing to share?

On Fri, Apr 25, 2014 at 7:39 AM, Simo Sorce sso...@redhat.com wrote:
> On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote:
> > Thanks Martin, I found a few notes on FreeIPA and GADS but most were people saying not to do it on principle but nothing saying if it's possible or not.
> >
> > I like the SAML option, including the mysterious ipsilon (Is there anything more than the git repo yet?), but wonder how much control it has.
>
> At the moment no control at all.
>
> > Does it just allow them to SSO using their LDAP credentials?
>
> Yes.
>
> > If I disable a user in LDAP does it only recognize that only during login or is it smart enough to kill their Google Apps sessions and make them login again?
>
> At the moment no, in future, perhaps we can develop a plugin that will call a SSO logout to the remote applications the user logged into, but this will require the server to be more stateful.
>
> This feature is not available in the current code.
>
> Simo.
Re: [Freeipa-users] Free IPA and Google Apps
On 04/25/2014 09:51 AM, Simo Sorce wrote:
> On Fri, 2014-04-25 at 09:29 -0400, Dmitri Pal wrote:
> > Simo, how much Ipsilon is ready for a POC like this?
> >
> > I understand it is probably somewhere between alpha and beta quality but it might be a good exercise to try to set it up for a real use case. What do you think?
>
> It can be tried, but I need to write some documentation on how to set it up first :-)
>
> Simo.

Hint-hint, nudge-nudge :-)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Free IPA and Google Apps
On Fri, 2014-04-25 at 10:00 -0400, Dmitri Pal wrote:
> On 04/25/2014 09:51 AM, Simo Sorce wrote:
> > It can be tried, but I need to write some documentation on how to set it up first :-)
> >
> > Simo.
>
> Hint-hint, nudge-nudge :-)

I know, I know. I got done with lasso and mod_auth_mellon patches, now I can go back to Ipsilon.

If Jan gives me the go, I will cut a first release and start writing instruction, file for Fedora packages and all that

Simo.

--
Simo Sorce * Red Hat, Inc * New York