I work for a large corporation where we would like to switch from OpenLDAP (with Krb5) to Red Hat IdM. I'll call it xyz.com.
The IAM system we are refactoring was set up more than a decade ago, and is based on OpenLDAP. We had a primary or master server in one location, with multiple RO replicas, geographically distributed. The user and group spaces were flat, from an LDAP OU and Kerberos 5 perspective. There was only a single realm. DNS was not used for Kerberos, with krb5.conf files managed so clients are pushed to the closest KDC.
After the system was running, the CIO implemented a corporate SSO using an Enterprise Directory (which is also OpenLDAP or some other 389 descendant). There are isolated pockets of AD, and nothing in the TLD. So, AD is not really used at the Enterprise level.
I'm exploring the replication options using the following assumptions.
- Not using AD, only OpenLDAP, RHDS, or some 389 variant.
- There will be a minimum of 3 but eventually 7 locations with an IdM server deployed. Each location uses a unique subdomain under xyz.com.
- We allocate uids and gids starting at 100K. We still want it to be flat.
- We would like to use a Pass Through Agent (PTA) to our Enterprise Directory, for this block of users, if possible, for the LDAP binding.
- We would like to have a single Kerberos realm for all of these locations.
- There is no expectation that the LDAP and Kerberos passwords will be synced.
I've seen some conversations in the mailing list archives, but nothing recent. Hopefully, someone can give me some pointers or websites which discuss replication/deployment scenarios.
-- Chris
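The original post describes hand-managed krb5.conf files that keep every site in one realm while pushing each client to its closest KDC, with DNS discovery switched off. The script below is an added example, not code from the thread or from FreeIPA, that checks a per-site krb5.conf against exactly those design rules: a single realm, dns_lookup_kdc disabled, the local site's KDC listed first, and every location subdomain mapped to the realm in [domain_realm]. The realm XYZ.COM, the site names, the ipa1.* hostnames and the function names are constructed for the example.

```python
"""Sanity-check a hand-managed krb5.conf for a single-realm, multi-site setup.

Added example, not code from the original thread. It models the design Chris
describes: one Kerberos realm, several location subdomains under xyz.com, DNS
not used for KDC discovery, and per-site krb5.conf files that list the local
KDC first. Realm, site names and KDC hostnames are constructed for the demo.
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | {nested}}}.

    Handles the two shapes that matter here: flat 'key = value' lines
    (repeated keys accumulate, e.g. several 'kdc =' entries) and one level
    of 'NAME = { ... }' blocks as used in [realms].
    """
    conf = {}
    section = None
    block = None  # dict of the current 'NAME = { ... }' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {raw!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return conf


def check_site_config(text, realm, sites, local_site):
    """Return a list of findings; an empty list means the file matches the design.

    realm      - the single Kerberos realm, e.g. 'XYZ.COM'
    sites      - every location subdomain, e.g. ['site-a.xyz.com', ...]
    local_site - the subdomain of the hosts this krb5.conf is deployed to
    """
    conf = parse_krb5_conf(text)
    findings = []
    libdefaults = conf.get("libdefaults", {})

    # Single realm: default_realm must be the one realm and [realms] must
    # not define any other.
    if libdefaults.get("default_realm", [None])[-1] != realm:
        findings.append(f"default_realm is not {realm}")
    realms = conf.get("realms", {})
    extra = sorted(set(realms) - {realm})
    if extra:
        findings.append(f"unexpected realms defined: {extra}")

    # DNS is not used for KDC discovery, so the file must say so explicitly
    # and carry the KDC list itself.
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower()
    if dns_kdc not in ("false", "0", "no"):
        findings.append("dns_lookup_kdc is not disabled")
    kdcs = realms.get(realm, {}).get("kdc", [])
    if not kdcs:
        findings.append(f"no kdc entries for {realm}")
    # "Pushed to the closest KDC": the first kdc listed must be in the local site.
    elif not kdcs[0].endswith("." + local_site):
        findings.append(f"first kdc {kdcs[0]} is not in local site {local_site}")

    # Every location subdomain must map to the realm, in both the bare and the
    # '.domain' wildcard form, so hosts in all sites land in the one realm.
    domain_realm = conf.get("domain_realm", {})
    for site in sites:
        for name in (site, "." + site):
            if domain_realm.get(name, [None])[-1] != realm:
                findings.append(f"domain_realm lacks {name} = {realm}")
    return findings


# Constructed sample: the krb5.conf as it would be deployed in site-a.
SITE_A_CONF = """\
[libdefaults]
    default_realm = XYZ.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    XYZ.COM = {
        kdc = ipa1.site-a.xyz.com
        kdc = ipa1.site-b.xyz.com
        kdc = ipa1.site-c.xyz.com
        admin_server = ipa1.site-a.xyz.com
    }

[domain_realm]
    xyz.com = XYZ.COM
    .xyz.com = XYZ.COM
    site-a.xyz.com = XYZ.COM
    .site-a.xyz.com = XYZ.COM
    site-b.xyz.com = XYZ.COM
    .site-b.xyz.com = XYZ.COM
    site-c.xyz.com = XYZ.COM
    .site-c.xyz.com = XYZ.COM
"""

SITES = ["site-a.xyz.com", "site-b.xyz.com", "site-c.xyz.com"]

if __name__ == "__main__":
    print(check_site_config(SITE_A_CONF, "XYZ.COM", SITES, "site-a.xyz.com"))
    # The same file copied unchanged to site-b would push site-b clients to
    # site-a's KDC first; the check reports that.
    print(check_site_config(SITE_A_CONF, "XYZ.COM", SITES, "site-b.xyz.com"))
```

The check deliberately requires dns_lookup_kdc to be set to false rather than merely absent, since a file that omits it falls back to the library default and the "DNS not used" assumption is then only true by accident.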
On Tue, 30 May 2023, Chris Cowan via FreeIPA-users wrote:
> I work for a large corporation where we would like to switch from OpenLDAP (with Krb5) to Red Hat IdM. I'll call it xyz.com.
> The IAM system we are refactoring was set up more than a decade ago, and is based on OpenLDAP. We had a primary or master server in one location, with multiple RO replicas, geographically distributed. The user and group spaces were flat, from an LDAP OU and Kerberos 5 perspective. There was only a single realm. DNS was not used for Kerberos, with krb5.conf files managed so clients are pushed to the closest KDC.
> After the system was running, the CIO implemented a corporate SSO using an Enterprise Directory (which is also OpenLDAP or some other 389 descendant). There are isolated pockets of AD, and nothing in the TLD. So, AD is not really used at the Enterprise level.
> I'm exploring the replication options using the following assumptions.
> - Not using AD, only OpenLDAP, RHDS, or some 389 variant.
> - There will be a minimum of 3 but eventually 7 locations with an IdM server deployed. Each location uses a unique subdomain under xyz.com.
> - We allocate uids and gids starting at 100K. We still want it to be flat.
> - We would like to use a Pass Through Agent (PTA) to our Enterprise Directory, for this block of users, if possible, for the LDAP binding.
> - We would like to have a single Kerberos realm for all of these locations.
> - There is no expectation that the LDAP and Kerberos passwords will be synced.
> I've seen some conversations in the mailing list archives, but nothing recent. Hopefully, someone can give me some pointers or websites which discuss replication/deployment scenarios.
I don't think FreeIPA is a good fit for these requirements. I'll list a few points below separately.
FreeIPA, by design, keeps the Kerberos and LDAP passwords the same for the same user account.
FreeIPA does not provide separate facilities to authenticate to different sources through different protocols, because it is intentionally made to have Kerberos as the primary authentication protocol:
- LDAP authentication can be done using simple bind or GSSAPI, but simple bind will only work for password-based authentication.
- No PTA is supported. In some previous versions PTA worked by chance, but it was never tested or intended. See https://freeipa.readthedocs.io/en/latest/designs/ldap_pam_passthrough.html for details.
For planning purposes, I would recommend looking at the RHEL IdM documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8. Check the 'Identity Management' checkbox on the left side to filter out everything else. There is a 'Planning Identity Management' guide, for example, along with the others.
freeipa-users@lists.fedorahosted.org