Our IPA servers are in a one-way AD trust. Since all of our users are in
AD, I take advantage of the SSSD settings on the clients to hide the
@AD_REALM from their login names, and use AD_REALM as the default_realm.
This works nicely.
Solaris clients, however, do not have the convenience of SSSD. I
understand that the fully-qualified login names are required for systems
using the compat feature so that the IPA servers know to look up those users
in AD. Still, I was wondering if there is any way of doing something
similar on Solaris to hide the domain part if it is the default. I had
hoped that maybe an idview would do it, but it seems unlikely.
My use case on AWS involves ephemeral or auto-scaling servers that do
not live long enough to justify a formal IPA enroll/un-enroll process.
We have a great AD-integrated IPA system running at the moment and I've
been able to configure a light test client that trusts the IPA CA
certificate and will become an LDAPS client of the FreeIPA server.
This works great for local IPA users, but I'm trying to think this
through and I'm not sure whether I can use LDAP to authenticate an AD user.
Is this even possible?
This is my working sssd.conf for a test client that just uses LDAP --
works great for resolving users and groups that are local IPA users but
so far I can't resolve any of the AD resident users:
autofs_provider = ldap
cache_credentials = True
ldap_search_base = cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ipa001.ipa.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/
default_shell = /bin/bash
override_shell = /bin/bash
Is there any method using ldap_search_base or an override of the Default
Trust View that would allow me to deploy a client that only talks LDAP
to FreeIPA but is able to resolve and authenticate AD users? I'm
wondering if this is even possible or if I'm looking at a lost cause.
When I deploy the freeipa-client to hosts behind a haproxy, most of the
hostnames get changed to the rDNS entry of the haproxy. The
freeipa-clients get enrolled with this name. I know I can set --hostname,
but how do I do this with ansible-freeipa?
Thanks in advance & best regards
I'm aware that we can make overrides on AD users with the Default Trust View object on IPA. I've created another one for specific users named "Clients Trust" and added three user accounts there. I made the overrides that I want, and when I checked with getent on a Linux client, the overrides didn't work.
On the new ID view, there are these Host options, so I checked two hosts that I'm interested in, and it still didn't override.
As a last resort I've reset the sssd cache with sss_cache -E, but no success either.
So the question is: is it supported to override AD users in a trust view other than the Default Trust View? If yes, how can I debug why the override isn't working?
Thank you all.
On an ipa-client, our customer wants to implement login to a
custom made service using the poco c++ library. There's something
about ldap authenticators on this page:
The customer already had this implemented with a non-IPA LDAP
setup, but we don't have access to the source code.
1) Is there any experience implementing ldap based authentication
in an ipa ecosystem using poco? Examples, instructions, anything?
2) Is there some code example or even example program for ldap
authentication without poco, in any language ( But C/C++
Dominik ^_^ ^_^
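A minimal search-then-bind authenticator against the IPA compat tree, added here as an example for the LDAP-only client question above and for this request for LDAP authentication code; it is not code from either poster, from FreeIPA or from Poco. It assumes trusted AD users are published by the compat plugin under cn=users,cn=compat; the suffix, server URI, CA path and the in-memory sample directory are assumptions constructed for illustration.

```python
import ssl

COMPAT_BASE = "cn=users,cn=compat,dc=ipa,dc=example,dc=com"  # IPA suffix assumed

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a login like 'bob)(uid=*' cannot widen the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(c, c) for c in value)

def user_filter(login: str) -> str:
    # Trusted AD users appear in the compat tree under their fully qualified
    # name (uid=bob@ad.example.com), so the login is matched exactly as given.
    return f"(&(objectClass=posixAccount)(uid={escape_filter(login)}))"

def authenticate(connect, login: str, password: str) -> bool:
    """Search-then-bind. connect(bind_dn, password) returns an object with
    bind() -> bool and search(base, filter) -> list of matching DNs."""
    if not login or not password:
        # An empty password is an unauthenticated (anonymous) bind, which most
        # LDAP servers accept; it must never count as a successful login.
        return False
    dns = connect(None, None).search(COMPAT_BASE, user_filter(login))
    if len(dns) != 1:  # 0 = unknown user, >1 = ambiguous; reject both
        return False
    return bool(connect(dns[0], password).bind())

class Ldap3Conn:
    """ldap3 (assumed installed) STARTTLS connector; URI and CA path are assumptions."""
    def __init__(self, bind_dn, password, uri="ldap://ipa001.ipa.example.com"):
        import ldap3  # imported lazily so the rest of the module runs offline
        tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file="/etc/ipa/ca.crt")
        self.c = ldap3.Connection(ldap3.Server(uri, tls=tls), bind_dn, password)
        self.c.open(); self.c.start_tls()  # never send a bind in the clear
    def bind(self):
        return self.c.bind()
    def search(self, base, filt):
        self.c.bind()  # anonymous bind, since no user was given for lookups
        self.c.search(base, filt, attributes=["uid"])
        return [e.entry_dn for e in self.c.entries]

class FakeDirectory:
    """Constructed in-memory stand-in for the server so the flow runs offline."""
    USERS = {"uid=bob@ad.example.com," + COMPAT_BASE: "hunter2"}
    def __init__(self, bind_dn, password):
        self.dn, self.pw = bind_dn, password
    def bind(self):
        return self.dn in self.USERS and self.USERS[self.dn] == self.pw
    def search(self, base, filt):
        uid = filt.split("(uid=")[1][:-2]  # naive parse, enough for the stand-in
        return [dn for dn in self.USERS if dn.startswith(f"uid={uid},")]
```

Replace FakeDirectory with Ldap3Conn in the `authenticate` call to run against a real server; the anonymous lookup can be swapped for a dedicated read-only bind DN if anonymous reads are disabled on the IPA directory.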
Several months ago we set up two IPA servers for a separate department.
We also set up a trust to AD. Then the project went on hold. Today I was
told that they want to continue using IPA.
The IPA servers are using CentOS 7.x. Regarding the trust setup, would
it work to add two OL 8.1 servers and remove the old CentOS servers
afterwards? Or is there a better way to do that?
I have an IPA setup, in trust with Active Directory.
I noticed a strange behaviour in HBAC.
I have a group ("extgroup"), defined as external, containing an Active
Directory user ("user(a)ad.dom.ain").
I defined a HBAC rule ("allow_AD_ssh") to permit ssh to a host to users
belonging to "extgroup", but the HBAC test (performed with
"user(a)ad.dom.ain") fails. I'm sure the cause is the "Who" section of the
HBAC rule (if I leave "Anyone" it works). So the HBAC is defined as:
WHO: User group "extgroup"
ACCESSING: host I want to give access to
I was pretty sure it was an incompatibility of HBAC rules with external users.
But if I define a standard (POSIX) group (let's say "intgroup"), make
"extgroup" a member of "intgroup" and use "intgroup" in the definition of
the (section "who" of) HBAC rule, it works like a charm.
Why is direct use of an external group not working? Is it a bug? Or is
there a reason I cannot see?