Hi Alexander,

On Thu, 7 Apr 2022 at 09:30, Alexander Bokovoy <[email protected]> wrote:

> On to, 07 huhti 2022, Mike Mercier wrote:
> > Hi,
> >
> > The following Microsoft document
> >
> > https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-ldap
> >
> > states it is possible (with a warning) to use Azure AD Connect to
> > synchronize with LDAP. I figured since FreeIPA was using 389ds in the
> > background it might be possible.
>
> Well, I am not sure what it is going to give you in terms of usability of
> this solution. Nobody on my team ever tested it, so it is definitely not
> supported in the RHEL IdM case.
>
> This link describes Microsoft's instructions:
>
> https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap
>
> I'd note, though, that in case you'd try to follow their instructions,
> you would need to enable unhashed passwords to be stored in the
> changelog. See the nsslapd-unhashed-pw-switch option in the RHDS documentation.
>
> As far as I understand, this would give you the ability to use IPA accounts
> in the Azure AD IdP, right? E.g. keep users in IPA, let them log in to Azure
> AD protected applications?

What I was specifically hoping for was the following:

1. Store all user accounts/groups in Azure AD
2. Have the Azure AD information synchronized with FreeIPA
3. Have the ability to use the synchronized information with FreeIPA
   a. As an example, delegate a user to manage a specific part of the DNS hierarchy

But with your comment below, this doesn't sound possible?

> This, however, wouldn't give you the ability to log in to IPA-enrolled
> systems by authenticating against Azure AD.
>
> > Thank you for the information.
> >
> > Mike
> >
> > On Thu, 7 Apr 2022 at 08:45, Alexander Bokovoy <[email protected]> wrote:
> >
> > > On to, 07 huhti 2022, Mike Mercier via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > I was wondering if anyone has tried to synchronize FreeIPA to Azure AD
> > > > using the 'Azure AD Connect' tool?
> > > >
> > > > https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
> > >
> > > This is not supported.
> > >
> > > > I know the capability to sync with Active Directory is there, but I *do
> > > > not* want to configure a Microsoft AD environment.
> > >
> > > Azure AD Connect only works with an on-premise AD environment, so you are
> > > confusing yourself. ;)
> > >
> > > In short, this tool is irrelevant for FreeIPA as it is built for AD, not
> > > IPA.
> > >
> > > --
> > > / Alexander Bokovoy
> > > Sr. Principal Software Engineer
> > > Security / Identity Management Engineering
> > > Red Hat Limited, Finland
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

Thanks,
Mike
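The caveat raised in the thread, that Microsoft's generic LDAP connector needs unhashed passwords retained in the 389-ds changelog via nsslapd-unhashed-pw-switch, is worth auditing on any IPA or RHDS server regardless of whether the sync is ever attempted. The following script is an added example, not code from the thread or from the FreeIPA project: it parses the LDIF that `ldapsearch -LLL -b cn=config nsslapd-unhashed-pw-switch` prints (handling folded and base64 `::` values), reports how the switch is set, and emits the LDIF modify that turns it off. The function names, the `SAMPLE_LDIF_*` inputs, and the verdict wording are the example's own; the attribute values `on`, `off` and `nolog` are the ones 389-ds accepts for this setting.

```python
"""Audit whether a 389-ds / FreeIPA directory keeps unhashed passwords in its
changelog (the nsslapd-unhashed-pw-switch setting discussed in the thread).

Added example, not from the thread or the FreeIPA project. The LDIF samples
below are constructed so the script runs offline; fetch_config_ldif() shows
how the same text would be obtained from a live server.
"""
import base64
import re
import subprocess

ATTRIBUTE = "nsslapd-unhashed-pw-switch"

# Verdict per known value of the switch (wording is this example's own):
#   off   - cleartext password is never retained
#   nolog - kept in the entry's in-memory copy but not written to the changelog
#   on    - written to the changelog (what a generic LDAP connector relies on)
VERDICTS = {
    "off": "ok: unhashed passwords are not retained",
    "nolog": "caution: unhashed password kept in the entry but not logged",
    "on": "risk: unhashed passwords are written to the changelog",
}


def unfold_ldif(ldif_text: str) -> list:
    """Join LDIF continuation lines (a line starting with one space continues
    the previous line), drop comments, keep blank lines as entry separators."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_ldif_entries(ldif_text: str) -> list:
    """Parse LDIF into a list of dicts: lowercased attribute -> list of values.
    Base64 values (`attr:: ...`) are decoded to text."""
    entries, current = [], {}
    for line in unfold_ldif(ldif_text) + [""]:
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue  # tolerate lines this minimal parser does not model
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def audit_unhashed_pw_switch(ldif_text: str) -> tuple:
    """Return (value, verdict) for the cn=config entry. value is None when the
    attribute is absent (the server's documented default then applies)."""
    for entry in parse_ldif_entries(ldif_text):
        if "cn=config" in [d.lower() for d in entry.get("dn", [])]:
            values = entry.get(ATTRIBUTE, [])
            if not values:
                return None, "absent: not set explicitly, check the server default"
            value = values[0].strip().lower()
            return value, VERDICTS.get(value, f"unknown value {value!r}")
    return None, "cn=config entry not found in output"


def remediation_ldif() -> str:
    """LDIF modify that switches the setting off (apply with ldapmodify)."""
    return f"dn: cn=config\nchangetype: modify\nreplace: {ATTRIBUTE}\n{ATTRIBUTE}: off\n"


def fetch_config_ldif(uri="ldap://localhost", bind_dn="cn=Directory Manager") -> str:
    """Query a live server; -W prompts for the password so it stays off argv."""
    cmd = ["ldapsearch", "-LLL", "-H", uri, "-D", bind_dn, "-W",
           "-b", "cn=config", "-s", "base", "(objectClass=*)", ATTRIBUTE]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample output: a server configured for the connector (switch on),
# with a folded line and a base64 value to exercise the parser.
SAMPLE_LDIF_ON = """\
# constructed sample, not captured from a real server
dn: cn=config
cn: config
description: constructed cn=config entry, folded across
  two LDIF lines
nsslapd-unhashed-pw-switch: on

dn: cn=changelog5,cn=config
cn: changelog5
description:: Y29uc3RydWN0ZWQgc2FtcGxlIGVudHJ5
"""

# Constructed sample output: switch off.
SAMPLE_LDIF_OFF = "dn: cn=config\ncn: config\nnsslapd-unhashed-pw-switch: off\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LDIF_ON, SAMPLE_LDIF_OFF):
        value, verdict = audit_unhashed_pw_switch(sample)
        print(f"{ATTRIBUTE}={value}: {verdict}")
    print(remediation_ldif())
```

Against a real server, pipe `fetch_config_ldif()` into `audit_unhashed_pw_switch()`; a verdict of "risk" means every password change is being recorded in cleartext in the replication changelog, which is exactly the trade-off the thread points out for the generic LDAP connector.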
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
