On Tue, Feb 06, 2018 at 10:56:24AM -0600, Amos via FreeIPA-users wrote:
> 3. So that the UID/GID do not change across campus, do you recommend
> populating the POSIX attributes in AD, and promoting those values to the
> global catalog, then configure RH-IdM to use those POSIX values from AD?
> (Though, perhaps we don't need AD:UIDNumber and AD:GIDNumber if we import
> our current data from Sun/Solaris LDAP, then let IPA generate those values
> going forward?)
If you don't want to bother with the POSIX attributes on the AD side,
you can perhaps use ID overrides? See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
for example.
> 4. Since legacy clients (including our Solaris 10 and Solaris 11 systems)
> will not support HBAC, are there any recommendations on how to restrict
> access to such systems? (I wrote a PAM module many years ago to achieve
> that, but currently it relies on custom attributes in our Sun LDAP, and I
> see that custom objectclasses/attributes will not be allowed to be loaded
> into RH-IdM, so have to come up with something different.)
See https://github.com/jhrozek/pam_hbac/ :)