On 08/15/2012 09:12 AM, Ondrej Valousek wrote:
Hi all,

I will be doing a short presentation in our company about IPA & sssd & Active Directory. The aim is to motivate headquarters to replace our existing commercial (Centrify) solution with SSSD.
The presentation is available at:


should you like to see it.

Comments are welcome :-)

1) IPA is based on the 389 LDAP server not OpenLDAP
2) SSSD does not provide a front end to Samba/Winbind; it just has similar functionality. In future we might reuse more of the Samba libraries. Currently we use some Samba libraries in SSSD, but more as building blocks for the solution than as the back end that connects to AD.
3) There is a project called realmd; this project would perform the AD join of SSSD in the Linux environment. It will replace the need for your sss_adjoin script.
4) Can you please elaborate a bit on the tools? Which tools Centrify has that would be useful for SSSD to have? Can you file tickets with those?
5) In addition to direct automounter support in SSSD there is also direct sudo support, management of the SSH keys and SELinux user mapping integration coming at the same time.
6) I do not think you emphasize the value of IPA. If you are AD centric then joining systems directly to AD makes sense, but if you want to manage your Linux environment independently then FreeIPA comes into play as a management server for Linux systems. This brings up the question of the AD users. If you want to use a central server to manage Linux systems but have users come from AD, there are three options that you can explore:
* Sync users from AD to IPA. This is the currently supported and recommended solution, though it has some complications because all user passwords need to be reset once for password sync to happen.
* Use a "split brain" configuration where the Linux systems are joined to IPA and are controlled by IPA, but user authentication is pointed directly to AD. This is a possible but not recommended configuration, as we would not be able to support upgrades from it, so an upgrade might break things and things would have to be reconfigured manually. This can be mitigated by testing upgrades first, but it is still not a preferred solution.
* Trust based solution. AD users stay in AD. Systems are joined into IPA. There is a trust established between IPA and AD. The users from AD would then be able to access systems and services in the IPA domain without any synchronization. This is the recommended solution and it is coming soon (upstream bits are in beta now and will be released this fall). The only catch is that both clients (SSSD) and server (IPA) need to support trust capabilities, which means the latest version of the OS will be required on both sides.

_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
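As an added illustration of the "split brain" option described in the reply above (this is not from Ondrej's slides or from Dmitri's mail, and it is not an SSSD-project sample), a minimal sssd.conf for one client: identity (users, groups, HBAC, sudo) comes from the IPA server the host is joined to, while password authentication is sent to an AD domain controller's Kerberos KDC. All host names and realm names are placeholders, and the file assumes the users already exist in IPA (for example via AD-to-IPA sync) under the same login names as in AD, since the krb5 provider builds the principal from the local user name and the configured realm.

```ini
; Added example, not the project's own config. Placeholders:
;   ipa.example.com / ipa1.ipa.example.com  - hypothetical IPA domain and server
;   AD.EXAMPLE.COM  / dc1.ad.example.com    - hypothetical AD realm and DC
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.com

[domain/ipa.example.com]
; Identity and access control stay with IPA (the host is IPA-joined).
id_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa1.ipa.example.com
ipa_hostname = client1.ipa.example.com

; Authentication is pointed at AD instead of the IPA KDC: this is the
; "split brain" part, and the reason upgrades cannot be supported from it.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = AD.EXAMPLE.COM
krb5_server = dc1.ad.example.com
cache_credentials = true
```

The two things to check after putting such a file in place are that the user's IPA entry and AD principal share the same login name (otherwise the krb5 provider asks AD for a principal that does not exist), and that the host's clock is within Kerberos skew of the AD DC, since the IPA join only synchronizes it against the IPA server. Both are the kind of manual reconfiguration the reply warns about, which is why the trust-based option, once available, is the one to plan for.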