Just refreshing this to see if anyone maybe had some input. Thanks!

—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
> On Jan 21, 2021, at 8:08 AM, Jones, Bob (rwj5d) via FreeIPA-users <[email protected]> wrote:
>
> Hello all,
>
> We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our Linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
>
> With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it’s not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
>
> So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify for clients to use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones on our local network?
>
> I appreciate anyone who can verify or correct what I have above.
>
> Thanks,
> —
> Bob Jones
> Lead Linux Services Engineer
> ITS ECP - Linux Services
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
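One way to express the server preference the quoted questions ask about, as an added example that is not part of Bob's post or of the FreeIPA project: an SSSD client configuration that lists the AWS-hosted IPA replicas and AD domain controllers first and the on-premises ones as backups. All hostnames, domain names and the AWS/on-prem split are constructed placeholders; the option names are the ones documented in sssd.conf(5) for the IPA provider and its trusted-domain subsections.

```ini
# /etc/sssd/sssd.conf on an AWS-hosted IPA client (constructed example;
# every hostname and domain name below is a placeholder)
[sssd]
domains = ipa.example.com
services = nss, pam, sudo, ssh

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa      # HBAC rules are fetched from and evaluated against IPA
sudo_provider = ipa
ipa_domain = ipa.example.com
ipa_hostname = client1.aws.ipa.example.com
# Explicit IPA replicas in AWS are tried in order before falling back to
# DNS SRV discovery (_srv_); on-prem replicas are used only as backups.
ipa_server = ipa-aws1.ipa.example.com, ipa-aws2.ipa.example.com, _srv_
ipa_backup_server = ipa-onprem1.ipa.example.com

# Trusted AD domain section: Kerberos authentication of AD users goes to
# these domain controllers directly, as the post describes; identity
# lookups for AD users still go through the IPA server.
[domain/ipa.example.com/ad.example.com]
ad_server = dc-aws1.ad.example.com, dc-aws2.ad.example.com
ad_backup_server = dc-onprem1.ad.example.com
# Alternatively, let the AD site topology steer DC selection:
# ad_site = AWS
```

The trusted-domain section steers only the client; which AD domain controllers the IPA servers themselves contact is a separate, server-side setting not covered here.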
