<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/18/2013 07:55 AM, Andrew Lau wrote:
<blockquote
cite="mid:CAD7dF9fd+3wFV8HXAuBZ_ryFLKu3+vZL7nY2EV0Ek75o=EVhng@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif"><br>
</div>
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Sep 18, 2013 at 9:40 PM,
Arturo Borrero <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:aborrero@cica.es"
target="_blank">aborrero@cica.es</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi
there!<br>
<br>
This is my situation.<br>
<br>
I have some users of my main domain "<a
moz-do-not-send="true" href="http://cica.es"
target="_blank">cica.es</a>".<br>
<br>
But I also maintain a database of users of others domain,
ie "<a moz-do-not-send="true" href="http://example.es"
target="_blank">example.es</a>".<br>
<br>
I can apply most of FreeIPA configuration to "<a
moz-do-not-send="true" href="http://cica.es"
target="_blank">cica.es</a>" users: access to hosts,
groups, policies, roles, etc..<br>
<br>
But users of "<a moz-do-not-send="true"
href="http://example.es" target="_blank">example.es</a>"
are dummy users, who just have an LDAP account in order to
use virtual mailboxes in Postfix/Dovecot.<br>
<br>
Does anyone have any advice on how to handle this situation?<br>
<br>
I see some options:<br>
* create a second FreeIPA server, each to handle its own
domain.<br>
* get the main FreeIPA server to handle two completely
different LDAP trees (with different root DNs, don't know
if possible).<br>
* integrate "<a moz-do-not-send="true"
href="http://example.es" target="_blank">example.es</a>"
users into specific groups, "prefix" or something each
group and user.<br>
<br>
We are talking of about 2k users in total (main domain +
secondary domain). In addition, there is the possibility
to have more than two domains.<br>
<br>
How does FreeIPA handle this multi-domain environment?<br>
<br>
Best regards.<span><font color="#888888"><br>
<br>
-- <br>
</font></span></blockquote>
<div> </div>
<div><font color="#888888">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline">
</div>
</font><span style="font-family:tahoma,sans-serif">If your
second domain is just for LDAP (this is a little similar
to what I did). It's not as fluid, as you end up limited
to the two domains...</span></div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif">
<br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif">Keep the FreeIPA for
hosting <a moz-do-not-send="true" href="http://cica.es/"
target="_blank">cica.es</a> to do your host policies etc.
Then for your virtual mailboxes, the two options we did were
either:</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif">- Change the default
mail attribute in FreeIPA settings so a user would have <a
href="mailto:user.name@example.es" target="_blank">user.name@example.es</a> rather
than <a href="mailto:user.domain@cica.es" target="_blank">user.domain@cica.es</a> in
their mail attribute, then have the LDAP config look that up
rather than the username</div>
<div class="gmail_extra">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline">-
The other simple alternative is simply to have LDAP search
the username and append @<a
href="http://example.es/" target="_blank">example.es</a>, or
not at all.</div>
</div>
<div class="gmail_extra">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline"><br>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline">
HTH</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
I am not sure that the answer above is 100% relevant to what has
been asked.<br>
The question was "should I merge two domains or keep them separate,
and if I merge the users into IPA how should I do it to be able to
differentiate users from two different original sources".<br>
At least this is how I interpreted the question.<br>
<br>
I would say "it depends".<br>
1) Are the users in the two domains the same users? If yes then you
should follow the advice above and merge.<br>
2) If the users are actually different users then I would keep the two
namespaces separate and not merge. If you merge you would be able to
use groups and prefixes and maybe special attributes but would not
be able to put users into different sub trees. Well... you can...
but the rest of the IPA would not see them if you do it right or
might be confused if you do it wrong.<br>
<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
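The two mailbox-lookup strategies from Andrew's reply (match the login against the mail attribute, or strip the domain and match the uid) and the namespace point from Dmitri's reply, as an added example that is not code from this thread or from FreeIPA: a small offline Python model of a merged directory, showing why the mail-attribute lookup keeps the two domains apart while the uid lookup does not, plus the uid collision check and prefixing plan you would want before merging two user populations into one realm. The sample entries, the group names, the "ex_" prefix and all helper names are assumptions made for the illustration.<br>

```python
# Added example, not code from the thread or from FreeIPA itself. It models,
# offline, the two mailbox-lookup strategies Andrew describes (match on the
# 'mail' attribute vs. strip the domain and match on 'uid'), and the uid
# collision check behind Dmitri's advice to keep different user populations
# in separate namespaces. Entries, group names and the "ex_" prefix are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class IpaUser:
    uid: str            # FreeIPA 'uid': one flat namespace, unique per realm
    mail: str           # 'mail' attribute carrying the mailbox address
    groups: frozenset   # memberOf, used here to tag the source domain


# Constructed directory: cica.es users plus mail-only example.es users that
# were merged into the same tree under a distinguishing group and uid prefix.
DIRECTORY = (
    IpaUser("aborrero", "aborrero@cica.es", frozenset({"cica-users"})),
    IpaUser("jdoe", "jdoe@cica.es", frozenset({"cica-users"})),
    IpaUser("ex_jdoe", "jdoe@example.es", frozenset({"example-mailonly"})),
)


def lookup_by_mail(login: str,
                   directory: Iterable[IpaUser] = DIRECTORY) -> Optional[IpaUser]:
    """Models a Dovecot/Postfix filter of the form (mail=%u): the complete
    login address is the key, so the same local part in two domains can
    never resolve to the same entry. Returns None unless exactly one hit."""
    hits = [u for u in directory if u.mail.lower() == login.lower()]
    return hits[0] if len(hits) == 1 else None


def lookup_by_uid(login: str, default_domain: str,
                  directory: Iterable[IpaUser] = DIRECTORY
                  ) -> Tuple[Optional[IpaUser], Optional[str]]:
    """Models a filter of the form (uid=%n) with the domain appended afterwards.
    The domain the user typed is discarded for the search, which is exactly
    how a login as jdoe@example.es lands in the cica.es jdoe's mailbox."""
    local, _, domain = login.partition("@")
    hits = [u for u in directory if u.uid == local]
    if len(hits) != 1:
        return None, None
    return hits[0], local + "@" + (domain or default_domain)


def uid_collisions(primary: Iterable[str], secondary: Iterable[str]) -> frozenset:
    """uids present in both sources. Any hit means a plain merge would violate
    IPA's uid uniqueness, so the secondary source needs a prefix or its own realm."""
    return frozenset(primary).intersection(secondary)


def plan_prefixed_merge(primary: Iterable[str], secondary: Iterable[str],
                        prefix: str) -> Dict[str, str]:
    """Map every secondary uid onto a prefixed uid so the merged namespace has
    no collisions; raises if the prefixed names still clash with a primary uid."""
    plan = {uid: prefix + uid for uid in secondary}
    clash = uid_collisions(primary, plan.values())
    if clash:
        raise ValueError("prefix does not separate the namespaces: "
                         + ", ".join(sorted(clash)))
    return plan


if __name__ == "__main__":
    print(lookup_by_mail("jdoe@example.es"))            # the example.es entry
    print(lookup_by_uid("jdoe@example.es", "cica.es"))  # the cica.es entry: wrong user
    print(uid_collisions(["aborrero", "jdoe"], ["jdoe", "msmith"]))
    print(plan_prefixed_merge(["aborrero", "jdoe"], ["jdoe", "msmith"], "ex_"))
```

The point to take from running it: with the uid filter, a login for jdoe@example.es resolves to the cica.es user jdoe and only the appended address differs, so two different people share one mailbox and one password check. With the mail filter each address is its own key, and the collision check plus prefix plan is the administrative counterpart of the same separation when the users really are different populations.<br>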
</body>
</html>