[Freeipa-users] Questions about FreeIPA vs 389DS

Simo Sorce simo at redhat.com
Fri Sep 14 12:26:00 UTC 2012


On Fri, 2012-09-14 at 08:31 +0100, mailing lists wrote:
> >>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
> >>> no synchronization is necessary, but by using IPA it seems very
> >>> restrictive to support current applications which need an LDAP
> >>> hierarchical tree, custom schema with custom objectclasses and
> >>> attributes, custom ACLs for applications...... I know about Directory
> >>> Server virtual views, but I'm worried about the consequences of low
> >>> level manipulation of the FreeIPA Directory Server instance.
> >>>
> >>> So how are others solving this paradox?
> >>> they run 389DS with (fractional) replication towards (or from)
> >>> FreeIPA 389DS?
> >>> they add custom schemas to FreeIPA 389DS?
> >>> they do low-level manipulation of FreeIPA 389DS for ACLs, plugin
> >>> activation, ...?
> >>> what about upgrades after these modifications were done?
> > If you need this level of flexibility and customization 389 DS is
> > probably better for you than IPA.
> > It seems that you want to do a lot of "do it yourself" things. IPA is
> > more about "use as is with minor tweaks so that you do not need to do it
> > yourself".
> 
> I do not want "do it yourself" things if it isn't strictly necessary,
> but for the external applications, the legacy ones, etc... a minimum
> level of flexibility is necessary. My questions were about how other
> admins solved this inconvenience. Was anyone really in a similar
> situation?

It is not clear to me what kind of flexibility you think you need.

The user tree is flat, but you can create a custom subtree and use
custom schema otherwise, just like with any LDAP server.
I have yet to find an application that dictates a hierarchical tree for
users.

> I wonder if it is possible configure 389DS with samba4 to create a
> forest trust with AD without FreeIPA ....

No, the samba4 DC does not yet support trust relationships.
And Samba4 also only supports using the embedded LDAP server; support for
using third-party directories was dropped a long while ago.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
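As an added illustration of the "custom subtree plus custom schema, just like any LDAP server" point above (example code, not part of this thread and not FreeIPA's or 389DS's own tooling): the script below generates the two LDIF pieces an admin would feed to ldapmodify/ldapadd, a schema extension for cn=schema and a separate application subtree with a least-privilege ACI, and checks that every entry it produces lives outside the containers FreeIPA manages. The suffix dc=example,dc=com, the ou=legacyapps name, the service account uid, the attribute/objectclass names and the OID arc are constructed placeholders; the container names cn=accounts and cn=etc are the real top-level FreeIPA containers the check keeps clear of.

```python
"""Build LDIF for a custom application subtree beside FreeIPA's managed tree.

Assumptions (all constructed for this example): the directory suffix,
the ou=legacyapps container name, the service account uid and the OID
arc used for the custom schema. Replace OID_ARC with an arc under your
own private enterprise number before loading the schema into a server.
"""

SUFFIX = "dc=example,dc=com"
APP_OU = "ou=legacyapps"
SVC_UID = "legacyapp-svc"
OID_ARC = "1.3.6.1.4.1.0.99"  # PLACEHOLDER arc, not a registered assignment

# Top-level containers FreeIPA owns under the suffix; custom data must not
# be placed inside them, so upgrades and IPA plugins never touch it.
IPA_MANAGED_CONTAINERS = ("cn=accounts", "cn=etc")


def dn_is_outside_ipa_tree(dn, suffix=SUFFIX):
    """True if the RDN directly below the suffix is not an IPA-managed container."""
    dn_l = dn.lower().replace(", ", ",")
    suffix_l = suffix.lower()
    if not dn_l.endswith("," + suffix_l):
        return False  # the suffix itself, or a DN from some other tree
    rdns = dn_l[: -len(suffix_l) - 1].split(",")
    return rdns[-1].strip() not in IPA_MANAGED_CONTAINERS


def schema_ldif(oid_arc=OID_ARC):
    """LDIF modify that adds one attribute and one auxiliary objectclass to cn=schema."""
    return (
        "dn: cn=schema\n"
        "changetype: modify\n"
        "add: attributeTypes\n"
        f"attributeTypes: ( {oid_arc}.1 NAME 'legacyAppRole' "
        "DESC 'Role of an account in a legacy application' "
        "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
        "X-ORIGIN 'user defined' )\n"
        "-\n"
        "add: objectClasses\n"
        f"objectClasses: ( {oid_arc}.2 NAME 'legacyAppAccount' "
        "DESC 'Legacy application account data' SUP top AUXILIARY "
        "MAY ( legacyAppRole ) X-ORIGIN 'user defined' )\n"
    )


def subtree_ldif(suffix=SUFFIX):
    """LDIF add for the container, its service account and one application entry.

    The ACI on the container grants the service account read/search/compare on
    the subtree only (and never on userPassword), so the application's bind
    identity cannot read anything under cn=accounts or the rest of the suffix.
    """
    base = f"{APP_OU},{suffix}"
    svc_dn = f"uid={SVC_UID},{base}"
    return (
        f"dn: {base}\n"
        "objectClass: top\n"
        "objectClass: organizationalUnit\n"
        f"ou: {APP_OU.split('=', 1)[1]}\n"
        'aci: (targetattr != "userPassword")(version 3.0; acl "legacyapp service read"; '
        f'allow (read,search,compare) userdn = "ldap:///{svc_dn}";)\n'
        "\n"
        f"dn: {svc_dn}\n"
        "objectClass: top\n"
        "objectClass: account\n"
        "objectClass: simpleSecurityObject\n"
        f"uid: {SVC_UID}\n"
        "userPassword: REPLACE-ME-placeholder\n"
        "\n"
        f"dn: uid=app-user-1,{base}\n"
        "objectClass: top\n"
        "objectClass: account\n"
        "objectClass: legacyAppAccount\n"
        "uid: app-user-1\n"
        "legacyAppRole: reporting\n"
    )


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr: [values]})], folding continuation lines."""
    entries, dn, attrs, last = [], None, {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            attrs[last][-1] += raw[1:]  # folded continuation of the previous value
            continue
        if not raw.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs, last = None, {}, None
            continue
        if raw == "-" or raw.startswith("#"):
            continue  # modify-op separator or comment
        key, _, value = raw.partition(":")
        if key == "dn":
            dn, last = value.strip(), None
        else:
            attrs.setdefault(key, []).append(value.strip())
            last = key
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def custom_entries_are_outside_ipa(suffix=SUFFIX):
    """Guard to run before loading: every generated entry must avoid IPA's containers."""
    return all(dn_is_outside_ipa_tree(dn, suffix) for dn, _ in parse_ldif(subtree_ldif(suffix)))


if __name__ == "__main__":
    print(schema_ldif())
    print(subtree_ldif())
    print("entries outside IPA-managed tree:", custom_entries_are_outside_ipa())
```

The two LDIF strings are loaded separately: the schema change goes first (against cn=schema), then the subtree. Running the same guard against a DN such as uid=alice,cn=users,cn=accounts,dc=example,dc=com returns False, which is the point: application data and its ACI stay in their own subtree and never depend on how IPA lays out its flat user container.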