Hello all,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our Linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it’s not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify for clients to use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
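As an added illustration of the "prefer the AWS servers first" part of the question (this is not the poster's configuration, and all hostnames, domain names and the site name are assumed), an SSSD client configuration on an IPA-enrolled host in AWS can list the in-region IPA replicas ahead of DNS SRV discovery, and the trusted-domain subsection can pin the AD side to in-region domain controllers:

```ini
# /etc/sssd/sssd.conf on an IPA client running in AWS (assumed names)
[sssd]
domains = ipa.example.com
services = nss, pam, sudo, ssh

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa     # HBAC rules are evaluated via the IPA server
sudo_provider = ipa       # sudo rules are fetched from the IPA server
ipa_domain = ipa.example.com
ipa_hostname = web01.aws.ipa.example.com
# Ordered preference: in-region replicas first, then fall back to
# whatever DNS SRV records return (which may be the on-campus servers).
ipa_server = ipa-aws1.ipa.example.com, ipa-aws2.ipa.example.com, _srv_
# Do not let a slow/unreachable campus replica block logins forever.
dns_resolver_timeout = 5
krb5_auth_timeout = 15
# Keep credentials and identity data usable if the WAN link is down.
cache_credentials = True
krb5_store_password_if_offline = True

# Trusted AD domain subsection: the client contacts AD directly for user
# authentication (Kerberos), so steer it to in-region DCs / an AD site
# instead of relying purely on AD DNS site discovery.
[domain/ipa.example.com/ad.example.com]
ad_server = dc-aws1.ad.example.com, dc-aws2.ad.example.com
ad_backup_server = dc-campus1.ad.example.com
ad_site = AWS-Site
```

On the IPA server side the same intent is usually expressed with DNS locations (`ipa location-add aws`, then `ipa server-mod ipa-aws1.ipa.example.com --location=aws`) so that IPA-integrated DNS answers SRV queries with location-local replicas first; that only helps if the AWS clients resolve through the AWS-hosted IPA DNS servers.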