My use case on AWS involves ephemeral or auto-scaling servers that do not live long enough to justify a formal IPA enroll/un-enroll process.
We have a great AD-integrated IPA system running at the moment and I've been able to configure a light test client that trusts the IPA CA certificate and will become an LDAPS client of the FreeIPA server.
This works great for local IPA users but I'm trying to think this through and I'm not sure if I can use LDAP to authenticate an AD user? Is this even possible?
This is my working sssd.conf for a test client that just uses LDAP -- works great for resolving users and groups that are local IPA users but so far I can't resolve any of the AD resident users:
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ipa001.ipa.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/
default_shell = /bin/bash
override_shell = /bin/bash
Is there any method using ldap_search_base or an override of the Default Trust View that would allow me to deploy a client that only talks LDAP to FreeIPA but is able to resolve and authenticate AD users? I'm wondering if this is even possible or if I'm looking at a lost cause. Thanks!
Chris
You can do this by enabling the compat tree in FreeIPA. I believe this will involve you having to run ipa-adtrust-install --enable-compat on all IPA servers that are involved, either as a trust controller or as a trust agent. After that you'll essentially have these trees that you can use:
Groups: cn=groups,cn=compat,dc=ipa,dc=example,dc=com
Users: cn=users,cn=compat,dc=ipa,dc=example,dc=com
What will happen is all IPA users and groups will show up immediately, but the AD users/groups won't until they are asked for (e.g. from a simple ldapsearch or otherwise), which should (hopefully) be sufficient. In my previous cases of having to use the compat tree, it was for legacy clients (e.g. BSD, Solaris/OmniOS/Illumos, and RHEL 5).
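The following is an added example, not code from the thread or from the FreeIPA project: it derives the compat-tree search bases described in the reply above, rewrites the original poster's sssd.conf domain section to point at them, and builds the StartTLS-protected ldapsearch that makes the IPA server materialise a trusted-domain entry. The hostnames, the user jdoe@ad.example.com and the assumption that the compat tree exposes AD users with their fully qualified name as uid are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compat-tree bases and a rewritten
# sssd.conf domain section. Hostnames, user and paths are placeholders.
set -eu

# Turn a DNS domain (ipa.example.com) into an LDAP base DN (dc=ipa,dc=example,dc=com).
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Compat tree bases under the IPA suffix, as listed in the reply.
compat_users_base()  { printf 'cn=users,cn=compat,%s'  "$(domain_to_dn "$1")"; }
compat_groups_base() { printf 'cn=groups,cn=compat,%s' "$(domain_to_dn "$1")"; }

# Assumption: a trusted-domain user appears in the compat tree with its
# fully qualified name as uid, e.g. uid=jdoe@ad.example.com,cn=users,cn=compat,...
compat_user_dn() { printf 'uid=%s,%s' "$2" "$(compat_users_base "$1")"; }

# Emit the [domain/default] section from the original post, with only the two
# search bases moved from cn=accounts to the compat tree.
sssd_compat_domain() {
    domain=$1; server=$2
    cat <<EOF
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://$server/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/
ldap_search_base = $(compat_users_base "$domain")
ldap_group_search_base = $(compat_groups_base "$domain")
cache_credentials = True
default_shell = /bin/bash
override_shell = /bin/bash
EOF
}

# AD entries only appear in the compat tree once they are asked for; this is
# the ldapsearch that does the asking. -ZZ makes ldapsearch abort if StartTLS
# cannot be negotiated, so neither the query nor any bind goes out in clear.
compat_lookup_cmd() {
    printf 'ldapsearch -ZZ -x -H ldap://%s/ -b %s "(uid=%s)" uid uidNumber gidNumber memberOf\n' \
        "$2" "$(compat_users_base "$1")" "$3"
}

# Demo run with constructed values: print the config and the priming query.
sssd_compat_domain ipa.example.com ipa001.ipa.example.com
compat_lookup_cmd ipa.example.com ipa001.ipa.example.com jdoe@ad.example.com
```

Because auth_provider = ldap authenticates with a simple bind, the password itself travels to the IPA server in that bind; the StartTLS settings (ldap_id_use_start_tls in sssd.conf, -ZZ on the manual query) are what keep it off the wire in clear, so verify the CA in ldap_tls_cacertdir actually validates the server before relying on this for AD accounts.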
Replying to myself because I always post at odd hours when nobody is reading their inbox, heh.
Wondering if it is technically possible to use FreeIPA LDAP interface to resolve/authenticate AD-users. Thanks!
Chris
Chris Dagdigian mailto:dag@sonsorol.org October 26, 2020 at 2:31 PM
freeipa-users@lists.fedorahosted.org