Lead Image © payphoto, 123RF.com
Integrating FreeIPA with Active Directory
Building Bridges
A directory service usually provides a wealth of information on top of the classic user and group accounts, including machine and service accounts, security rules, and possibly DNS information and other data that administrators would like to store centrally to deliver to clients in the domain.
Such data can, of course, be stored in Active Directory (AD) or in any other directory service, but it does matter which clients then need to access it. AD, for example, offers a far more native interface to Windows clients than to POSIX clients. This in turn determines how well client integration works and which data those clients can retrieve, evaluate, and act on.
It is therefore very important to define from the outset which data Linux clients should obtain from Windows AD. Do you only want AD users to authenticate when accessing resources on a Linux system, or should the clients also be able to evaluate security rules governing access to those resources? And where should those rules be stored? AD may provide the corresponding functions, but its mechanisms are oriented toward Windows clients rather than Linux systems.
Ultimately, there are two types of integration. The first is direct integration: the Linux client is joined to the Windows domain and managed by an AD domain controller. The second is a kind of indirect integration, based either on data synchronization or on a domain trust. With synchronization, user accounts with a predefined set of attributes are replicated into a separate directory service, which then makes these accounts available to Linux clients. However, I won't delve into the implementation of this any further at this point, because this type of indirect integration has a number of disadvantages. Instead, I'll just point out the available literature on the subject [1].
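The following is an added illustration of the point made above about what a POSIX client can actually retrieve from AD; it is example code written for this page, not code from FreeIPA, SSSD, or the article. AD identifies every principal by a SID, stored in binary form in the `objectSid` attribute, whereas a Linux client needs numeric `uidNumber`/`gidNumber` values. A directly integrated client therefore either reads RFC 2307 attributes that an administrator has maintained in AD, or derives IDs from the RID in the SID. The `ID_RANGES` table, the sample user entries, and the RID-plus-base mapping are assumptions constructed for the example (real ID-mapping clients such as SSSD select the range by hashing the domain SID, which is omitted here).

```python
import struct

# Assumption for this example: where the algorithmic mapping places each AD
# domain, as (base, size). SSSD derives this from a hash of the domain SID.
ID_RANGES = {
    "S-1-5-21-3623811015-3361044348-30300820": (200000, 200000),
}


def decode_sid(raw: bytes) -> str:
    """Decode a binary objectSid (revision, sub-authority count, 48-bit
    big-endian authority, little-endian 32-bit sub-authorities) into the
    familiar S-1-5-21-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here only to construct sample entries."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Split a user SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def posix_identity(entry: dict) -> dict:
    """Resolve an AD user entry (attribute name -> value) to a POSIX uid/gid.

    Preferred path: the entry carries RFC 2307 attributes, which AD can store if
    the administrator maintains them. Fallback: derive uid from the RID in
    objectSid and gid from primaryGroupID, within the configured domain range.
    """
    if "uidNumber" in entry and "gidNumber" in entry:
        return {"uid": int(entry["uidNumber"]),
                "gid": int(entry["gidNumber"]), "source": "rfc2307"}
    domain, rid = split_sid(decode_sid(entry["objectSid"]))
    if domain not in ID_RANGES:
        raise LookupError("no ID range configured for domain %s" % domain)
    base, size = ID_RANGES[domain]
    group_rid = int(entry["primaryGroupID"])
    for r in (rid, group_rid):
        if r >= size:
            raise ValueError("RID %d does not fit in range of size %d" % (r, size))
    return {"uid": base + rid, "gid": base + group_rid, "source": "idmap"}


# Constructed sample entries, shaped like what an LDAP client gets from AD.
# alice has RFC 2307 attributes populated; bob has only native AD attributes.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_USERS = {
    "alice": {"sAMAccountName": "alice",
              "objectSid": encode_sid(DOMAIN_SID + "-1105"),
              "primaryGroupID": "513",
              "uidNumber": "10001", "gidNumber": "10001"},
    "bob": {"sAMAccountName": "bob",
            "objectSid": encode_sid(DOMAIN_SID + "-1013"),
            "primaryGroupID": "513"},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        print(name, decode_sid(entry["objectSid"]), posix_identity(entry))
```

The practical consequence is the one the text describes: unless AD is extended with POSIX attributes, the IDs a Linux client sees are synthesized by the client, so every client in the domain must agree on the same range configuration or file ownership on shared storage will not line up.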