Replying to myself because I always post at odd hours when nobody is reading their inbox, heh.
Wondering if it is technically possible to use FreeIPA LDAP interface to resolve/authenticate AD-users. Thanks!
Chris
Chris Dagdigian (dag@sonsorol.org), October 26, 2020 at 2:31 PM

My use case on AWS involves ephemeral or auto-scaling servers that do not live long enough to justify a formal IPA enroll/un-enroll process.
We have a great AD-integrated IPA system running at the moment, and I've been able to configure a light test client that trusts the IPA CA certificate and will become an LDAPS client of the FreeIPA server.
This works great for local IPA users, but I'm trying to think this through and I'm not sure if I can use LDAP to authenticate an AD user. Is this even possible?
This is my working sssd.conf for a test client that just uses LDAP -- works great for resolving users and groups that are local IPA users but so far I can't resolve any of the AD resident users:
    [domain/default]
    autofs_provider = ldap
    cache_credentials = True
    ldap_search_base = cn=users,cn=accounts,dc=ipa,dc=example,dc=com
    ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ipa001.ipa.example.com/
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/pki/tls/
    default_shell = /bin/bash
    override_shell = /bin/bash
Is there any method using ldap_search_base or an override of the Default Trust View that would allow me to deploy a client that only talks LDAP to FreeIPA but is able to resolve and authenticate AD users? I'm wondering if this is even possible or if I'm looking at a lost cause. Thanks!
Chris
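An added example, not from the thread or the FreeIPA project: a small audit of the kind of LDAP-only sssd.conf posted above, parsing it with the standard-library INI parser and flagging the transport and credential-caching settings a reviewer would check before shipping it to short-lived AWS hosts (the sample config is a constructed copy of the one in the post).

```python
import configparser

# Constructed sample: the [domain/default] block quoted in the post, one key per line.
SAMPLE_SSSD_CONF = """
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ipa001.ipa.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/
default_shell = /bin/bash
override_shell = /bin/bash
"""

def audit_domain(section):
    """Return a list of findings for one [domain/...] section of sssd.conf."""
    findings = []
    uri = section.get("ldap_uri", "")
    start_tls = section.getboolean("ldap_id_use_start_tls", fallback=False)
    # A plain ldap:// URI without STARTTLS sends bind passwords in the clear.
    if uri.startswith("ldap://") and not start_tls:
        findings.append("plaintext: ldap:// URI without ldap_id_use_start_tls")
    # 'never' or 'allow' disables server certificate validation (sssd default is 'hard').
    if section.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
        findings.append("tls: ldap_tls_reqcert weakened, server certificate not verified")
    if not section.get("ldap_tls_cacert") and not section.get("ldap_tls_cacertdir"):
        findings.append("tls: no CA trust anchor (ldap_tls_cacert/ldap_tls_cacertdir) set")
    # Cached credentials allow offline login but keep password hashes on the host disk,
    # which buys little on ephemeral instances that never lose the network.
    if section.getboolean("cache_credentials", fallback=False):
        findings.append("cache: cache_credentials=True stores password hashes locally")
    # cn=accounts holds native IPA entries only; trusted-domain users are not published there.
    if "cn=accounts" in section.get("ldap_search_base", ""):
        findings.append("scope: search base under cn=accounts covers native IPA users only")
    return findings

def audit_conf(text):
    """Parse sssd.conf text (INI syntax, no % interpolation) and audit each domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {n: audit_domain(cp[n]) for n in cp.sections() if n.startswith("domain/")}

if __name__ == "__main__":
    for name, found in audit_conf(SAMPLE_SSSD_CONF).items():
        print(name, found)
```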