Hi there, you have several options bound to your security levels/standards. I think someone with more knowledge would know a better idea for sure... but I think you are going to need to authenticate somehow from AWS to your campus (IPA & AD), either directly, opening and publishing the needed ports, or via a couple of VMs (1 AD + 1 IPA) in AWS only reachable by those systems you want to authenticate. The second option sounds more secure. Things to consider would be: new IP ranges + DNS syncing if you want A and PTR records matching and stuff, and something like SSO which uses Kerberos, which relies on correct DNS setup if you want to avoid a headache. AFAIK, it's a setup still in research phase: https://bugzilla.redhat.com/show_bug.cgi?id=1419524
Regards,

On Sun, 24 Jan 2021 at 20:52, Jones, Bob (rwj5d) via FreeIPA-users (<freeipa-users@lists.fedorahosted.org>) wrote:

> Just refreshing this to see if anyone maybe had some input.
>
> Thanks!
>
> —
> Bob Jones
> Lead Linux Services Engineer
> ITS ECP - Linux Services
>
> > On Jan 21, 2021, at 8:08 AM, Jones, Bob (rwj5d) via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Hello all,
> >
> > We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our Linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
> >
> > With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it's not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
> >
> > So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify for clients to use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones on our local network?
> >
> > I appreciate anyone who can verify or correct what I have above.
> >
> > Thanks,
> >
> > —
> > Bob Jones
> > Lead Linux Services Engineer
> > ITS ECP - Linux Services
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
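The reply above points out that Kerberos SSO between the AWS and campus sides depends on forward (A) and reverse (PTR) records agreeing for every host. The following is an added example, not code from this thread or from FreeIPA: a small consistency check that resolves each FQDN, looks up the PTR for the returned address, and flags hosts where the two disagree. The resolver functions are injectable, and the sample zone data (`SAMPLE_A`, `SAMPLE_PTR`, all names and addresses in it) is constructed so the check runs offline; on a real host the default resolvers use the system stub resolver.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Added example (not part of the thread). Verifies the A/PTR agreement that
# Kerberos-based SSO relies on: the name a client uses must resolve to an
# address whose PTR maps back to that same name, otherwise host principal
# lookups (host/<fqdn>@REALM) and GSSAPI negotiation tend to fail.


@dataclass
class DnsCheck:
    fqdn: str
    address: Optional[str]   # None if the forward lookup failed
    ptr_name: Optional[str]  # None if no PTR (or no address) was found

    @property
    def consistent(self) -> bool:
        if self.address is None or self.ptr_name is None:
            return False
        return self.ptr_name.rstrip(".").lower() == self.fqdn.rstrip(".").lower()


def system_forward(fqdn: str) -> Optional[str]:
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def system_reverse(address: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_hosts(fqdns: Iterable[str],
                forward: Callable[[str], Optional[str]] = system_forward,
                reverse: Callable[[str], Optional[str]] = system_reverse) -> List[DnsCheck]:
    results = []
    for fqdn in fqdns:
        addr = forward(fqdn)
        ptr = reverse(addr) if addr else None
        results.append(DnsCheck(fqdn, addr, ptr))
    return results


# Constructed sample zone data: one consistent host, one whose PTR still names
# the on-premises host, and one with an A record but no PTR at all.
SAMPLE_A = {"ipa1.aws.example.test": "10.20.0.5",
            "web1.aws.example.test": "10.20.0.6",
            "db1.aws.example.test": "10.20.0.7"}
SAMPLE_PTR = {"10.20.0.5": "ipa1.aws.example.test",
              "10.20.0.6": "web1.campus.example.test"}


def check_sample() -> List[DnsCheck]:
    """Run the check against the constructed data instead of live DNS."""
    return check_hosts(SAMPLE_A, SAMPLE_A.get, SAMPLE_PTR.get)


if __name__ == "__main__":
    for r in check_sample():
        state = "OK" if r.consistent else "MISMATCH"
        print(f"{r.fqdn:24} A={r.address} PTR={r.ptr_name} {state}")
```

Replace `check_sample()` with `check_hosts(list_of_fqdns)` to run it against live DNS from a client in each network; a host flagged MISMATCH is the first place to look when Kerberos SSO fails only from one side.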