A deployment wants to implement "User Based Authentication" (UBA) on their firewall. This is a Checkpoint Firewall-one. This firewall has the possibility to dynamically set up firewall rules based on the user. The firewall queries AD for all information required to do this. Part of these queries are the computer objects in AD. The Linux hosts are only in IdM. The deployment tried to create computer objects for the Linux hosts manually in AD, but this does not work, because AD must be able to communicate with the computer object; otherwise they are qualified as "disabled/offline" and it won't work.
For the above to work, the idea is:
More details: https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/62402.htm#o62423
This ticket is about item 1. above:
Compat tree is configured via cn=config, so it would require administrative (directory manager) privileges, which means it would be some extension of ipa-compat-manage. It would make sense, probably, to do it in a generic way by allowing to manage all subtrees.
simo: we are not sure if hosts in the compat tree would help at all; Checkpoint One may do more checks than just this, would defer
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)