On Fri, 18 Dec 2009 12:31:44 -0500 Dan Scott <[email protected]> wrote:
> So clients in A.EXAMPLE.COM should be able to authenticate to
> C.B.EXAMPLE.COM, but not the other way around (this is how I would
> like it set up).
>
> However, this does not appear to work. I assume that I need to add
> some entries to the LDAP server as well? Does anyone know if this is
> true and if so, how I should go about it?

There are 2 things to consider when cross-realm trusts are involved.

1. Certainly a correct setup so that clients can successfully perform
authentication. See Nalin's remarks on that.

2. The second is that in order to log in on a system you need not only a
successful authentication but an actual user (with uid, gid, home, shell
info) the system can associate to your successful authentication. Unless
you are interested only in something like HTTP auth, which can work w/o
real system users.

This second part requires a way to provide the other realm's users to your
system. At the moment we do not have any automated mechanism in FreeIPA
itself or in the client to provide that. We will work on these features
next year.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
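The two requirements above (Kerberos authentication succeeding, and the host then finding a real account for the principal) can be seen in isolation with a small script. The following is an added example, not code from this thread or from FreeIPA: it implements a simplified version of krb5's `auth_to_local` RULE/DEFAULT processing to turn a principal from the trusted realm A.EXAMPLE.COM into a local user name on a host in C.B.EXAMPLE.COM, then asks the passwd database whether that user exists. The realm names are the ones from the thread; the rules, the user names and the `CONSTRUCTED_PASSWD` table are constructed for the example (on a real host the lookup goes through NSS, which is what `system_lookup` does), and the RULE parser is a simplification (anchored selector, no escaped slashes in the sed part).

```python
import pwd
import re
from typing import Optional, Tuple

# Constructed for this example: the local realm and auth_to_local rules that
# on a real host come from krb5.conf ([libdefaults] default_realm and the
# [realms] entry for C.B.EXAMPLE.COM).
LOCAL_REALM = "C.B.EXAMPLE.COM"
AUTH_TO_LOCAL_RULES = [
    # Single-component principals of the trusted realm A.EXAMPLE.COM keep
    # their first component as the local user name.
    r"RULE:[1:$1@$0](^.*@A\.EXAMPLE\.COM$)s/@A\.EXAMPLE\.COM$//",
    # DEFAULT maps only single-component principals of the local realm.
    "DEFAULT",
]

# Constructed stand-in for what NSS (sssd, nss_ldap, files) would return:
# name -> (uid, gid, home, shell).  Only these accounts "exist" on the host.
CONSTRUCTED_PASSWD = {
    "dscott": (1000, 1000, "/home/dscott", "/bin/bash"),
    "simo": (1001, 1001, "/home/simo", "/bin/bash"),
}

# Simplified RULE grammar: [n:format](selector)s/pattern/replacement/[g]
# (slashes inside pattern or replacement are not supported here).
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")


def split_principal(principal: str) -> Tuple[list, str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name one auth_to_local rule yields, or None."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        if realm == LOCAL_REALM and len(components) == 1:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    ncomp, fmt, selector, pattern, replacement, gflag = m.groups()
    if len(components) != int(ncomp):
        return None
    # Build the string to test: $0 is the realm, $1..$n the components.
    formatted = fmt
    for i in range(len(components), 0, -1):
        formatted = formatted.replace(f"${i}", components[i - 1])
    formatted = formatted.replace("$0", realm)
    # Selector treated as an anchored match (simplification of krb5).
    if re.fullmatch(selector, formatted) is None:
        return None
    return re.sub(pattern, replacement, formatted, count=0 if gflag else 1)


def map_principal(principal: str, rules=AUTH_TO_LOCAL_RULES) -> Optional[str]:
    """First matching rule wins, as in krb5's auth_to_local processing."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


def system_lookup(name: str) -> Optional[tuple]:
    """Real NSS lookup on the host running this script."""
    try:
        p = pwd.getpwnam(name)
    except KeyError:
        return None
    return (p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell)


def authorize_login(principal: str, lookup=system_lookup) -> Tuple[str, Optional[str]]:
    """Decide whether an already-authenticated principal can log in.

    ("unmapped", None)   no auth_to_local rule maps the principal
    ("no-account", name) mapped, but the passwd database has no such user
    ("ok", name)         mapped and a passwd entry exists
    Authentication (requirement 1) has already succeeded by the time this
    runs; requirement 2 from the thread decides the outcome.
    """
    local = map_principal(principal)
    if local is None:
        return ("unmapped", None)
    if lookup(local) is None:
        return ("no-account", local)
    return ("ok", local)


if __name__ == "__main__":
    for p in ("dscott@A.EXAMPLE.COM", "nalin@A.EXAMPLE.COM",
              "simo@C.B.EXAMPLE.COM", "eve@B.EXAMPLE.COM",
              "host/c1@C.B.EXAMPLE.COM"):
        print(f"{p:28} -> {authorize_login(p, CONSTRUCTED_PASSWD.get)}")
```

Run as-is, the script uses the constructed table, so `nalin@A.EXAMPLE.COM` maps cleanly to `nalin` and is still refused with `no-account`: that is exactly the case the reply describes, a valid cross-realm ticket for which the host has no uid/gid/home/shell. Passing `system_lookup` instead of `CONSTRUCTED_PASSWD.get` asks the real NSS stack, which is where an LDAP entry for the other realm's users (or a provisioning mechanism like the one the reply says FreeIPA lacked at the time) would have to show up.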
