[Freeipa-users] Recommendations on multi-domain environments

Andrew Lau andrew at andrewklau.com
Wed Sep 18 11:55:36 UTC 2013


On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <aborrero at cica.es> wrote:

> Hi there!
>
> This is my situation.
>
> I have some users of my main domain "cica.es".
>
> But I also maintain a database of users of other domains, i.e. "example.es".
>
> I can apply most of FreeIPA configuration to "cica.es" users: access to
> hosts, groups, policies, roles, etc.
>
> But users of "example.es" are dummy users, who just have an LDAP account
> in order to use virtual mailboxes in Postfix/Dovecot.
>
> Does anyone have any advice on how to handle this situation?
>
> I see some options:
>  * create a second FreeIPA server, each to handle its own domain.
>  * get the main FreeIPA server to handle two completely different LDAP trees
> (with different root DNs, don't know if possible).
>  * integrate "example.es" users into specific groups, "prefix" or
> something each group and user.
>
> We are talking of about 2k users in total (main domain + secondary
> domain). In addition, there is the possibility to have more than two
> domains.
>
> How does FreeIPA handle this multi-domain environment?
>
> Best regards.
>
> --
>

If your second domain is just for LDAP (this is a little similar to what I
did). It's not as fluid, as you end up limited to the two domains...

Keep the FreeIPA for hosting cica.es to do your host policies etc. Then on
your virtual mailboxes two options we did were either:

- Change the default mail attribute in FreeIPA settings so a user would have
user.name at example.es rather than user.domain at cica.es in their mail
attribute, then have the LDAP config look up that rather than username
- The other simple alternative is to simply have LDAP search the username and
append @example.es or not at all.

HTH
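
The two lookup options from the reply above, as an added example that is not part of the original thread or of FreeIPA, Postfix or Dovecot: it builds the LDAP filter each option would send for a recipient address and shows which user it resolves to. The `ENTRIES` list, the `lookup` and `escape_filter` names and the `mail_domains` parameter are hypothetical, and an in-memory list stands in for the real directory search.

```python
# Added illustration: constructed entries stand in for FreeIPA user objects.
ENTRIES = [
    {"uid": "aborrero", "mail": "aborrero@cica.es"},   # main-domain user
    {"uid": "jdoe", "mail": "jdoe@example.es"},        # mailbox-only user
]

def escape_filter(value):
    """Escape the RFC 4515 special characters before building a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def lookup(address, mode, mail_domains=("example.es",)):
    """Return (ldap_filter, uid) for a recipient address.

    mode "mail": option 1, match the whole address against the mail attribute.
    mode "uid":  option 2, match the local part against uid; the domain is
                 implied, so it has to be checked against mail_domains here.
    """
    address = address.strip().lower()
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return None, None
    if mode == "mail":
        flt = "(mail=%s)" % escape_filter(address)
        hits = [e for e in ENTRIES if e["mail"].lower() == address]
    elif mode == "uid":
        if domain not in mail_domains:
            return None, None
        flt = "(uid=%s)" % escape_filter(local)
        hits = [e for e in ENTRIES if e["uid"].lower() == local]
    else:
        raise ValueError("mode must be 'mail' or 'uid'")
    # Exactly one entry must match; anything else is treated as no mailbox.
    return flt, (hits[0]["uid"] if len(hits) == 1 else None)

if __name__ == "__main__":
    for addr in ("jdoe@example.es", "aborrero@example.es", "*@example.es"):
        for mode in ("mail", "uid"):
            print(addr, mode, lookup(addr, mode))
```

With the `mail` lookup an address exists only if an entry carries it, while the `uid` lookup resolves `aborrero@example.es` to the cica.es user as well, so that search has to be narrowed (for example to a group) if main-domain users should not receive mail in the secondary domain.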