Transitive Trusts with Active Directory support for FreeIPA
Summary
FreeIPA will support transitive trusts with Active Directory.
Owner
- Name: Alexander Bokovoy
- Email: abokovoy@redhat.com
- Release notes owner: <To be assigned by docs team>
Current status
- Targeted release: Fedora 20
- Last updated: 2013-07-16
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
FreeIPA in Fedora 19 already supports cross-realm trusts with Active Directory. The new version of FreeIPA will make it possible to use FreeIPA identities to access resources in Active Directory, for example to log on to Windows workstations.
Benefit to Fedora
Environments with FreeIPA and cross-realm trusts to Active Directory domains will be fully integrated in both directions (AD -> FreeIPA and FreeIPA -> AD).
Scope
This change requires expanding the logic in the FreeIPA-provided database driver for the Kerberos KDC. Additionally, it requires developing a Global Catalog service compatible with Active Directory. This is a fairly isolated effort within FreeIPA.
- Other developers: no effect
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
Upgrade/compatibility impact
The feature should be compatible with existing FreeIPA 3.x installs. The LDAP data store is upgraded through the existing FreeIPA upgrade functionality.
How To Test
Test instructions are maintained at http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
User Experience
No visible UI changes are planned.
Dependencies
Required changes are isolated to FreeIPA.
Contingency Plan
- Contingency mechanism: no Global Catalog service will be available to users (current state in Fedora 19)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
- Development is being planned for the FreeIPA 3.4 version
Release Notes
To be completed by the Change Freeze!