[Freeipa-users] Chaining and FreeIPA Directory Server

Dmitri Pal dpal at redhat.com
Fri Jul 6 14:35:15 UTC 2012


On 07/06/2012 10:24 AM, Phyo Kyaw wrote:
> Any idea?
>
>
> Thanks for prompt reply Rob. I was just experimenting if it is
> possible to setup in a way that users from IPA (A) can be made
> available on IPA (B), so that users from A can access clients in B.
>
> Thanks again.
>


With the latest DS bits in Fedora you might be able to set up the following:

1) Create an IPA domain for advanced clients
2) Install a separate DS instance
3) Sync some of the IPA users into DS (would require some manual
configuration, but I suspect it is possible). No need to sync passwords though.
4) Use DS with PAM pass through capability. Configure SSSD on the DS
server to use IPA as the authentication and identity source.

This way you will be able to accomplish some part of what you are
looking for.

Dmitri
> On 5 July 2012 16:28, Rob Crittenden <rcritten at redhat.com> wrote:
>> Phyo Kyaw wrote:
>>> Dear all,
>>>
>>> server ipa-server-2.1.3-9.el6.x86_64
>>>
>>> This is probably a question for Directory 389 users, but..
>>>
>>> I would like to chain (not master-to-master replication) users of two
>>> or more IPA servers. The first thing I did was trying to chain the IPA
>>> 389-ds servers by setting up chaining entries. The chaining entries
>>> work out of the box on standard 389-DS, but on IPA 389-ds it won't start
>>> after adding LDAP suffixes. The 389-ds error log only shows
>>>
>>> [05/Jul/2012:15:00:33 +0000] - Detected Disorderly Shutdown last time
>>> Directory Server was running, recovering database.
>>>
>>> Suffix entry
>>>
>>> dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>> objectClass:nsMappingTree
>>> objectClass:extensibleObject
>>> objectClass:top
>>> cn:cn=dc=example,dc=com
>>> cn:"cn=dc=example,dc=com"
>>> nsslapd-backend:testusers
>>> nsslapd-state:backend
>>>
>>> Just wondering if FreeIPA has some other configuration or plugin that
>>> prevents/conflicts with 389-DS starting. I guess chaining is something
>>> we need if we have two or more IPAs in one infrastructure.
>>>
>> I don't know why this would cause the server to not start but IPA doesn't
>> support read-only replicas at this time. What is it you are trying to
>> achieve?
>>
>> rob
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
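The four-step recipe above (separate DS instance, synced users without passwords, PAM pass-through, SSSD pointed at IPA) is only sketched in the mail. The script below is an added example written for this page, not code from the thread or from the FreeIPA/389-DS projects. It stages the three configuration pieces that recipe needs on the standalone 389-DS host and writes them to a directory for review; nothing is applied to a server. Assumed names: suffix dc=example,dc=com, IPA domain ipa.example.com, a PAM service called "ldapserver" (the 389-DS default for the plugin), synced users under ou=People, and a constructed sample user "alice". Attributes not listed in the LDIF keep the plugin's shipped defaults.

```shell
#!/bin/sh
# Added example (not from the thread): stage the config for "DS with PAM
# pass-through, SSSD on the DS host bound to IPA". Writes files only.
set -eu

write_passthrough_config() {
    dir=$1; suffix=$2; ipa_domain=$3
    mkdir -p "$dir"

    # 1) Enable the 389-DS "PAM Pass Through Auth" plugin.
    #    pamIDMapMethod RDN: the uid RDN of the bound DN is the PAM login
    #    name, so synced entries must keep the same uid as in IPA.
    #    pamSecure TRUE: refuse pass-through binds over cleartext (the
    #    password reaches DS in a simple bind, so TLS is mandatory).
    #    pamFallback FALSE: never fall back to a local userPassword.
    cat > "$dir/pam-passthrough.ldif" <<'EOF'
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ldapserver
EOF

    # 2) The PAM service the plugin calls: hand auth and account to SSSD.
    #    Install as /etc/pam.d/ldapserver on the DS host.
    cat > "$dir/pam.d-ldapserver" <<'EOF'
auth     required   pam_sss.so
account  required   pam_sss.so
EOF

    # 3) SSSD on the DS host uses IPA for identity and authentication.
    #    ipa-client-install normally writes this; shown here for review.
    cat > "$dir/sssd.conf" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $ipa_domain

[domain/$ipa_domain]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = $ipa_domain
ipa_server = _srv_, $ipa_domain
cache_credentials = True
EOF
    chmod 600 "$dir/sssd.conf"

    # 4) Shape of a synced user (constructed sample): identity attributes
    #    only, deliberately no userPassword, so the only way to bind as
    #    alice is the pass-through to IPA.
    cat > "$dir/users.ldif" <<EOF
dn: uid=alice,ou=People,$suffix
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
EOF
}

# Sanity check on a staging directory: TLS-only pass-through is enforced
# and no password made it into the synced user entries. Returns 0 if OK.
check_staging() {
    dir=$1
    grep -q '^pamSecure: TRUE$' "$dir/pam-passthrough.ldif" || return 1
    grep -q '^pamFallback: FALSE$' "$dir/pam-passthrough.ldif" || return 1
    if grep -qi 'userPassword' "$dir/users.ldif"; then return 1; fi
    return 0
}

out=${1:-$(mktemp -d)}
write_passthrough_config "$out" "${2:-dc=example,dc=com}" "${3:-ipa.example.com}"
check_staging "$out" && echo "staged in $out"
```

Apply the LDIF with `ldapmodify -x -D "cn=Directory Manager" -W -f pam-passthrough.ldif` and restart the instance; copy the PAM file to /etc/pam.d/ldapserver and make sure the DS host is an enrolled IPA client. Two caveats: PAM pass-through only covers simple binds, so a Kerberos/GSSAPI bind from an IPA user against this DS will not work, and with pamSecure set to TRUE a bind over plain LDAP is rejected rather than passed through, which is the behaviour you want.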
