Having centralized identity management is IMHO mandatory for every environment (not just from an auditing perspective; maintaining local accounts is a pain in the ass), and since I'm "un-microsofting" the lab (great stuff, but my work-related focus is shifting, so the lab has to as well)... long story short, I canned the MS AD and replaced it with FreeIPA.
FreeIPA is the upstream open-source project for Red Hat Identity Management (IdM). It bundles 389 Directory Server, MIT Kerberos, NTP, DNS (BIND) and a Dogtag CA, which is pretty neat. I'm not going to cover the installation, since there is great documentation on the subject.
Adding the identity source to the VCSA is pretty straightforward. You'll find the identity sources under:
Menu -> Administration -> Single Sign On -> Configuration -> Identity Sources -> Add Identity Source
Enter your Information
I used simple LDAP for the lab, but you should use LDAPS for a production environment. Once everything is entered, save the config with "Save" and you are good to go.
If everything is configured correctly, you should see your users instantly.
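One thing the VCSA wizard does not give you is a proper error when the bind fails or when the certificate does not check out, so it pays to test the exact thing vCenter will do (TLS to port 636 verified against the FreeIPA CA, then an LDAPv3 simple bind with the service account DN) before you click. The script below is an added example, not from the original post and not VMware or FreeIPA code; it uses only the Python standard library and hand-encodes the two LDAP messages involved. The hostname, bind DN and CA path on the command line are assumptions: FreeIPA keeps users under cn=users,cn=accounts,<suffix>, and enrolled hosts have the CA at /etc/ipa/ca.crt, but adjust for your realm. Encoding the BindRequest by hand also makes the LDAPS point obvious: the password is nothing but a bare OCTET STRING in the message, so over plain ldap:// it crosses the wire in clear.

```python
"""Pre-flight check for a FreeIPA LDAP identity source before adding it to vCenter.

Does what vCenter does with the identity-source settings: open an LDAPS session
validated against the FreeIPA CA, then an LDAPv3 simple bind as the service account.
Standard library only, so it runs from any jump host. Added example, not the post's code.
"""
import socket
import ssl
import sys

# --- minimal BER encoding for the two LDAP messages we need (RFC 4511 / X.690) ---

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Two's-complement INTEGER content octets, minimal length."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage carrying a BindRequest with simple authentication.

    The password is a plain OCTET STRING (simple [0]): without TLS it is sent in
    clear, which is why the identity source should be configured with ldaps://.
    """
    bind = tlv(0x60,                                   # [APPLICATION 0] BindRequest
               tlv(0x02, ber_int(3))                    # version 3
               + tlv(0x04, bind_dn.encode())            # name (LDAPDN)
               + tlv(0x80, password.encode()))          # authentication: simple [0]
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Decode an LDAPMessage/BindResponse into (resultCode, diagnosticMessage).

    resultCode 0 is success, 49 is invalidCredentials (RFC 4511, Appendix A).
    """
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)                 # messageID
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                     # [APPLICATION 1] BindResponse
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)                     # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)            # matchedDN
    _, diag, _ = _read_tlv(op, pos)                     # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_ldap_message(sock) -> bytes:
    """Read exactly one complete BER-framed LDAPMessage from the socket."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before answering")
        data += chunk
        if len(data) < 2:
            continue
        hdr = data[1]
        n = hdr & 0x7F if hdr & 0x80 else 0
        if len(data) < 2 + n:
            continue
        total = 2 + n + (int.from_bytes(data[2:2 + n], "big") if n else hdr)
        if len(data) >= total:
            return data[:total]


def check_ldaps_bind(host: str, bind_dn: str, password: str, ca_file: str,
                     port: int = 636, timeout: float = 10.0):
    """TLS session verified against ca_file (chain and hostname), then bind."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return parse_bind_response(_recv_ldap_message(tls))


if __name__ == "__main__":
    # Assumed lab values, not from the original post: FreeIPA keeps users under
    # cn=users,cn=accounts,<suffix>; the CA cert is /etc/ipa/ca.crt on enrolled hosts.
    # e.g. ipa.lab.example uid=svc-vcenter,cn=users,cn=accounts,dc=lab,dc=example <pw> /etc/ipa/ca.crt
    if len(sys.argv) != 5:
        sys.exit("usage: ipa_bind_check.py HOST BIND_DN PASSWORD CA_FILE")
    host, dn, pw, ca = sys.argv[1:]
    try:
        code, diag = check_ldaps_bind(host, dn, pw, ca)
    except ssl.SSLCertVerificationError as e:
        sys.exit(f"TLS verification failed (wrong CA file or hostname?): {e}")
    print(f"bind as {dn}: resultCode={code} {'OK' if code == 0 else diag or 'failed'}")
    sys.exit(0 if code == 0 else 1)
```

If this returns resultCode 0 with the same DN, password and CA file you are about to type into the VCSA, the identity source will work; resultCode 49 means the service account or its password is wrong, and an SSLCertVerificationError means vCenter would fail the same way unless you also hand it the FreeIPA CA certificate. The Base DN for users in the wizard is the cn=users,cn=accounts,<suffix> container the bind DN lives in, and groups sit under cn=groups,cn=accounts,<suffix>.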
I create local groups and add the groups from the identity source to them. So in this case I created a local group, assigned the permissions at the global level, propagated them to the child objects and added the external group to the local group. It sounds like double the work, but you can script the local group creation, and it makes troubleshooting easier when you are not dependent on other departments managing e.g. the AD.
There are some great articles on this subject that really make your life easier if you read them before you click.