On 11/04/2012 02:23 PM, William Muriithi wrote: > Hi all, > > I am in the process of deploying freeIPA 2.2 to authenticate Linux > systems and have been able to setup everything nicely with separate > domain. I mean users are currently using separate password to access > Linux system and another set of password from AD for desktop stuff. On > Friday, I came across an article on freeIPA v 3 and noticed one can > use the same username & password for both Linux and Windows systems. > I have since felt this would be a better setup and but feel like the > documentation are not clear on how to achieve the above. > > Would anyone be able to clarify this: > > - Can I be able to synchronize the current AD user credentials with > FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0 ? > - If upgrading is necessary, is there an RPM that can run on RHEL 6.2 > ? I can only seem to find freeIPA v3 RPM for Fedora 17. Was hoping > to use a blessed RPM instead of rolling one which mean be incompatible > with the distribution RPM once it comes around > > Regards, > > William
In addition to other comments I want to step back and give a bit of a bigger picture. 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment. 2) There are two different approached to dealing with AD - sync or trust. You need to chose what approach you want to use. Down the road there might be some hybrid solutions but so far they are not supported. Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways. Trust: a) Trusts are targeting RHEL 6.4 b) There is no upgrade from Sync to Trust solution. If you want trusts you need to upgrade what you have to 6.4 (or start over) and implement trusts there and not do Sync. c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise the trusts would not work. This also means that if you have other UNIXes the trusts would not work there. If you have UNIX clients that need to be accessed by AD users you might explore some hybrid solutions that might work but we can't say for sure. For example the sync might actually work in parallel to trusts to some extent. There is also PAM pass through capability that comes with 6.4 as a tech preview. That would allow pass through LDAP auth for the non SSSD 1.9 clients. But this needs to be tried out and there might be dragons. > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
