[Freeipa-users] Recommendations on multi-domain environments

Petr Spacek pspacek at redhat.com
Mon Sep 23 07:04:02 UTC 2013


On 20.9.2013 17:36, Dmitri Pal wrote:
> On 09/18/2013 07:55 AM, Andrew Lau wrote:
>>
>> On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <aborrero at cica.es> wrote:
>>
>>      Hi there!
>>
>>      This is my situation.
>>
>>      I have some users of my main domain "cica.es".
>>
>>      But I also maintain a database of users of another domain, i.e.
>>      "example.es".
>>
>>      I can apply most of the FreeIPA configuration to "cica.es" users:
>>      access to hosts, groups, policies, roles, etc.
>>
>>      But users of "example.es" are dummy users, who just have an LDAP
>>      account in order to use virtual mailboxes in Postfix/Dovecot.
>>
>>      Does anyone have any advice on how to handle this situation?
>>
>>      I see some options:
>>       * create a second FreeIPA server, each handling its own domain.
>>       * get the main FreeIPA server to handle two completely different
>>      LDAP trees (with different root DNs; I don't know if that is possible).
>>       * integrate "example.es" users into specific groups, and "prefix"
>>      each group and user or something similar.
>>
>>      We are talking about 2k users in total (main domain + secondary
>>      domain). In addition, there is the possibility of having more than
>>      two domains.
>>
>>      How does FreeIPA handle this multi-domain environment?
>>
>>      Best regards.
>>
>>      --
>>
>>
>> If your second domain is just for LDAP (this is a little similar to
>> what I did), it's not as fluid, as you end up limited to the two domains...
>>
>> Keep the FreeIPA for hosting cica.es to do your host policies etc.
>> Then for your virtual mailboxes, the two options we used were either:
>>
>> - Change the default mail attribute in FreeIPA settings so a user would
>> have user.name at example.es rather than user.domain at cica.es in their
>> mail attribute, then have the LDAP config look that up rather than the
>> username
>> - The other simple alternative is simply to have LDAP search the username
>> and append @example.es, or not at all.
>>
>> HTH
>>
>>
>
> I am not sure that the answer above is 100% relevant to what has been asked.
> The question was "should I merge two domains or keep them separate, and
> if I merge the users into IPA, how should I do it to be able to
> differentiate users from two different original sources".
> At least this is how I interpreted the question.
>
> I would say "it depends".
> 1) Are the users in the two domains the same users? If yes, then you should
> follow the advice above and merge.
> 2) If the users are actually different users, then I would keep the two
> namespaces separate and not merge. If you merge, you would be able to use
> groups and prefixes and maybe special attributes, but would not be able
> to put users into different subtrees. Well... you can... but the rest
> of IPA would not see them if you do it right, or might be confused if
> you do it wrong.

I would add one other point:
Try to be 'future-proof'. Are you 100% sure that you will never merge both 
sets of users? 'Never' is a long time ... (Remember that you will have to 
solve UID/GID/naming conflicts during the merge. It will be painful.)

What is the added value of two domains?

-- 
Petr^2 Spacek
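The UID/GID/naming conflicts mentioned above are the first thing to measure before deciding whether a merge is feasible. The following script is an added example, not code from this thread or from the FreeIPA project: it takes LDIF exports of two user databases (here constructed sample entries for cica.es and example.es, with made-up DNs and numbers), indexes the attributes that must be unique in a single IPA domain (uid, uidNumber, gidNumber, mail), and reports every value claimed by both sides. Collisions inside one export are deliberately ignored, since users sharing a primary group within one domain is normal; only cross-domain clashes block a merge.

```python
"""Pre-merge conflict check for two LDAP user sets.

Added example (not from the thread): list the uid, uidNumber, gidNumber
and mail values that occur in BOTH exports, i.e. the conflicts that would
have to be resolved before merging two namespaces into one IPA domain.
The LDIF below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample export of the main domain.
CICA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=cica,dc=es
uid: alice
uidNumber: 1001
gidNumber: 1001
mail: alice@cica.es

dn: uid=bob,cn=users,cn=accounts,dc=cica,dc=es
uid: bob
uidNumber: 1002
gidNumber: 1002
mail: bob@cica.es
"""

# Constructed sample export of the mail-only secondary domain.
EXAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=es
uid: alice
uidNumber: 2001
gidNumber: 2001
mail: alice@example.es

dn: uid=carol,ou=people,dc=example,dc=es
uid: carol
uidNumber: 1002
gidNumber: 1002
mail: carol@example.es
"""

# Attributes that must be unique across a single IPA domain.
CHECKED = ("uid", "uidNumber", "gidNumber", "mail")


def parse_ldif(text):
    """Minimal LDIF parser: blank-line-separated entries, single-valued
    attributes, no line folding and no base64 (':: ') values."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    if entry:
        entries.append(entry)
    return entries


def index_by(entries, attr):
    """Map each value of `attr` to the DNs that carry it."""
    idx = defaultdict(list)
    for entry in entries:
        if attr in entry:
            idx[entry[attr]].append(entry["dn"])
    return idx


def find_conflicts(entries_a, entries_b):
    """Return {attr: {value: [dn, ...]}} for values present in both sets.
    Duplicates confined to one side (e.g. a shared primary gidNumber)
    are not reported; they are not a merge blocker."""
    result = {}
    for attr in CHECKED:
        a, b = index_by(entries_a, attr), index_by(entries_b, attr)
        clashes = {v: a[v] + b[v] for v in sorted(a.keys() & b.keys())}
        if clashes:
            result[attr] = clashes
    return result


def conflict_report(ldif_a, ldif_b):
    """Convenience wrapper: parse both exports and return the conflicts."""
    return find_conflicts(parse_ldif(ldif_a), parse_ldif(ldif_b))


if __name__ == "__main__":
    for attr, values in conflict_report(CICA_LDIF, EXAMPLE_LDIF).items():
        for value, dns in values.items():
            print(f"{attr}={value} is claimed by: {', '.join(dns)}")
```

With the sample data the report flags the duplicate login name `alice` and the uidNumber/gidNumber `1002` shared by bob and carol, while the mail attribute is clean because the two domains differ; a real run would replace the constants with `ldapsearch -LLL` output (or `ipa user-find --all --raw` for the IPA side) exported to files.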