<HTML> <HEAD> <TITLE>389-ds and AD integration questions</TITLE> </HEAD> <BODY> Dear FreeIPA community, I have a bunch of requirements that I am looking forward from ipa-server. Please clarify if these are possible Background: We are planning to deploy 389-ds(formerly Fedora DS) as our core ldap server in a Multi-Master Replication scenario. We will be having set of slave server to cater at different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and kerberos to get that working. Some of the features I am looking are <OL><LI>Easy setup of PAM Pass-thru setup. Where 389-ds queries Active Directory for password. <LI>Syncing new users automatically between AD and 389-ds including UNIX attributes in AD(after installing SFU 3.5). Though Windows Sync agreement does it, we are looking on a finer control over the OU’s and objectclass/attributes imported. <LI>Password change in unix world reflect on AD, <LI>Netgroups, adding hosts to the Directory server and have a inventory withhostname and IP address and/or perform basic host tasks. <LI>Create ACI’s such that support team has only access to create ldap accounts and update group memberships. <LI>How is the easy is it going to be if upgraded from 1.2.2 to 2.0? Any issues anticipated? </OL> I am still going through the vast Admin Guide, release notes, user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0 Thanks, Prashanth </BODY> </HTML>