question about the scope of FreeIPA LDAPS service - can it authenticate AD trust users or just local IPA users?
4:07 p.m.
Dumb question ...
For use cases (temporary/ephemeral/auto-scaling servers) where we can't
do a full ipa-client-install on a managed node is it possible to use the
LDAP service on FreeIPA to check a username and password for an AD-trust
user?
I've been fooling around with making AWS Parallelcluster nodes LDAP
clients of a FreeIPA environment and it actually works really well with
users and groups that are local to FreeIPA; it's quite a nice solution
actually and solves a consistency problem for some users and groups we
need to persist as HPC grids are launched and destroyed.
Was wondering idly if the LDAP service extended to being able to
authenticate a user that exists within an AD-trust. It does not seem to
work out of the box but I was wondering if a change of the LDAP bind DN
or other settings would allow this to work?
Wanted to ask if this was even possible before I spent more time working
on my ldap configs!
Regards
Chris
1:56 p.m.
New subject: question about the scope of FreeIPA LDAPS service - can it authenticate AD trust users or just local IPA users?
Yes, it is possible to do so. It will require you to turn on the compatibility tree and
point to do that dn. More than likely you'll need to run `ipa-adtrust-install
--enable-compat` on all IPA servers that are trust controllers/agents. Once you do so,
you'll get a cn=compat,... you can use.
Users: cn=users,cn=compat,dc=ipa,dc=example,dc=com
Groups: cn=groups,cn=compat,dc=ipa,dc=example,dc=com
What will happen is all IPA users and groups typically show up immediately. But the AD
users/groups will not until there is a query for them (eg ldapsearch or bind attempt),
which should be sufficient. In my previous cases of using the compat tree, it was for
Solaris, FreeBSD, and RHEL 5, and I didn't run into too many issues.
--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
4:27 p.m.
New subject: question about the scope of FreeIPA LDAPS service - can it authenticate AD trust users or just local IPA users?
Fantastic, thanks so much. Will test ASAP on my end. Thanks confirming
that this is possible!
Chris
Louis Abel via FreeIPA-users
<mailto:freeipa-users@lists.fedorahosted.org>
November 5, 2020 at 2:56 PM
Yes, it is possible to do so. It will require you to turn on the
compatibility tree and point to do that dn. More than likely you'll
need to run `ipa-adtrust-install --enable-compat` on all IPA servers
that are trust controllers/agents. Once you do so, you'll get a
cn=compat,... you can use.
Users: cn=users,cn=compat,dc=ipa,dc=example,dc=com
Groups: cn=groups,cn=compat,dc=ipa,dc=example,dc=com
What will happen is all IPA users and groups typically show up
immediately. But the AD users/groups will not until there is a query
for them (eg ldapsearch or bind attempt), which should be sufficient.
In my previous cases of using the compat tree, it was for Solaris,
FreeBSD, and RHEL 5, and I didn't run into too many issues.
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&...
Virus-free. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&...
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Chris Dagdigian <mailto:dag@sonsorol.org>
November 3, 2020 at 5:07 PM
Dumb question ...
For use cases (temporary/ephemeral/auto-scaling servers) where we
can't do a full ipa-client-install on a managed node is it possible to
use the LDAP service on FreeIPA to check a username and password for
an AD-trust user?
I've been fooling around with making AWS Parallelcluster nodes LDAP
clients of a FreeIPA environment and it actually works really well
with users and groups that are local to FreeIPA; it's quite a nice
solution actually and solves a consistency problem for some users and
groups we need to persist as HPC grids are launched and destroyed.
Was wondering idly if the LDAP service extended to being able to
authenticate a user that exists within an AD-trust. It does not seem
to work out of the box but I was wondering if a change of the LDAP
bind DN or other settings would allow this to work?
Wanted to ask if this was even possible before I spent more time
working on my ldap configs!
Regards
Chris
1268
days inactive
1270
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Chris Dagdigian -
Louis Abel