Bug 1382418

Summary: RFE: Configure IdM to authenticate users to an external LDAP
Product: Red Hat Enterprise Linux 7
Reporter: Arya Rajendran <arajendr>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: Kaleem <ksiddiqu>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: ahoness, gparente, mkosek, pvoborni, rcritten, sbose
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-12 08:49:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Comment 2 Martin Kosek 2016-10-12 08:49:51 UTC
This request looks related to Bug 1271397, where IdM was requested to function as a meta directory, proxying authentication to other LDAPs. It was closed as WONTFIX with the following reasoning:

~~~
[...]

Identity Management in RHEL cannot provide this capability by itself. It can provide the functionality partially: when IdM is in a Trust relationship with AD, AD users can authenticate via the LDAP compat tree (aimed primarily at legacy clients):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-legacy.html#legacy-trust-conf-server

The use case of interfacing also with other LDAP servers is not on our roadmap or in our planned use cases. There are other products or approaches (including OpenLDAP, as reported) that can be used as a Meta Directory.
~~~

It applies to this RFE as well. What I would like to highlight is that if the other LDAP server is Active Directory, IdM has native means of interoperating with it, whether via IdM AD Trusts (recommended) or User Synchronization (Winsync, no longer developed).

Comment 9 Martin Kosek 2016-11-08 07:18:22 UTC
We have discussed this request again within the IdM Engineering group and thought that it might actually be solved with the existing IdM user External Authentication via the RADIUS protocol. IdM on RHEL-7.1 or later supports OTP via native OTP tokens, but also external OTP tokens, where it connects via RADIUS. This channel could be used for forwarding the authentication if Kerberos is used.

This solution requires both the IdM server and the client (SSSD) to be RHEL-7.1 or later, but if the customer adds a RADIUS server with their existing LDAP instance as a backend, configures that server in IdM and configures users with external authentication, the authentication could work as requested.

This is the related documentation for the RADIUS proxy:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/otp.html#migrating-proprietary-otp

When IdM is configured that way, the user authentication credentials would be passed the following way:

SSSD (RHEL-7.1+) ---> IdM Kerberos KDC (RHEL-7.1+) ---> RADIUS ---> Existing LDAP server

The limitation is that this solution does not work with bare `kinit <password>`, as the Kerberos client libraries need to create an armored FAST channel with an existing credentials cache to be able to send the clear-text password to the server. Some information on the topic is in:
https://fedorahosted.org/freeipa/ticket/4411
http://www.freeipa.org/page/V4/OTP#Implementation

It should work with properly configured SSSD though, as it does have a keytab and sufficient material to create a FAST channel automatically.
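The RADIUS hop in the chain above is where the clear-text password leaves the KDC. This added example (not code from this bug, IdM or SSSD) implements the RFC 2865 PAP exchange that leg uses: User-Password hiding with the shared secret, the Access-Request, and the Response Authenticator the KDC checks before trusting an Accept. The shared secret and the user table standing in for the RADIUS server's bind against the existing LDAP are constructed.

```python
import hashlib, hmac, os, struct

# RFC 2865 packet codes and attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
# Constructed stand-in for the RADIUS server's bind against the existing LDAP server
BACKEND = {"alice": b"correct horse battery"}

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password, as the RADIUS server runs it
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator=None):
    # KDC side: Access-Request with User-Name and hidden User-Password; fresh random authenticator
    authenticator = authenticator or os.urandom(16)
    name, pw = username.encode(), hide_password(password.encode(), secret, authenticator)
    attrs = bytes([USER_NAME, len(name) + 2]) + name + bytes([USER_PASSWORD, len(pw) + 2]) + pw
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def handle_request(packet, secret, backend):
    # RADIUS server side: parse attributes, reveal and check the password, sign the reply
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, i = packet[4:20], {}, 20
    while i < length:
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    ok = backend.get(attrs[USER_NAME].decode()) == reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, req_auth, secret):
    # KDC side: trust the reply only if its authenticator checks out; None otherwise
    attrs = response[20:struct.unpack("!H", response[2:4])[0]]
    expected = hashlib.md5(response[:4] + req_auth + attrs + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None
```

User-Password is only masked with an MD5 keystream derived from the shared secret, so the KDC-to-RADIUS leg belongs on a trusted network segment or inside a tunnel.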