Features/IPAv3Trusts

From FedoraProject

Latest revision as of 22:38, 28 November 2012

IPA v3 Trusts

Summary

The new major release of IPA will have a number of new features:

  • Trusts to Active Directory domains

A few other features targeted for IPA v3 were already approved and introduced with IPA v2.2 in F17.

Owner

  • Email: sbose@redhat.com
  • Name: Alexander Bokovoy
  • Email: abokovoy@redhat.com

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-07-23
  • Percentage of completion: 100%

Detailed Description

Trust to Active Directory Domains

Currently FreeIPA uses winsync to allow users from an Active Directory domain to access resources in the IPA domain. To achieve this, winsync replicates the user and group data from an Active Directory server to the local server and tries to keep the two copies in sync.

With the new trust feature, user and group data are read from the Active Directory server on demand instead of being replicated. Additionally, a Kerberos cross-realm trust is set up, which allows single sign-on between the Active Directory and the IPA domain: a user from the Active Directory domain can access kerberized resources in the IPA domain without being asked for a password.

Benefit to Fedora

  • Trust to Active Directory Domains will have the following benefits:
    • Single-Sign-On between the Active Directory and IPA domain
    • Allow users from the IPA domain (Linux users) to access resources from the Active Directory domain
    • No need to set POSIX attributes in the Active Directory domain

Scope

  • Trust to Active Directory Domains requires the following changes:
    • FreeIPA has to be extended to store and manage the data needed to maintain the trust to the Active Directory domain, and has to provide tools to set up the trust
    • SSSD needs to be able to query the IPA server to resolve users and groups from the Active Directory domain
    • Samba4 has to be updated to a recent version so that FreeIPA can use its libraries and binaries to set up and maintain the trust to an Active Directory domain
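The mechanism behind two items above, the "no need to set POSIX attributes in the Active Directory domain" benefit and SSSD resolving Active Directory users through the IPA server, is algorithmic ID mapping: the user's SID is split into a domain SID and a RID, and the RID is offset into a POSIX ID range reserved for that trusted domain. The following is an added illustration of that scheme, not code from FreeIPA or SSSD; the IdRange class, the range values and the SIDs are constructed for the example.

```python
import re
from dataclasses import dataclass

_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")  # domain SID + RID

@dataclass(frozen=True)
class IdRange:
    """Hypothetical stand-in for an IPA idrange record: the RIDs of one trusted
    domain, starting at rid_base, map onto POSIX IDs [base_id, base_id + size)."""
    dom_sid: str
    base_id: int
    size: int
    rid_base: int = 0

def split_sid(sid):
    """Return (domain_sid, rid) for a well-formed domain SID, or None."""
    m = _SID_RE.match(sid)
    if not m:
        return None
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))

def sid_to_posix_id(sid, ranges):
    """Derive a POSIX ID from the SID alone, so AD needs no uidNumber/gidNumber.
    Returns None for a malformed SID, an untrusted domain or an out-of-range RID:
    such a user must get no ID at all rather than a fallback one."""
    parts = split_sid(sid)
    if parts is None:
        return None
    domain, rid = parts
    for r in ranges:
        if r.dom_sid == domain and 0 <= rid - r.rid_base < r.size:
            return r.base_id + (rid - r.rid_base)
    return None

def posix_id_to_sid(posix_id, ranges):
    """Reverse mapping: recover the SID behind a POSIX ID, or None if it is local."""
    for r in ranges:
        if r.base_id <= posix_id < r.base_id + r.size:
            return f"{r.dom_sid}-{r.rid_base + posix_id - r.base_id}"
    return None

def ranges_overlap(a, b):
    """Overlapping ranges would let trusted users collide with local IPA users."""
    return a.base_id < b.base_id + b.size and b.base_id < a.base_id + a.size

# Constructed sample: the local IPA range and one trusted AD domain's range.
LOCAL_RANGE = IdRange(dom_sid="", base_id=100000, size=100000)
AD_RANGE = IdRange(dom_sid="S-1-5-21-111-222-333", base_id=200000, size=200000)
TRUSTED_RANGES = [AD_RANGE]
```

Checking ranges_overlap against every configured range before adding a new one is the check that keeps a trusted domain's users from ever sharing an ID with a local IPA user.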

How To Test

Trust to Active Directory Domains

  • Detailed information about how to set up and test Trusts to Active Directory domains can be found at IPAv3 testing AD Trust

User Experience

  • If a trust is created between an Active Directory and an IPA domain
    • Users from the Active Directory Domain can access resources of the IPA domain and the other way round
    • For kerberized services single-sign-on is possible

Dependencies

  • For Trust to Active Directory domains, a recent and extended version of the samba4 package is needed.

Contingency Plan

None necessary, revert to previous release behaviour.

Documentation

  • IPAv3 testing AD Trust describes how to set up a trust relationship to an Active Directory domain and how to use it.

Release Notes

  • With Fedora 18 it would be possible to create a trust relationship between an IPA and an Active Directory domain, which would allow users from one domain to access resources of the other domain.

Comments and Discussion