[Freeipa-users] Questions about FreeIPA vs 389DS

Rich Megginson rmeggins at redhat.com
Fri Sep 14 14:30:11 UTC 2012


On 09/14/2012 01:31 AM, mailing lists wrote:
> Hi,
>
>
> On 09/14/2012 12:43 AM, Dmitri Pal wrote:
>> On 09/13/2012 10:57 AM, Rich Megginson wrote:
>>> On 09/13/2012 07:01 AM, mailing lists wrote:
>>>> I need to use services in an Active Directory environment and the
>>>> WinSync solution has important limitations: the MODRDN operation is
>>>> not handled correctly, losing the relation with AD objects (it deletes
>>>> and adds the entry, so a new SID and GUID are assigned),
>>> What version of 389-ds-base are you using?
> I did a test between W2008R2 and 389DS 1.2.10.2, and the result was that moving entries from the 389DS console resulted in a delete/add operation in AD, so a new SID and GUID were generated; it broke the group membership and permissions of the AD entry, and the relation between the 389DS entry and the AD entry was also broken.

This is a problem with the 389 console.  It doesn't support entry move 
or subtree rename.  It is doing a delete/add.  If you use ldapmodify 
with changetype: modrdn you should be able to see entry moves and 
subtree renames.

>
> I think it is related to Error #3 in the RHDS documentation:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Troubleshooting.html
>
>>>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
>>>> no synchronization is necessary, but by using IPA it seems very
>>>> restrictive to support current applications which need an LDAP
>>>> hierarchical tree, custom schema with custom objectclasses and
>>>> attributes, custom ACLs for applications... I know about Directory
>>>> Server virtual views, but I'm worried about the consequences of low
>>>> level manipulation of the FreeIPA Directory Server instance.
>>>>
>>>> So how are others solving this paradox?
>>>> Do they run 389DS with (fractional) replication towards (or from)
>>>> FreeIPA 389DS?
>>>> Do they add custom schemas to FreeIPA 389DS?
>>>> Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin
>>>> activation, ...?
>>>> What about upgrades after these modifications were done?
>> If you need this level of flexibility and customization 389 DS is
>> probably better for you than IPA.
>> It seems that you want to do a lot of "do it yourself" things. IPA is
>> more about "use as is with minor tweaks so that you do not need to do it
>> yourself".
> I do not want "do it yourself" things if it isn't strictly necessary, but for the external applications, the legacy ones, etc., a minimum level of flexibility is necessary. My questions were about how other admins solved this inconvenience. Was anyone really in a similar situation?
>
> I wonder if it is possible to configure 389DS with samba4 to create a forest trust with AD without FreeIPA ....
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
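The distinction Rich draws above, a real move being a single LDAP MODRDN operation while the 389 console issues a delete followed by an add, can be checked in two places: in the change you submit and in the directory server's own access log. The following Python script is an added example and is not code from this thread, from 389DS or from FreeIPA. It builds the LDIF that `ldapmodify` needs for a `changetype: modrdn` move, and it scans access-log lines to report each relocation as either a genuine MODRDN (entry identity kept) or a delete/add pair that re-creates the entry (and therefore, through WinSync, gives the AD object a new SID and GUID). The log lines are constructed for the example and only approximate the 389DS access log layout; the field order and the five-second pairing window are assumptions.

```python
import re
from datetime import datetime

# Access-log line shape assumed here (an approximation of the 389DS access
# log, not taken from the thread); only MODRDN/DEL/ADD operation lines match.
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>MODRDN|DEL|ADD) dn="(?P<dn>[^"]*)"'
    r'(?: newrdn="(?P<newrdn>[^"]*)")?'
    r'(?: newsuperior="(?P<newsup>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: alice is moved with MODRDN, bob is "moved" console-style.
SAMPLE_LOG = """\
[14/Sep/2012:10:01:02 +0000] conn=7 op=4 MODRDN dn="uid=alice,ou=people,dc=example,dc=com" newrdn="uid=alice" newsuperior="ou=staff,dc=example,dc=com"
[14/Sep/2012:10:01:02 +0000] conn=7 op=4 RESULT err=0 nentries=0 etime=0
[14/Sep/2012:10:05:30 +0000] conn=9 op=2 DEL dn="uid=bob,ou=people,dc=example,dc=com"
[14/Sep/2012:10:05:30 +0000] conn=9 op=2 RESULT err=0 nentries=0 etime=0
[14/Sep/2012:10:05:31 +0000] conn=9 op=3 ADD dn="uid=bob,ou=staff,dc=example,dc=com"
[14/Sep/2012:10:05:31 +0000] conn=9 op=3 RESULT err=0 nentries=0 etime=0
"""


def modrdn_ldif(dn, newrdn, newsuperior=None, deleteoldrdn=True):
    """LDIF change record for `ldapmodify` that moves or renames an entry in
    place (RFC 2849 changetype: modrdn).  Unlike delete-then-add, the server
    keeps the entry's identity, which is what a sync agreement to AD needs
    to preserve the SID/GUID relation and the AD group memberships."""
    lines = [
        f"dn: {dn}",
        "changetype: modrdn",
        f"newrdn: {newrdn}",
        f"deleteoldrdn: {1 if deleteoldrdn else 0}",
    ]
    if newsuperior:  # only needed when the entry moves to a new parent
        lines.append(f"newsuperior: {newsuperior}")
    return "\n".join(lines) + "\n"


def parent_of(dn):
    """Everything after the first RDN ('' for a one-component DN)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def classify_moves(log_lines, window_seconds=5):
    """Scan access-log lines and report how entries were relocated.

    Returns (kind, rdn, old_dn, new_dn) tuples where kind is:
      'modrdn'     - a genuine move/rename, entry identity preserved
      'delete_add' - a DEL followed within `window_seconds` by an ADD of the
                     same RDN on the same connection: the entry was re-created,
                     so the synced AD object gets a new SID/GUID."""
    findings = []
    pending_del = {}  # (conn, rdn) -> (timestamp, deleted dn)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # RESULT, BIND, SRCH ... lines are not relocation ops
        ts = datetime.strptime(m["ts"], TS_FMT)
        rdn = m["dn"].split(",", 1)[0]
        key = (m["conn"], rdn)
        if m["kind"] == "MODRDN":
            newsup = m["newsup"]
            parent = newsup if newsup and newsup != "(null)" else parent_of(m["dn"])
            new_dn = f"{m['newrdn']},{parent}" if parent else m["newrdn"]
            findings.append(("modrdn", rdn, m["dn"], new_dn))
        elif m["kind"] == "DEL":
            pending_del[key] = (ts, m["dn"])
        elif m["kind"] == "ADD" and key in pending_del:
            t0, old_dn = pending_del.pop(key)
            if (ts - t0).total_seconds() <= window_seconds:
                findings.append(("delete_add", rdn, old_dn, m["dn"]))
    return findings


if __name__ == "__main__":
    # The LDIF below is what to feed `ldapmodify -f move.ldif` instead of
    # dragging the entry in the console.
    print(modrdn_ldif("uid=alice,ou=people,dc=example,dc=com", "uid=alice",
                      newsuperior="ou=staff,dc=example,dc=com"))
    for kind, rdn, old, new in classify_moves(SAMPLE_LOG.splitlines()):
        flag = "OK  " if kind == "modrdn" else "WARN"
        print(f"{flag} {kind:<10} {old} -> {new}")
```

Run against a real access log, the WARN lines point at the tools or scripts that relocate entries by re-creating them; those are the moves WinSync will replay into AD as a delete plus an add, which is exactly the SID/GUID loss described at the top of the thread.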