#4867 [RFE] Support trust with other FreeIPA realm
Opened 10 years ago by mkosek. Modified 4 months ago

FreeIPA supports trusts with AD (mostly in AD -> IPA direction, the other direction will be ready when #3125 is closed).

When the full AD trust is ready, the implemented interface shall also be used to create trust with other FreeIPA DCs.


#3125 is a prerequisite for this work, which on its own is a stretch. This RFE will thus rather land in a later release.

Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: Global Catalog and IPA-IPA trust (was: FreeIPA 4.5 backlog)

3 years ago

Notes:
- IPA ID range detection needs to be added to allow pulling ID range info from an IPA deployment to be trusted. Right now we just apply the same lookup as in the AD case, and this is not pulling the right range.

Status:
- https://github.com/abbra/freeipa/tree/wip-ipa-ipa-trust contains current changes to support trust between two IPA deployments. It is still preliminary, as the way to establish trust will change.
- IPA and SSSD changes are available in https://copr.fedorainfracloud.org/coprs/abbra/wip-ipa-trust/, can be tested with Fedora 40/41.

The attached tarball contains an Ansible playbook that can be used to configure and exercise trust between two IPA deployments. Instructions are available inside the tarball.
local-ipa-ipa-trust-demo.tar
