Hi Alexander,

On Thu, 7 Apr 2022 at 09:30, Alexander Bokovoy <abokovoy@redhat.com> wrote:
> On Thu, 07 Apr 2022, Mike Mercier wrote:
> >Hi,
> >
> >The following microsoft document
> >
> >https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-ldap
> >
> >states it is possible (with a warning) to use Azure AD Connect to
> >synchronize with LDAP.  I figured since FreeIPA was using 389ds in the
> >background it might be possible.
>
> Well, I am not sure what it is going to give you in terms of the usability of
> this solution. Nobody on my team ever tested it so it is definitely not
> supported in the RHEL IdM case.
>
> This link describes Microsoft instructions:
> https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap
>
> I'd note, though, that in case you'd try to follow their instructions,
> you would need to enable unhashed passwords to be stored in the
> changelog. See the nsslapd-unhashed-pw-switch option in RHDS documentation.
>
> As far as I understand, this would give you the ability to use IPA accounts
> in Azure AD IdP, right? E.g. keep users in IPA, let them log in to Azure
> AD protected applications?

What I was specifically hoping for was the following:
1.  Store all user accounts/groups in Azure AD
2.  Have the Azure AD information synchronized with FreeIPA
3.  Have the ability to use the synchronized information with FreeIPA
  a. As an example, delegate a user to manage a specific part of the DNS hierarchy

But with your comment below, this doesn't sound possible?


> This, however, wouldn't give you the ability to log in to IPA-enrolled
> systems by authenticating against Azure AD.


> >
> >Thank you for the information.
> >
> >Mike
> >
> >
> >On Thu, 7 Apr 2022 at 08:45, Alexander Bokovoy <abokovoy@redhat.com> wrote:
> >
> >> On Thu, 07 Apr 2022, Mike Mercier via FreeIPA-users wrote:
> >> >Hello,
> >> >
> >> >I was wondering if anyone has tried to synchronize FreeIPA to Azure AD
> >> >using the 'Azure AD Connect' tool?
> >> >
> >> >
> >> >https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
> >>
> >> This is not supported.
> >>
> >> >I know the capability to sync with Active Directory is there, but I *do
> >> >not* want to configure a Microsoft AD environment.
> >>
> >> Azure AD Connect only works with an on-premises AD environment, so you are
> >> confusing yourself. ;)
> >>
> >> In short, this tool is irrelevant for FreeIPA as it is built for AD, not
> >> IPA.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


Thanks,
Mike
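[Editor's note, added to this thread: the nsslapd-unhashed-pw-switch caveat Alexander raises is the security-relevant point here. A changelog-driven password sync of the kind the MIM generic LDAP connector instructions describe only works if 389-ds keeps the clear-text password and writes it into the replication changelog, and that changelog (and every backup of it) then contains user passwords. The script below is an added example, not code from FreeIPA, 389-ds, Red Hat or Microsoft: it parses an LDIF dump of the cn=config entry and reports what the current value of the switch means. The meanings of the three values (on, nolog, off) are taken from the 389-ds configuration reference and are stated as an assumption in the code; the sample LDIF is constructed for the example.]

```python
"""Audit helper for the 389-ds / RHDS nsslapd-unhashed-pw-switch setting.

Added example for this thread; not code from FreeIPA, 389-ds, Red Hat or
Microsoft.  Input is an LDIF dump of the cn=config entry, e.g. from
  ldapsearch -D "cn=Directory Manager" -W -b cn=config -s base \
      nsslapd-unhashed-pw-switch
and the report says whether clear-text passwords would reach the
replication changelog, which is what a changelog-based password sync
(such as the MIM generic LDAP connector setup) would read.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Meaning of the three documented values (assumption: taken from the
# 389-ds configuration reference, not verified against a live server):
#   on    - clear-text password kept in the entry extension AND written
#           to the changelog
#   nolog - kept in the entry extension (winsync needs it) but NOT
#           written to the changelog
#   off   - clear-text password never retained
_SWITCH_SEMANTICS = {
    "on": (True, True),
    "nolog": (True, False),
    "off": (False, False),
}


@dataclass
class UnhashedPwReport:
    value: Optional[str]                 # raw attribute value, None if absent
    kept_in_entry: Optional[bool]
    logged_to_changelog: Optional[bool]
    finding: str


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal single-entry LDIF parser: unfolds continuation lines,
    lower-cases attribute names, skips comments, 'version:' lines and
    base64 (::) values, which this check does not need."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_unhashed_pw_switch(config_ldif: str) -> UnhashedPwReport:
    """Classify the setting and spell out the security consequence."""
    values = parse_ldif(config_ldif).get("nsslapd-unhashed-pw-switch")
    if not values:
        return UnhashedPwReport(
            None, None, None,
            "attribute absent: the server default applies; set it explicitly "
            "rather than relying on the default of the installed version")
    raw = values[0]
    sem = _SWITCH_SEMANTICS.get(raw.lower())
    if sem is None:
        return UnhashedPwReport(raw, None, None, f"unrecognised value {raw!r}")
    kept, logged = sem
    if logged:
        finding = ("clear-text passwords are written to the changelog: "
                   "required for changelog-based password sync, but anyone "
                   "who can read the changelog or its backups sees them")
    elif kept:
        finding = ("clear-text password kept only in the entry extension; "
                   "nothing reaches the changelog")
    else:
        finding = "clear-text passwords are not retained"
    return UnhashedPwReport(raw, kept, logged, finding)


# Constructed sample of a cn=config dump with the setting turned on, plus a
# folded attribute to exercise the LDIF unfolding.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory
  Manager
nsslapd-unhashed-pw-switch: on
"""

if __name__ == "__main__":
    report = audit_unhashed_pw_switch(SAMPLE_CONFIG_LDIF)
    print(f"{report.value}: {report.finding}")
```

Run it against the real cn=config dump from a replica before enabling any changelog-based password sync; if the result says the changelog carries clear-text passwords, treat the changelog directory, replication traffic and backups with the same care as the password store itself.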