On Tue, 30 May 2023, Chris Cowan via FreeIPA-users wrote:
> I work for a large corporation where we would like to switch from OpenLDAP
> (with Krb5) to RedHat IdM. I'll call it xyz.com.
>
> The IAM system we are refactoring was set up more than a decade ago, and
> based on OpenLDAP. We had a primary or master server in one location,
> with multiple RO replicas, geographically distributed. The user and
> group spaces were flat, from an LDAP OU and Kerberos 5 perspective.
> There was only a single realm. DNS was not used for Kerberos, with
> krb5.conf files managed so clients are pushed to the closest KDC.
>
> After the system was running, the CIO implemented a corporate SSO using
> an Enterprise Directory (which is also OpenLDAP or some other 389
> descendant). There are isolated pockets of AD, and nothing in the TLD.
> So, AD is not really used at the Enterprise level.
>
> I'm exploring the replication options using the following assumptions.
> - Not using AD, only OpenLDAP, RHDS, or some 389 variant.
> - There will be a minimum of 3 but eventually 7 locations with an IdM server deployed.
>   Each location uses a unique subdomain under xyz.com.
> - We allocate uids and gids starting at 100K. We still want it to be flat.
> - We would like to use a Pass Through Agent (PTA) to our Enterprise Directory, for this
>   block of users, if possible, for the LDAP binding.
> - We would like to have a single Kerberos realm for all of these locations.
> - There is no expectation that the LDAP and Kerberos passwords will be synced.
>
> I've seen some conversations in the mailing list archives, but nothing
> recent. Hopefully, someone can give me some pointers or websites
> which discuss replication/deployment scenarios.
I don't think FreeIPA is a good fit for these requirements. I'll list a few
points below separately.

FreeIPA by design keeps the Kerberos and LDAP passwords the same
for the same user account.
FreeIPA does not provide separate facilities to authenticate to
different sources through different protocols because it is
intentionally made to have Kerberos as the primary authentication
protocol:
- LDAP authentication can be done using simple bind or GSSAPI but
simple bind will only work for password-based authentication.
- no PTA is supported. In some previous versions PTA worked by chance
  but was never tested or intended. See
  https://freeipa.readthedocs.io/en/latest/designs/ldap_pam_passthrough.html
  for details.
For planning purposes, I would recommend looking at the RHEL IdM
documentation at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8.
Check the 'Identity Management' checkbox on the left side to filter out
everything else. There is a 'Planning Identity Management' guide, for
example, along with the others.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland