SlideShare a Scribd company logo

SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba

Alexander Bokovoy
Alexander Bokovoy

This document discusses integrating FreeIPA with Active Directory through cross-forest trusts. It describes how FreeIPA provides identity management similar to Active Directory and can be configured to trust an Active Directory domain. This allows FreeIPA and Active Directory users to access each other's services. The document also discusses how legacy systems without SSSD can still access user and group information by querying a compatibility LDAP tree on the FreeIPA server. It concludes by noting that FreeIPA passed over 100 compatibility tests with Windows Server 2012.

1 of 25
Download to read offline
Trusting Active Directory with FreeIPA: a story beyond Samba Alexander Bokovoy <ab@samba.org> Red Hat May 15th, 2014
Trusting Active Directory with FreeIPA 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
FreeIPA: http://www.freeipa.org I: Identity LDAP-based store for common objects (users, groups, hosts, services, ...) 389-ds as an LDAP server with FreeIPA server-side plugins MIT Kerberos KDC with FreeIPA driver Integrated certificate management with Dogtag Certificate Authority Python-based command line and Web management tools P: Policy Delegation and separation of access Flexible delegation of editing controls Host-based access controls to services: Everything is denied by default, define rules to allow <user or group[, source host]>→<host, service> Rules enforced at client side with SSSD project A: Audit Coming...
FreeIPA: http://www.freeipa.org
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Kerberos cross-forest trusts FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC4120-compliant Kerberos realm Traditional Kerberos trust management applies: on GNU/Linux side ~/.k5login should be defined to impersonate users with identities Does not scale well for thousands of users and hosts: a foreign realm principal impersonates our realm’s user requires additional management of special users to impersonate doubling the management effort mapping has to happen on every single machine. Manually?
Active Directory native cross forest trusts Require two Active Directory domains AD domain establishes trust with another AD domain via LSA RPC AD uses LSA RPC to map incoming principals to SIDs technically: KDC + CLDAP + LSA RPC FreeIPA provides KDC and LDAP, Samba provides LSA RPC
FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/IPAv3_Architecture
FreeIPA passdb backend Expansion of traditional LDAP passdb backend New schema objects and attributes to support trusted domain information Support for uid/gid ranges for multi-master replicas Kerberos principal creation for foreign domain account
FreeIPA KDC backend Generates MS PAC information out of LDAP info and add to the ticket Allows to accept principals and tickets from a trusted cross forest realm Filters out SIDs for both incoming and outgoing trust paths Verifies and signs MS PAC coming from a trusted cross forest realm Checks authentication paths for non-hierarchical cross-realm
FreeIPA configuration tools FreeIPA has command line (CLI) and Web user interfaces ipa trust-add creates new cross-forest trust CLI operates with Kerberos authentication Request is sent to FreeIPA server via XML-RPC over HTTPS with Kerberos auth FreeIPA uses S4U2Proxy Kerberos feature to allow constrained delegation Samba 4 Python bindings are used to establish trust Code runs under non-privileged account (apache) Uses Kerberos ticket obtained via XML-RPC with the help of mod kerb auth Issues Kerberos-authenticated LSA RPC requests to a local smbd Uses AD credentials or shared secret passed via XML-RPC request to talk to AD DC
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Using FreeIPA services with AD credentials Use of FreeIPA client system with AD cross forest credentials: Client system is provisioned with ipa-client-install SSSD is configured during provisioning to talk to FreeIPA LDAP krb5.conf is configured to perform mapping of cross forest trusted realm principal to user name 1:1 without removing the realm, e.g. Administrator@AD.SAMBAXP becomes user ’Administrator@ad.sambaxp’ Manual auth to local rules in krb5.conf will not be needed with MIT Kerberos 1.12 once SSSD will provide a plugin to fetch these rules from the FreeIPA server
Using FreeIPA services with AD credentials
Using FreeIPA services with AD credentials On the IPA client, an SSH log-in causes following activity: SSH checks if user exists on the system SSSD handles the request and sees the user is not local. From IPA client SSSD sends LDAP extended operation to FreeIPA LDAP server. Extended operation on LDAP server results in calls to SSSD on the server to perform external domain user/group mapping in FreeIPA 3.0 SSSD uses Winbind on IPA server to resolve the mapping in FreeIPA 3.3 SSSD on IPA server performs the mapping natively against AD DCs UID/GID are returned to SSH, GSSAPI is used to log-in that ’local’ user SSSD uses MS PAC from the Kerberos ticket to fill up groups information, converting SIDs to groups using FreeIPA LDAP extended operation
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Using FreeIPA services with AD credentials SSSD plays crucial role: it forwards ID resolution of AD users to IPA server and performs MS-PAC analysis Support for FreeIPA LDAP extended operation was added in SSSD 1.9 Older versions or machines without SSSD can’t use the feature, are we lost?
Supporting ‘legacy clients’ FreeIPA provides a compatibility LDAP tree, cn=compat,cn=ipa,cn=sambaxp Compatibility tree re-exports IPA users for systems that cannot be configured against the primary tree When cross-forest trust is enabled, the compatibility tree shows AD users ipa-advise tool can be used to get configuration recipes for legacy clients
Supporting ‘legacy clients’ A request comes from nss ldap, nslcd, or old version of SSSD over compatibility tree: Internally, search is performed over the primary tree If search does not succeed, FreeIPA decodes the request (uid=username ) is recognized as a user search by name (uidNumber=number ) is recognized as a user search by ID (&(cn=groupname )(objectClass=posixGroup)) is recognized as a group search by name (gidNumber=number ) is recognized as a group search by ID (memberuid=username ) is recognized as a group search by a member name Request is sent to SSSD for lookup, result is inserted into the compatibility tree LDAP bind operation is translated into PAM authentication request
Supporting ‘legacy clients’ Compatibility tree works fine with any Linux or UNIX-like systems that supports PAM and NSS API However, there are caveats: AD user name is fully qualified: Administrator@AD.SAMBAXP = 24 characters FreeBSD systems have by default limit for user names of 16 letters even in FreeBSD 9+ The limit is kernel compile-time, http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 Other *BSD systems have similar issues Kerberos authentication might not be possible unless krb5.conf is explicitly configured on the client to recognize AD realms All authentication for legacy logons with AD credentials happens on IPA server
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Compatibility with Active Directory FreeIPA 3.3 was tested by a Microsoft team in summer 2013 against Windows Server 2012 build 9200. FreeIPA as a trusted realm to AD, passed 106/117 tests Failed only Claims or Compound Identity tests which Samba doesn’t support yet FreeIPA as a local realm to a Windows client, passed 69/117 tests Main issues: FreeIPA cannot return the correct error code (8 cases) FreeIPA does not contain attributes in AD (11 cases) FreeIPA does not support Claims or Compound Identity (11 cases) FreeIPA KDCOption and Flags Issue (7 cases) FreeIPA missing PA-DATA (1 case) FreeIPA configuration issue (2 cases) FreeIPA KDC is case sensitive (1 case) We plan to make a new test run with FreeIPA 4.0 in autumn 2014
DEMO
Questions & Answers Slides http://www.samba.org/~ab/sambaxp/2014/

Recommended

Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
MongoDB
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
LDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
LDAPCon
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory Manager
LDAPCon
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
Kai Zheng
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
LDAPCon
 

Recommended

Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
MongoDB
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
LDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
LDAPCon
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory Manager
LDAPCon
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
Kai Zheng
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
LDAPCon
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
Sriharsha Chintalapani
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
Ram
RamRam
Ram
Rami reddy
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
LDAPCon
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembBuilding a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
StreamNative
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and Then
SATOSHI TAGOMORI
 
Nginx
NginxNginx
Nginx
Dhrubaji Mandal ♛
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
confluent
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
Angel Borroy López
 
Consul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingConsul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive Programming
Rick Hightower
 
2014 sept 4_hadoop_security
2014 sept 4_hadoop_security2014 sept 4_hadoop_security
2014 sept 4_hadoop_security
Adam Muise
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
StreamNative
 
Webinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesWebinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security Features
MongoDB
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
MarketingArrowECS_CZ
 
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivVPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
Amazon Web Services
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
Md Waresul Islam
 
Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...
Pivorak MeetUp
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at Scale
C4Media
 
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Wen Zhu
 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet
 

More Related Content

What's hot

Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
Sriharsha Chintalapani
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
Ram
RamRam
Ram
Rami reddy
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
LDAPCon
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembBuilding a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
StreamNative
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and Then
SATOSHI TAGOMORI
 
Nginx
NginxNginx
Nginx
Dhrubaji Mandal ♛
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
confluent
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
Angel Borroy López
 
Consul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingConsul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive Programming
Rick Hightower
 
2014 sept 4_hadoop_security
2014 sept 4_hadoop_security2014 sept 4_hadoop_security
2014 sept 4_hadoop_security
Adam Muise
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
StreamNative
 
Webinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesWebinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security Features
MongoDB
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
MarketingArrowECS_CZ
 
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivVPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
Amazon Web Services
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
Md Waresul Islam
 
Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...
Pivorak MeetUp
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at Scale
C4Media
 

What's hot (20)

Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Ram
RamRam
Ram
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembBuilding a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and Then
 
Nginx
NginxNginx
Nginx
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
 
Consul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingConsul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive Programming
 
2014 sept 4_hadoop_security
2014 sept 4_hadoop_security2014 sept 4_hadoop_security
2014 sept 4_hadoop_security
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Webinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesWebinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security Features
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
 
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivVPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
 
Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at Scale
 

Viewers also liked

Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Wen Zhu
 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet
 
Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015
Steve Pember
 
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
mfrancis
 
Apache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the boxApache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the box
Claus Ibsen
 
Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016
Cloud Standards Customer Council
 
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
Mark West
 
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewApache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Marcelo Jabali
 
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQCreating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
iCiDIGITAL
 
Microservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karafMicroservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karaf
Achim Nierbeck
 
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju CharmsCloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
Altoros
 
Deployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and CloudifyDeployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and Cloudify
Cloudify Community
 
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
ManageIQ
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
Daniel Krook
 
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source TriumvirateCloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
Animesh Singh
 
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Kai Wähner
 
Template Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCATemplate Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCA
Cloud Native Day Tel Aviv
 

Viewers also liked (17)

Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
 
Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015
 
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
 
Apache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the boxApache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the box
 
Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016
 
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
 
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewApache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
 
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQCreating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
 
Microservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karafMicroservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karaf
 
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju CharmsCloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
 
Deployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and CloudifyDeployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and Cloudify
 
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
 
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source TriumvirateCloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
 
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
 
Template Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCATemplate Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCA
 

Similar to SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba

Ldap2010
Ldap2010Ldap2010
Ldap2010
CYJ
 
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your EnterpriseMongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB
 
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your EnterpriseMongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
Kashif Khan
 
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Amazon Web Services
 
Securing Spark Applications
Securing Spark ApplicationsSecuring Spark Applications
Securing Spark Applications
DataWorks Summit/Hadoop Summit
 
Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017
Nitin Kumar
 
Webinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache KafkaWebinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache Kafka
DataStax
 
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your EnterpriseMongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Redis Labs
 
Cloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For WorkflowCloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For Workflow
Timothy Spann
 
batbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platformbatbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platform
BATbern
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
Claudia Rosu
 
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your EnterpriseMongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Edson Oliveira
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Yahoo!デベロッパーネットワーク
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScale
MariaDB plc
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2
Vinaykumar Hebballi
 
Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)
Hellmar Becker
 
Securing Hadoop in an Enterprise Context
Securing Hadoop in an Enterprise ContextSecuring Hadoop in an Enterprise Context
Securing Hadoop in an Enterprise Context
DataWorks Summit/Hadoop Summit
 

Similar to SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba (20)

Ldap2010
Ldap2010Ldap2010
Ldap2010
 
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your EnterpriseMongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
 
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your EnterpriseMongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
 
Securing Spark Applications
Securing Spark ApplicationsSecuring Spark Applications
Securing Spark Applications
 
Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017
 
Webinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache KafkaWebinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache Kafka
 
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your EnterpriseMongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
 
Cloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For WorkflowCloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For Workflow
 
batbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platformbatbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platform
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
 
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your EnterpriseMongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScale
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2
 
Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)
 
Securing Hadoop in an Enterprise Context
Securing Hadoop in an Enterprise ContextSecuring Hadoop in an Enterprise Context
Securing Hadoop in an Enterprise Context
 

Recently uploaded

Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
OECD Directorate for Financial and Enterprise Affairs
 
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
kekzed
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
OECD Directorate for Financial and Enterprise Affairs
 
Disaster Management project for holidays homework and other uses
Disaster Management project for holidays homework and other usesDisaster Management project for holidays homework and other uses
Disaster Management project for holidays homework and other uses
RIDHIMAGARG21
 
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
gpww3sf4
 
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
OECD Directorate for Financial and Enterprise Affairs
 
IEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdfIEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdf
Claudio Gallicchio
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
OECD Directorate for Financial and Enterprise Affairs
 
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Ben Linders
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real lifeCarrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real life
artemacademy2
 
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdfBRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
Robin Haunschild
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
ToshihiroIto4
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
samililja
 

Recently uploaded (20)

Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
 
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
 
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
 
Disaster Management project for holidays homework and other uses
Disaster Management project for holidays homework and other usesDisaster Management project for holidays homework and other uses
Disaster Management project for holidays homework and other uses
 
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
 
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
 
IEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdfIEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdf
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
 
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
 
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real lifeCarrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real life
 
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdfBRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
 

SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba

  • 1. Trusting Active Directory with FreeIPA: a story beyond Samba Alexander Bokovoy <ab@samba.org> Red Hat May 15th, 2014
  • 2. Trusting Active Directory with FreeIPA 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 3. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 4. FreeIPA: http://www.freeipa.org I: Identity LDAP-based store for common objects (users, groups, hosts, services, ...) 389-ds as an LDAP server with FreeIPA server-side plugins MIT Kerberos KDC with FreeIPA driver Integrated certificate management with Dogtag Certificate Authority Python-based command line and Web management tools P: Policy Delegation and separation of access Flexible delegation of editing controls Host-based access controls to services: Everything is denied by default, define rules to allow <user or group[, source host]>→<host, service> Rules enforced at client side with SSSD project A: Audit Coming...
  • 6. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 7. Kerberos cross-forest trusts FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC4120-compliant Kerberos realm Traditional Kerberos trust management applies: on GNU/Linux side ~/.k5login should be defined to impersonate users with identities Does not scale well for thousands of users and hosts: a foreign realm principal impersonates our realm’s user requires additional management of special users to impersonate doubling the management effort mapping has to happen on every single machine. Manually?
  • 8. Active Directory native cross forest trusts Require two Active Directory domains AD domain establishes trust with another AD domain via LSA RPC AD uses LSA RPC to map incoming principals to SIDs technically: KDC + CLDAP + LSA RPC FreeIPA provides KDC and LDAP, Samba provides LSA RPC
  • 9. FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/IPAv3_Architecture
  • 10. FreeIPA passdb backend Expansion of traditional LDAP passdb backend New schema objects and attributes to support trusted domain information Support for uid/gid ranges for multi-master replicas Kerberos principal creation for foreign domain account
  • 11. FreeIPA KDC backend Generates MS PAC information out of LDAP info and add to the ticket Allows to accept principals and tickets from a trusted cross forest realm Filters out SIDs for both incoming and outgoing trust paths Verifies and signs MS PAC coming from a trusted cross forest realm Checks authentication paths for non-hierarchical cross-realm
  • 12. FreeIPA configuration tools FreeIPA has command line (CLI) and Web user interfaces ipa trust-add creates new cross-forest trust CLI operates with Kerberos authentication Request is sent to FreeIPA server via XML-RPC over HTTPS with Kerberos auth FreeIPA uses S4U2Proxy Kerberos feature to allow constrained delegation Samba 4 Python bindings are used to establish trust Code runs under non-privileged account (apache) Uses Kerberos ticket obtained via XML-RPC with the help of mod kerb auth Issues Kerberos-authenticated LSA RPC requests to a local smbd Uses AD credentials or shared secret passed via XML-RPC request to talk to AD DC
  • 13. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 14. Using FreeIPA services with AD credentials Use of FreeIPA client system with AD cross forest credentials: Client system is provisioned with ipa-client-install SSSD is configured during provisioning to talk to FreeIPA LDAP krb5.conf is configured to perform mapping of cross forest trusted realm principal to user name 1:1 without removing the realm, e.g. Administrator@AD.SAMBAXP becomes user ’Administrator@ad.sambaxp’ Manual auth to local rules in krb5.conf will not be needed with MIT Kerberos 1.12 once SSSD will provide a plugin to fetch these rules from the FreeIPA server
  • 15. Using FreeIPA services with AD credentials
  • 16. Using FreeIPA services with AD credentials On the IPA client, an SSH log-in causes following activity: SSH checks if user exists on the system SSSD handles the request and sees the user is not local. From IPA client SSSD sends LDAP extended operation to FreeIPA LDAP server. Extended operation on LDAP server results in calls to SSSD on the server to perform external domain user/group mapping in FreeIPA 3.0 SSSD uses Winbind on IPA server to resolve the mapping in FreeIPA 3.3 SSSD on IPA server performs the mapping natively against AD DCs UID/GID are returned to SSH, GSSAPI is used to log-in that ’local’ user SSSD uses MS PAC from the Kerberos ticket to fill up groups information, converting SIDs to groups using FreeIPA LDAP extended operation
  • 17. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 18. Using FreeIPA services with AD credentials SSSD plays crucial role: it forwards ID resolution of AD users to IPA server and performs MS-PAC analysis Support for FreeIPA LDAP extended operation was added in SSSD 1.9 Older versions or machines without SSSD can’t use the feature, are we lost?
  • 19. Supporting ‘legacy clients’ FreeIPA provides a compatibility LDAP tree, cn=compat,cn=ipa,cn=sambaxp Compatibility tree re-exports IPA users for systems that cannot be configured against the primary tree When cross-forest trust is enabled, the compatibility tree shows AD users ipa-advise tool can be used to get configuration recipes for legacy clients
  • 20. Supporting ‘legacy clients’ A request comes from nss ldap, nslcd, or old version of SSSD over compatibility tree: Internally, search is performed over the primary tree If search does not succeed, FreeIPA decodes the request (uid=username ) is recognized as a user search by name (uidNumber=number ) is recognized as a user search by ID (&(cn=groupname )(objectClass=posixGroup)) is recognized as a group search by name (gidNumber=number ) is recognized as a group search by ID (memberuid=username ) is recognized as a group search by a member name Request is sent to SSSD for lookup, result is inserted into the compatibility tree LDAP bind operation is translated into PAM authentication request
  • 21. Supporting ‘legacy clients’ Compatibility tree works fine with any Linux or UNIX-like systems that supports PAM and NSS API However, there are caveats: AD user name is fully qualified: Administrator@AD.SAMBAXP = 24 characters FreeBSD systems have by default limit for user names of 16 letters even in FreeBSD 9+ The limit is kernel compile-time, http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 Other *BSD systems have similar issues Kerberos authentication might not be possible unless krb5.conf is explicitly configured on the client to recognize AD realms All authentication for legacy logons with AD credentials happens on IPA server
  • 22. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 23. Compatibility with Active Directory FreeIPA 3.3 was tested by a Microsoft team in summer 2013 against Windows Server 2012 build 9200. FreeIPA as a trusted realm to AD, passed 106/117 tests Failed only Claims or Compound Identity tests which Samba doesn’t support yet FreeIPA as a local realm to a Windows client, passed 69/117 tests Main issues: FreeIPA cannot return the correct error code (8 cases) FreeIPA does not contain attributes in AD (11 cases) FreeIPA does not support Claims or Compound Identity (11 cases) FreeIPA KDCOption and Flags Issue (7 cases) FreeIPA missing PA-DATA (1 case) FreeIPA configuration issue (2 cases) FreeIPA KDC is case sensitive (1 case) We plan to make a new test run with FreeIPA 4.0 in autumn 2014
  • 24. DEMO
  • 25. Questions & Answers Slides http://www.samba.org/~ab/sambaxp/2014/