hi Rob,
Largely because Okta has no support for basic things like uidNumber and gidNumber. I know
that when bound to AD it uses one of the AD's SIDs to generate these attributes and
keep them consistent between installations, but I have no idea how SSSD would do that
against an LDAP server as "vanilla" as Okta's. FreeIPA also offers things
like sudoer policy.
thanks,
Jarett
On Mar 29, 2022, at 4:30 PM, Rob Crittenden
<rcritten(a)redhat.com> wrote:
Jarett DeAngelis via FreeIPA-users wrote:
> hi everyone,
>
> I am trying (with great difficulty!) to do authn/authz both for an HPC cluster and a
> number of other Linux machines against our Okta directory service. Okta offers their
> "Advanced Server Access" product, which is *bonkers* expensive for the ~6 or 7
> machines we need to auth with at $10K a year, and Aquera has a plugin for FreeIPA they
> maintain which will auth FreeIPA against Okta for another $10K a year. This is a small HPC
> lab and we're just trying to avoid as much credential proliferation as we can.
>
> My hope is that FreeIPA can be configured to auth against Okta's "built
> in" LDAP service, which is fairly minimal but will validate passwords and return some
> basic information in response to queries like group membership. Then I can join machines
> to FreeIPA, which will in turn auth against Okta to allow users to log in. Is this
> possible?
I'm not sure where IPA fits in here. Why use IPA as a middle-man for
authentication? SSSD has an LDAP backend that might work.
rob
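Jarett's point about SIDs, made concrete with an added example that is not part of the thread and is not SSSD's or FreeIPA's code: a Python model of how SSSD's ldap_id_mapping derives POSIX IDs from an AD objectSID, and why a directory that exposes neither uidNumber/gidNumber nor objectSID gives the plain SSSD LDAP backend nothing to work with. The range values are the documented defaults of ldap_idmap_range_min/max/size; the slice selection (MurmurHash3 of the domain SID string with seed 0xdeadbeef, modulo the number of slices) follows SSSD's idmap as I understand it and is an assumption, as are the sample LDAP entries, which are constructed.

```python
"""Model of SSSD-style SID -> POSIX ID mapping (constructed example, not SSSD code)."""
from typing import Optional

MASK32 = 0xFFFFFFFF

# SSSD defaults from sssd-ldap(5): ldap_idmap_range_min/max/size.
IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_MAX = 2000200000
IDMAP_RANGE_SIZE = 200000
MAX_SLICES = (IDMAP_RANGE_MAX - IDMAP_RANGE_MIN) // IDMAP_RANGE_SIZE  # 10000 slices
IDMAP_SEED = 0xDEADBEEF  # assumption: the seed SSSD's idmap uses


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int) -> int:
    """Reference MurmurHash3 x86_32 (the hash SSSD bundles for idmap)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
    # finalisation mix
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def split_sid(object_sid: str):
    """'S-1-5-21-a-b-c-1105' -> ('S-1-5-21-a-b-c', 1105): domain SID and RID."""
    parts = object_sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {object_sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def domain_slice(domain_sid: str) -> int:
    """Slice chosen for a domain. It depends only on the domain SID string and
    the fixed range options, so every host with the same sssd.conf computes the
    same slice: the 'consistent between installations' property."""
    return murmurhash3_32(domain_sid.encode(), IDMAP_SEED) % MAX_SLICES


def slice_base(domain_sid: str) -> int:
    return IDMAP_RANGE_MIN + domain_slice(domain_sid) * IDMAP_RANGE_SIZE


def sid_to_posix_id(object_sid: str) -> Optional[int]:
    """POSIX ID = slice base + RID. RIDs that do not fit in one slice (SSSD
    would allocate a secondary slice) are not modelled here and yield None."""
    domain_sid, rid = split_sid(object_sid)
    if rid >= IDMAP_RANGE_SIZE:
        return None
    return slice_base(domain_sid) + rid


def posix_uid_for_entry(entry: dict) -> Optional[int]:
    """What an SSSD ldap provider can do with a user entry: take uidNumber if
    the directory publishes it, else map objectSID if present, else nothing."""
    if "uidNumber" in entry:
        return int(entry["uidNumber"])
    if "objectSID" in entry:
        return sid_to_posix_id(entry["objectSID"])
    return None


# Constructed sample entries (not real directory data).
AD_USER = {"sAMAccountName": "jdoe",
           "objectSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"}
RFC2307_USER = {"uid": "jdoe", "uidNumber": "10042", "gidNumber": "10042"}
OKTA_STYLE_USER = {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com"}

if __name__ == "__main__":
    for name, e in (("AD", AD_USER), ("rfc2307", RFC2307_USER), ("okta-like", OKTA_STYLE_USER)):
        print(f"{name:10s} uid={posix_uid_for_entry(e)}")
```

The third entry is the shape of the problem in this thread: with no POSIX attributes and no SID there is no deterministic input to hash, so the only options are attributes the directory itself stores or an ID allocator the clients share (which is the part FreeIPA would supply).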