[Freeipa-users] Recomendations on multi-domain environments

Dmitri Pal dpal at redhat.com
Fri Sep 20 15:36:10 UTC 2013


On 09/18/2013 07:55 AM, Andrew Lau wrote:
>
> On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <aborrero at cica.es> wrote:
>
>     Hi there!
>
>     This is my situation.
>
>     I have some users of my main domain "cica.es".
>
>     But I also maintain a database of users of other domains, i.e.
>     "example.es".
>
>     I can apply most of the FreeIPA configuration to "cica.es" users:
>     access to hosts, groups, policies, roles, etc.
>
>     But users of "example.es" are dummy users, who just have an LDAP
>     account in order to use virtual mailboxes in Postfix/Dovecot.
>
>     Does anyone have any advice on how to handle this situation?
>
>     I see some options:
>      * create a second FreeIPA server, each handling its own domain.
>      * get the main FreeIPA server to handle two completely different
>     LDAP trees (with different root DNs, don't know if possible).
>      * integrate "example.es" users into specific groups, "prefix" or
>     something each group and user.
>
>     We are talking of about 2k users in total (main domain + secondary
>     domain). In addition, there is the possibility to have more than
>     two domains.
>
>     How does FreeIPA handle this multi-domain environment?
>
>     Best regards.
>
>     -- 
>
>
> If your second domain is just for LDAP (this is a little similar to
> what I did), it's not as fluid, as you end up limited to the two domains...
>
> Keep the FreeIPA for hosting cica.es to do your host policies etc. Then
> for your virtual mailboxes, the two options we used were either:
>
> - Change the default mail attribute in FreeIPA settings so a user would
> have user.name at example.es rather than user.domain at cica.es in their
> mail attribute, then have the LDAP config look up that rather than the
> username
> - The other simple alternative is simply to have LDAP search the username
> and append @example.es or not at all.
>
> HTH
>
>

I am not sure that the answer above is 100% relevant to what has been asked.
The question was "should I merge two domains or keep them separate, and
if I merge the users into IPA how should I do it to be able to
differentiate users from two different original sources".
At least this is how I interpreted the question.

I would say "it depends".
1) Are the users in the two domains the same users? If yes then you should
follow the advice above and merge.
2) If the users are actually different users then I would keep the two
namespaces separate and not merge. If you merge you would be able to use
groups and prefixes and maybe special attributes but would not be able
to put users into different sub trees. Well... you can... but the rest
of IPA would not see them if you do it right or might be confused if
you do it wrong.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
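The two Dovecot LDAP lookups Andrew describes above (match on the mail attribute, or search by bare username and let the mail server supply the domain), written out as an added dovecot-ldap.conf.ext illustration that is not from the original thread; the host name, bind DN, password and base DN are assumptions to be replaced with your own FreeIPA values.

```conf
# Added example, not from the thread. Assumed values: LDAP host, bind
# account under cn=sysaccounts, and the standard FreeIPA users container.
hosts = ipa.cica.es
ldap_version = 3
tls = yes
dn = uid=dovecot,cn=sysaccounts,cn=etc,dc=cica,dc=es
dnpass = CHANGE-ME
base = cn=users,cn=accounts,dc=cica,dc=es
scope = subtree
# Bind as the located user DN to verify the password instead of
# reading password hashes from the directory.
auth_bind = yes

# Option 1: the login name is the full address (user.name@example.es)
# and only an entry whose mail attribute carries exactly that address
# is returned. %u is the full login name as typed by the client.
pass_filter = (&(objectClass=posixAccount)(mail=%u))
user_filter = (&(objectClass=posixAccount)(mail=%u))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# Option 2 (alternative; comment out option 1 to use it): look up the
# bare username (%n, the part before the @) and let Dovecot supply the
# domain via auth_default_realm = example.es in conf.d/10-auth.conf.
# A uid that exists for both a cica.es and an example.es user would
# match here, so option 1 is the safer choice when namespaces overlap.
#pass_filter = (&(objectClass=posixAccount)(uid=%n))
#user_filter = (&(objectClass=posixAccount)(uid=%n))
```

The same choice applies to Postfix's ldap: table for virtual_mailbox_maps, where query_filter = (mail=%s) is the option 1 equivalent.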






