7:08 a.m.
Hello all,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way
trust with our Active Directory and all of our Linux systems that live in our network use
IDM for auth/authz. We are looking to start deploying our linux images into AWS and want
to use our Red Hat IDM for auth control there as well and would like, if possible, to
remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works with
IDM and Active Directory. A client system will query a freeipa server in order to get
HBAC policies, sudo rules/commands, authorization for accounts to use certain services,
and user account/group information. The client system will authenticate the user, whether
for login or sudo/su, directly to Active Directory without going through the freeipa
server. Also, the freeipa servers will query AD for user account/group information if
it’s not already cached on the freeipa server. Is my understanding here correct? If not,
please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any depency on our
local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers
and Active Directory servers in AWS for the clients to use, correct? If that is the case,
is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify
for clients to use the IDM servers and AD that are in AWS first, before attempting to use
the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use
the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
5:52 p.m.
Just refreshing this to see if anyone maybe had some input.
Thanks!
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
On Jan 21, 2021, at 8:08 AM, Jones, Bob (rwj5d) via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hello all,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way
trust with our Active Directory and all of our Linux systems that live in our network use
IDM for auth/authz. We are looking to start deploying our linux images into AWS and want
to use our Red Hat IDM for auth control there as well and would like, if possible, to
remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works
with IDM and Active Directory. A client system will query a freeipa server in order to
get HBAC policies, sudo rules/commands, authorization for accounts to use certain
services, and user account/group information. The client system will authenticate the
user, whether for login or sudo/su, directly to Active Directory without going through the
freeipa server. Also, the freeipa servers will query AD for user account/group
information if it’s not already cached on the freeipa server. Is my understanding here
correct? If not, please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any depency on our
local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers
and Active Directory servers in AWS for the clients to use, correct? If that is the case,
is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify
for clients to use the IDM servers and AD that are in AWS first, before attempting to use
the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use
the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:06 a.m.
Hi there,
you have several options bounded to your security levels/standards. I think
someone with more knowledge would know a better idea for sure... but I
think you are going to need to authenticate somehow from AWS to your
campus(IPA&AD) directly opening and publishing the needed ports, or via a
couple VM's(1 AD + 1 IPA) in AWS only reachable by those systems you want
to authenticate. The second option sounds more secure.
Things to consider would be: new IP ranges+DNS syncing if you want an A,
PTR records matching and stuff and something like SSO which uses Kerberos,
which relies on correct DNS setup if you want to avoid a headache.
AFAIK, it's a setup still in research phase:
https://bugzilla.redhat.com/show_bug.cgi?id=1419524
regards,
El dom, 24 ene 2021 a las 20:52, Jones, Bob (rwj5d) via FreeIPA-users (<
freeipa-users(a)lists.fedorahosted.org>) escribió:
Just refreshing this to see if anyone maybe had some input.
Thanks!
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
> On Jan 21, 2021, at 8:08 AM, Jones, Bob (rwj5d) via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hello all,
>
> We currently have Red Hat IDM implemented on our campus local network.
It has a one-way trust with our Active Directory and all of our Linux
systems that live in our network use IDM for auth/authz. We are looking to
start deploying our linux images into AWS and want to use our Red Hat IDM
for auth control there as well and would like, if possible, to remove any
dependencies on our local network for systems that live in AWS in doing so.
>
> With that being said, I would like to verify my understanding of how
auth/authz works with IDM and Active Directory. A client system will query
a freeipa server in order to get HBAC policies, sudo rules/commands,
authorization for accounts to use certain services, and user account/group
information. The client system will authenticate the user, whether for
login or sudo/su, directly to Active Directory without going through the
freeipa server. Also, the freeipa servers will query AD for user
account/group information if it’s not already cached on the freeipa
server. Is my understanding here correct? If not, please enlighten me on
where my misunderstanding is.
>
> So, if my understanding as outlined above is correct, then to remove any
depency on our local network AD and FreeIPA/IDM for clients that live in
AWS, we would need IDM servers and Active Directory servers in AWS for the
clients to use, correct? If that is the case, is Azure Active Directory
(AAD) a usable option in this case? Is there a way to specify for clients
to use the IDM servers and AD that are in AWS first, before attempting to
use the ones on our local network? Is there a way to specify for
FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones
on our local network?
>
> I appreciate anyone who can verify or correct what I have above.
>
> Thanks,
> —
> Bob Jones
> Lead Linux Services Engineer
> ITS ECP - Linux Services
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1169
days inactive
1184
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Jones, Bob (rwj5d) -
Juan Pablo