<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 09/18/2013 07:55 AM, Andrew Lau wrote: <blockquote cite="mid:CAD7dF9fd+3wFV8HXAuBZ_ryFLKu3+vZL7nY2EV0Ek75o=EVhng@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="gmail_default" style="font-family:tahoma,sans-serif"><br> </div> <div class="gmail_extra"> <div class="gmail_quote">On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <span dir="ltr"><<a moz-do-not-send="true" href="mailto:aborrero@cica.es" target="_blank">aborrero@cica.es</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi there!<br> <br> This is my situation.<br> <br> I have some users of my main domain "<a moz-do-not-send="true" href="http://cica.es" target="_blank">cica.es</a>".<br> <br> But I also maintain a database of users of others domain, ie "<a moz-do-not-send="true" href="http://example.es" target="_blank">example.es</a>".<br> <br> I can apply most of FreeIPA configuration to "<a moz-do-not-send="true" href="http://cica.es" target="_blank">cica.es</a>" users: access to hosts, groups, policies, roles, etc..<br> <br> But users of "<a moz-do-not-send="true" href="http://example.es" target="_blank">example.es</a>" are dummy users, who just have an LDAP account in order to use virtual mailboxes in Postfix/Dovecot.<br> <br> Do anyone have any advice on how handle this situation?<br> <br> I see some options:<br> * create a second FreeIPA server, each to handle his own domain.<br> * get the main FreeIPA server to handle two complete different LDAP tree (with different root DNs, don't know if possible).<br> * integrate "<a moz-do-not-send="true" href="http://example.es" target="_blank">example.es</a>" users into specific groups, "prefix" or something each group and user.<br> <br> We are talking of about 2k users in total (main domain + secondary domain). In addition, there is the possibility to have more than two domains.<br> <br> How FreeIPA handles this multi-domain environment?<br> <br> Best regards.<span><font color="#888888"><br> <br> -- <br> </font></span></blockquote> <div> </div> <div><font color="#888888"> <div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"> </div> </font><span style="font-family:tahoma,sans-serif">If your second domain is just for LDAP (this is a little similar to what I did). It's not a fluid as you end up limited to the two domains.. .</span></div> <div class="gmail_default" style="font-family:tahoma,sans-serif"> <br> </div> <div class="gmail_default" style="font-family:tahoma,sans-serif">Keep the FreeIPA for hosting <a moz-do-not-send="true" href="http://cica.es/" target="_blank">cica.es</a> to do your host polices etc. Then on your virtual mailboxes two options we did was either:</div> <div class="gmail_default" style="font-family:tahoma,sans-serif"><br> </div> <div class="gmail_default" style="font-family:tahoma,sans-serif">- Change the default mail atribute in FreeIPA settings so a user would have <a moz-do-not-send="true" href="mailto:user.name@example.es" target="_blank">user.name@example.es</a> rather than <a moz-do-not-send="true" href="mailto:user.domain@cica.es" target="_blank">user.domain@cica.es</a> in their mail attribute then have the LDAP config lookup that rather than username</div> <div class="gmail_extra"> <div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">- The other simple alternative is simply have LDAP search the username and append @<a moz-do-not-send="true" href="http://example.es/" target="_blank">example.es</a> or not at all.</div> </div> <div class="gmail_extra"> <div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"><br> </div> </div> <div class="gmail_extra"> <div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"> HTH</div> </div> </div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> I am not sure that the answer above is 100% relevant to what has been asked.<br> The question was "should I merge two domains or keep them separate, and if I merger the users into IPA how should I do it to be able to differentiate users from two different original sources".<br> At least this is how I interpreted the question.<br> <br> I would say "it depends".<br> 1) Are the users in two domains are same users? If yes then you should follow advice above and merge.<br> 2) If users are actually different users then I would keep the two namespaces separate and not merge. If you merge you would be able to use groups and prefixes and may be special attributes but would not be able to put users into different sub trees. Well... you can... but the rest of the IPA would not see them if you do it right or might be confused if you do it wrong. <br> <br> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>