Bug 1382418 - RFE: Configure IdM to authenticate users to an external LDAP
Summary: RFE: Configure IdM to authenticate users to an external LDAP
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-10-06 15:39 UTC by Arya Rajendran
Modified: 2020-06-11 13:01 UTC (History)
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-12 08:49:51 UTC
Target Upstream Version:


Attachments: none


Links:
Red Hat Bugzilla 1271397 (Private: no, last updated 2021-01-20 06:05:38 UTC)

Internal Links: 1271397

Comment 2 Martin Kosek 2016-10-12 08:49:51 UTC
This request looks related to Bug 1271397, where IdM was requested to function as a meta directory, proxying authentication to other LDAPs. It was closed as WONTFIX with the following reasoning:

~~~
[...]

Identity Management in RHEL cannot provide this capability by itself. It can provide the functionality partially: when IdM is in a Trust relationship with AD, AD users can authenticate via the LDAP compat tree (aimed primarily at legacy clients):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-legacy.html#legacy-trust-conf-server

The use case of also interfacing with other LDAP servers is not on our roadmap or planned use cases. There are other products or approaches (including OpenLDAP as reported) that can be used as a Meta Directory.
~~~

This applies to this RFE as well. What I would like to highlight is that if the other LDAP server is Active Directory, IdM has native means of interoperating with it, either via IdM AD Trusts (recommended) or User Synchronization (Winsync, no longer developed).

Comment 9 Martin Kosek 2016-11-08 07:18:22 UTC
We have discussed this request again within the IdM Engineering group and thought that it might actually be solved with the existing IdM user External Authentication via the RADIUS protocol. IdM on RHEL-7.1 or later supports OTP via native OTP tokens, but also external OTP tokens, where it connects via RADIUS. This channel could be used for forwarding the authentication if Kerberos is used.

This solution requires both the IdM server and the client (SSSD) to be RHEL-7.1 or later, but if the customer adds a RADIUS server with their existing LDAP instance as a backend, configures that server in IdM and configures users with external authentication, the authentication could work as requested.

This is the related documentation for the RADIUS proxy:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/otp.html#migrating-proprietary-otp

When IdM is configured that way, the user authentication credentials would be passed the following way:

SSSD (RHEL-7.1+) ---> IdM Kerberos KDC (RHEL-7.1+) ---> RADIUS ---> Existing LDAP server

The limitation is that this solution does not work with bare `kinit <password>`, as the Kerberos client libraries need to create an armored FAST channel with an existing credentials cache to be able to send the clear-text password to the server. Some information on the topic is in:
https://fedorahosted.org/freeipa/ticket/4411
http://www.freeipa.org/page/V4/OTP#Implementation

It should work with a properly configured SSSD though, as it does have a keytab and sufficient material to create a FAST channel automatically.
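The KDC -> RADIUS -> LDAP hop described in this comment carries the user's clear-text password inside a RADIUS Access-Request, hidden only by the RFC 2865 User-Password scheme (MD5 of the shared secret and the Request Authenticator, XORed over the password). The following is an added illustration of that exchange with both sides' messages; it is not FreeIPA or ipa-otpd code. The RADIUS server's "LDAP backend" is a constructed in-memory dictionary, the shared secrets and user names are made up, and `authenticate()` is a hypothetical driver that runs client and server in one process.

```python
"""RADIUS PAP exchange as a KDC forwarding a password to a RADIUS server would do it.

Added illustration, not FreeIPA/ipa-otpd code. Implements RFC 2865 5.2 (User-Password
hiding) and RFC 2865 3 (Response Authenticator). LDAP_BACKEND is a constructed stand-in
for the customer's existing LDAP directory behind the RADIUS server.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: what the RADIUS server would look up in the existing LDAP.
LDAP_BACKEND = {"alice": b"correct horse battery staple"}


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with MD5(secret + prev)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block          # chaining: next mask depends on the previous ciphertext block
    return out


def decode_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password. RADIUS cannot distinguish padding from trailing NULs."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: bytes, secret: bytes):
    """Client (KDC) side: returns (packet, request_authenticator)."""
    authenticator = os.urandom(16)   # must be fresh per request; it keys the password mask
    attrs = attr(ATTR_USER_NAME, username.encode()) + \
        attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV list, rejecting lengths that would run off the packet."""
    attrs = {}
    while data:
        kind, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[2:length]
        data = data[length:]
    return attrs


def radius_server_handle(packet: bytes, secret: bytes) -> bytes:
    """Server side: unhide the password, check it against LDAP_BACKEND, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = LDAP_BACKEND.get(user)
    ok = expected is not None and hmac.compare_digest(password, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> int:
    """Client side: check the Response Authenticator before trusting the verdict."""
    header, resp_auth, rest = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + rest + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from the configured server")
    return header[0]


def authenticate(username: str, password: bytes, secret: bytes, server_secret: bytes = None) -> int:
    """Hypothetical driver: run both sides in-process. server_secret != secret shows a mismatch."""
    server_secret = secret if server_secret is None else server_secret
    packet, req_auth = build_access_request(7, username, password, secret)
    reply = radius_server_handle(packet, server_secret)
    return verify_reply(reply, req_auth, secret)


if __name__ == "__main__":
    print("alice/correct ->", authenticate("alice", b"correct horse battery staple", b"s3cr3t"))
    print("alice/wrong   ->", authenticate("alice", b"wrong", b"s3cr3t"))
```

The point to take from the block: the only thing protecting the password between the KDC and the RADIUS server is the shared secret mixed into an MD5 mask, and a server configured with a different secret cannot even produce a reply the client will accept. That is why the comment's requirement that the client-to-KDC leg run inside an armored FAST channel matters, and why the RADIUS hop itself should stay on a trusted network or an equivalent tunnel.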

