Integrating FreeIPA with Active Directory
Building Bridges
Considering or Ignoring POSIX Attributes
The Windows AD schema has long been able to store POSIX attributes for users and groups; the GUI for editing them is the Identity Management for UNIX (IMU) component, formerly known as Services for UNIX (SFU). You can then enter the desired attributes in the properties of a Windows user: the UID and GID, the home directory, the login shell, and other POSIX information. The underlying attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) are part of the standard AD schema, so they can also be set with any LDAP tool.
FreeIPA recognizes this and can use the attributes stored in the AD instead of generating its own. When creating the trust, you explicitly determine how FreeIPA should behave if POSIX attributes are already defined in the AD. Using
ipa trust-add --range-type=ipa-ad-trust-posix
you tell FreeIPA that the POSIX attributes stored in the AD should be used. Every AD user who is supposed to log in to a Linux system then needs a uidNumber and gidNumber, because SSSD does not generate IDs for users that lack them. However, the statement
ipa trust-add --range-type=ipa-ad-trust
says that these attributes are to be ignored and that SSSD should generate separate IDs instead. This is the default: SSSD derives each UID and GID algorithmically from the relative ID (RID) at the end of the user's or group's SID, within the ID range that ipa trust-add creates for the trusted domain (ipa idrange-find shows its base ID, size, and base RID).
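The following Python snippet is an added illustration of the difference between the two range types; it is not part of the original article or of FreeIPA or SSSD. It models the two lookups SSSD performs for an AD user: for ipa-ad-trust, the RID from the SID is mapped onto the trust's ID range (base ID + RID - base RID); for ipa-ad-trust-posix, the uidNumber and gidNumber stored in AD are read, and a user without them gets no ID at all. The domain SID is the one shown in Listing 6; the range parameters, user names, RIDs and POSIX attributes are constructed for the example.

```python
import re

# Constructed example data: the domain SID is the one from Listing 6 (Domain
# Users is RID 513); users, RIDs, range base and POSIX attributes are assumptions.
DOMAIN_SID = "S-1-5-21-2960236960-1249552018-43539955"
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split an NT domain SID into (domain SID, relative ID)."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))


class TrustRange:
    """An ID range of type ipa-ad-trust: base ID, range size and base RID.
    IDs are computed as base_id + (RID - base_rid); nothing is read from AD."""

    def __init__(self, domain_sid, base_id, range_size, base_rid=0):
        self.domain_sid = domain_sid
        self.base_id = base_id
        self.range_size = range_size
        self.base_rid = base_rid

    def sid_to_id(self, sid):
        """Return the POSIX ID for sid, or None if this range cannot map it."""
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            return None  # objects of another domain need their own range
        offset = rid - self.base_rid
        if not 0 <= offset < self.range_size:
            return None  # RID beyond the range size: the user gets no ID
        return self.base_id + offset


def resolve_ids(entry, trust_range, range_type):
    """Return (uid, gid) for an AD user entry under the given range type,
    or None when no IDs can be derived (the user cannot log in)."""
    if range_type == "ipa-ad-trust":
        # primaryGroupID holds only the RID; rebuild the group SID from it
        group_sid = "%s-%d" % (trust_range.domain_sid, entry["primaryGroupID"])
        uid = trust_range.sid_to_id(entry["objectSid"])
        gid = trust_range.sid_to_id(group_sid)
        if uid is None or gid is None:
            return None
        return uid, gid
    if range_type == "ipa-ad-trust-posix":
        # the POSIX attributes must exist on the AD object; none are generated
        uid = entry.get("uidNumber")
        gid = entry.get("gidNumber")
        if uid is None or gid is None:
            return None
        return int(uid), int(gid)
    raise ValueError("unknown range type: %s" % range_type)


# Assumed range; 200000 is the default size, the base ID is chosen by ipa trust-add
COE_RANGE = TrustRange(DOMAIN_SID, base_id=1700000000, range_size=200000)

# Constructed AD user objects (attribute names are the real AD attribute names)
ALICE = {"objectSid": DOMAIN_SID + "-1106", "primaryGroupID": 513,
         "uidNumber": 10001, "gidNumber": 10000}                  # has IMU attributes
BOB = {"objectSid": DOMAIN_SID + "-1107", "primaryGroupID": 513}  # no IMU attributes
CAROL = {"objectSid": DOMAIN_SID + "-250000", "primaryGroupID": 513}  # RID beyond range

if __name__ == "__main__":
    for name, entry in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for rtype in ("ipa-ad-trust", "ipa-ad-trust-posix"):
            print(name, rtype, resolve_ids(entry, COE_RANGE, rtype))
```

Running the block shows the two failure modes you have to plan for: with ipa-ad-trust-posix, bob (no uidNumber/gidNumber in AD) resolves to nothing, and with ipa-ad-trust, carol (RID larger than the range size) resolves to nothing; in both cases SSSD reports the user as unknown. Check the real range with ipa idrange-find before you assume every RID fits.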
Windows Groups and Security Rules
The FreeIPA framework uses group information for many security rules (e.g., sudo, SELinux user maps, HBAC) to decide whether a specific user is granted access. However, because the framework has no objects of its own for the Windows groups – after all, they live in the AD and aren't stored in the FreeIPA directory – you need to use a little trick to be able to reference them in the desired set of rules.
The trick consists of including each desired Windows group, identified by its SID, in a corresponding external (non-POSIX) group on the FreeIPA server; then, you nest the external groups in POSIX groups, which you can ultimately use in your set of rules. Listing 6 shows how you can nest all domain users from the Windows domain in a POSIX group via such an external group.
Listing 6: Using Windows Groups
### You need to use a few tricks to be able to use Windows groups on the FreeIPA.
# ipa group-add --desc='COE users external map' coe_domain_users_external --external
---------------------------------------
Added group "coe_domain_users_external"
---------------------------------------
  Group name: coe_domain_users_external
  Description: COE users external map

# ipa group-add --desc='COE users' coe_domain_users
------------------------------
Added group "coe_domain_users"
------------------------------
  Group name: coe_domain_users
  Description: COE users
  GID: 1691800008

# ipa group-add-member coe_domain_users_external --external 'COE\Domain Users'
[member user]:
[member group]:
  Group name: coe_domain_users_external
  Description: COE users external map
  External member: S-1-5-21-2960236960-1249552018-43539955-513
-------------------------
Number of members added 1
-------------------------

# ipa group-add-member coe_domain_users --groups coe_domain_users_external
  Group name: coe_domain_users
  Description: COE users
  GID: 1691800008
  Member groups: coe_domain_users_external
-------------------------
Number of members added 1
-------------------------
You can use the coe_domain_users group from now on to implement host-based access control rules, for example, and grant only members of this group access to certain systems. Remember that FreeIPA ships with an allow_all HBAC rule that is enabled by default; a rule restricted to coe_domain_users only has an effect once allow_all has been disabled. You can, of course, apply this procedure to all Windows groups.
Conclusions
FreeIPA provides a comprehensive integration of Linux environments into existing Windows AD structures. Unlike joining Linux clients directly to the AD domain, the framework provides a native interface to the Linux side and still makes it easy to access the Active Directory.
Using this interface, Linux clients can benefit from their usual security mechanisms (HBAC, sudo rules, SELinux user maps) and don't have to make do with the trimmed-down range of functions they would get if served directly by an AD domain controller. Another advantage of this form of integration is that Windows admins keep control of their domains, and Linux admins can provide their clients with the necessary data via the FreeIPA framework.
Infos
- Integrating with Microsoft AD through synchronization: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html
- System Security Services Daemon: https://fedorahosted.org/sssd/
- realmd: http://www.freedesktop.org/software/realmd/
- FreeIPA identity management framework: https://www.freeipa.org