[Freeipa-users] 389-ds to free-ipa transition; transparent?

Brian LaMere brian at cukerinteractive.com
Thu Sep 2 20:10:35 UTC 2010

On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Brian LaMere wrote:
>> Yes, if not easier. It is just 389-ds under the hood, we have some simple
>> management tools that create the agreements for you. Since we use our own CA
>> SSL is easy as well.
If I already have certs for the servers that would be running the IPA, would
it be easy enough to use those?  I ask because my gold images come out of
the box already trusting my ldap servers, which means using someone else's
CA can potentially be a concern.  That's not a show-stopper, because I can
work around that anyway.

> Depending on your configuration the data migration should be relatively
> straightforward but know that the IPA DIT is completely flat. All users are
> in one container, groups in another, etc.

I have to admit that while I'm very good at some things, I was only "ok"
with ldap way back long long ago when I did anything with it.  I just
created a custom schema with a couple hundred attributeTypes and a couple
dozen objectclasses so that I can manage a lot of different things within
ldap (single point of pluggable info to allow an object-oriented framework,
independent of what tools are used).  So when I read your "the IPA DIT is
completely flat" statement I got a bit worried.  Much of what I am doing
will be far more difficult if I can't give texture to things, and my
understanding is that a "completely flat DIT" is very difficult to create
good aci's against.

I know that the obvious answer is to just install it, and look and see if it
does what I want anyway ;)  But without spending time to do that...if I
leave the users/groups in their current flat places, could I add texture to
the DIT elsewhere (aci's are almost vital for what I'm doing; I want to
expose methods, which means I can't just "trust" tools or hosts) without
causing problems for FreeIPA?

It's laziness bred not out of laziness of not wanting to just experiment and
test myself, but out of having a high workload; I'd like to use FreeIPA, and
am just wondering if the above question has an obvious answer that doesn't
even need to be tested.

Brian LaMere
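As an added illustration (not part of this thread, and not FreeIPA project code) of the point raised above: in a flat DIT, where every user sits in one container, 389-ds ACIs are scoped not by placing subtrees but by `targetfilter`, `targetattr` and bind rules such as `groupdn` and `userattr`. The container names follow IPA's `cn=users,cn=accounts` / `cn=groups,cn=accounts` layout; the suffix `dc=example,dc=com`, the group `eng-admins` and the `departmentNumber` value `eng` are constructed placeholders.

```ldif
# Constructed example: three ACIs added to a single flat users container.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
# 1. Scope by attribute value instead of by subtree: members of a group may
#    write contact attributes, but only on entries matching the filter.
aci: (targetfilter="(departmentNumber=eng)")(targetattr="mail || telephoneNumber")(version 3.0; acl "eng-admins manage eng contact attrs"; allow (write) groupdn="ldap:///cn=eng-admins,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
# 2. Users may read their own entry (self bind rule), nothing else is implied.
aci: (targetattr="*")(version 3.0; acl "self-read"; allow (read,search,compare) userdn="ldap:///self";)
-
add: aci
# 3. Relationship-based rule: whoever is named in the entry's manager
#    attribute may write that entry's description, no subtree needed.
aci: (targetfilter="(objectClass=posixAccount)")(targetattr="description")(version 3.0; acl "manager writes report description"; allow (write) userattr="manager#USERDN";)
```

Apply it with `ldapmodify -x -D "cn=Directory Manager" -W -f flat-acis.ldif`, then verify the effective rights the way a reviewer would: bind as an ordinary user with `ldapsearch -x -D "uid=<user>,cn=users,cn=accounts,dc=example,dc=com" -W -b "cn=users,cn=accounts,dc=example,dc=com"` and confirm that only the entries and attributes the filters grant are returned or writable. Because ACIs in 389-ds are deny-by-default and are evaluated per entry and per attribute, a flat container does not prevent fine-grained control; it only moves the scoping from the DN into the filter and bind rule.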
