[Freeipa-users] FreeIPA deployment questions (Open Directory)

Rob Crittenden rcritten at redhat.com
Wed Feb 15 05:16:44 UTC 2012


Brian Topping wrote:
> I'm new to FreeIPA and have some questions.  I've searched the archives for similar articles and found https://www.redhat.com/archives/freeipa-users/2011-May/msg00040.html, but with some differences.  Please excuse my lack of knowledge, but hope that answers to these questions might help others through the archives.
>
> *** I saw the announcement that 2.1.4 from the updates-testing repo is "strongly advised".  In the previous message, I saw that deploying a production server on Fedora was a bad idea.  2.1.3 is the last version available on the CentOS repos.  Is that one reasonable to use?  Are there any gotchas that I should know about like disabling selinux?  Is 2.1.3 usable while waiting for 2.1.4 to hit the CentOS repos?

RHEL (and therefore CentOS) versioning can be misleading because it 
tends to not move much over time despite patches being added. ipa 
2.1.3-9 is more or less equivalent to FreeIPA 2.1.4 (a number of 
features are disabled, perhaps a patch or two not backported).

The advisory is to pick up the CSRF fix which can be found in both versions.

Deploying in production in Fedora can be fine; you just have to accept 
that the window of support for any given release is relatively short 
(~13 months).

> *** AD synchronization is under active development, but I'm wanting to work with Open Directory.  The last references I've seen to it on the user list was with 1.x.  I've seen the opaque objects in the OD schema, realize the OD schema is rather fluid and understand that maintaining an integration like that may not be productive for such a small audience.  On the other hand, are there configurations with limited replication or referrals that might provide basic interoperability?  I haven't been too successful with getting Apache Directory Studio connected to FreeIPA so I can browse around, but does anyone have some insights they could share on this?  Anyone have FreeIPA working at any level with OpenDirectory that they could share insights about?

389-ds is our LDAP server so we generally support what it can do. AFAIK 
it does not do replication with OD. What is it you want to replicate, 
what direction, etc?

I've never used the Apache studio but others have reported success. It 
is probably just a matter of getting your basedn right (e.g. 
dc=example,dc=com) and perhaps providing a bind user (cn=Directory 
Manager). Are you getting specific error messages? That might help 
troubleshoot things.

regards

rob



