On Tue, Feb 06, 2018 at 10:56:24AM -0600, Amos via FreeIPA-users wrote:
> 3. So that the UID/GID do not change across campus, do you recommend
> populating the POSIX attributes in AD, and promoting those values to the
> global catalog, then configure RH-IdM to use those POSIX values from AD?
> (Though, perhaps we don't need AD:UIDNumber and AD:GIDNumber if we import
> our current data from Sun/Solaris LDAP, then let IPA generate those values
> going forward?)
If you don't want to bother with the POSIX attributes on the AD side, you can
perhaps use ID overrides? See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/id-views
for example.

> 4. Since legacy clients (including our Solaris 10 and Solaris 11 systems)
> will not support HBAC, are there any recommendations on how to restrict
> access to such systems? (I wrote a PAM module many years ago to achieve
> that, but currently it relies on custom attributes in our Sun LDAP, and I
> see that custom objectclasses/attributes will not be allowed to be loaded
> into RH-IdM, so have to come up with something different.)

See https://github.com/jhrozek/pam_hbac/ :)

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
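As an added illustration of the ID-override suggestion above (this is not code from the thread, from FreeIPA or from Red Hat), the script below turns a CSV export of the legacy Sun/Solaris LDAP POSIX data into `ipa idoverrideuser-add` commands for the Default Trust View, so the existing uidNumber/gidNumber values are kept for AD users without populating POSIX attributes in AD. The AD domain name `ad.example.com`, the CSV column order and the sample rows are assumptions made for the example; the `ipa` sub-command and option names are the real ones from the IPA CLI.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Generates "ipa idoverrideuser-add" commands from a CSV export of the
# legacy LDAP POSIX data. Review the output, then pipe it to sh on a host
# with an admin Kerberos ticket (kinit admin) to create the overrides.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"   # assumed trusted AD domain
ID_VIEW="${ID_VIEW:-Default Trust View}"   # overrides here are visible to every
                                           # IPA client and to the compat tree

# Return 0 if $1 is a non-empty string of digits (a sane uidNumber/gidNumber).
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Read CSV rows "uid,uidNumber,gidNumber,homeDirectory,loginShell" on stdin
# and print one ipa command per valid row. Rows with non-numeric IDs are
# reported on stderr and skipped rather than turned into a broken override.
gen_override_cmds() {
    while IFS=, read -r login uidnum gidnum home shell; do
        if [ -z "$login" ] || [ "$login" = "uid" ]; then
            continue    # blank line or CSV header
        fi
        if ! is_num "$uidnum" || ! is_num "$gidnum"; then
            echo "skip: non-numeric uid/gid for $login" >&2
            continue
        fi
        printf "ipa idoverrideuser-add '%s' '%s@%s' --uid=%s --gidnumber=%s --homedir='%s' --shell='%s'\n" \
            "$ID_VIEW" "$login" "$AD_DOMAIN" "$uidnum" "$gidnum" "$home" "$shell"
    done
}

# Constructed sample export (not real campus data); the second row is
# deliberately malformed to show the validation path.
SAMPLE_EXPORT='uid,uidNumber,gidNumber,homeDirectory,loginShell
amos,10001,10001,/home/amos,/bin/bash
broken,abc,10002,/home/broken,/bin/sh'

main() {
    printf '%s\n' "$SAMPLE_EXPORT" | gen_override_cmds
}
```

Two practical points: the login on the AD side must be written as `user@AD-DOMAIN`, the form IPA uses for trusted-domain users, and only overrides in the Default Trust View are served through the compat tree, so a custom view applied with `ipa idview-apply` helps SSSD clients but not the Solaris hosts that bind to `cn=compat`. The same export does not help with question 4; pam_hbac evaluates the HBAC rules stored in IPA itself, so nothing from the old Sun schema needs to be carried over for it.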