[Freeipa-users] Migration from OpenLDAP

tizo tizone at gmail.com
Tue May 27 17:24:08 UTC 2014


On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <pspacek at redhat.com> wrote:

> On 13.1.2014 15:50, Alexander Bokovoy wrote:
>
>> On Mon, 13 Jan 2014, tizo wrote:
>>
>>> Hi there,
>>>
>>> We have a working authentication system for GNU/Linux consisting of an MIT
>>> Kerberos server and an OpenLDAP directory with a particular structure. I
>>> was wondering if we could use FreeIPA to administer those working
>>> components as they are, without having to deploy a new FreeIPA server
>>> from scratch.
>>>
>> In short, no, it is not possible.
>>
>
> I would like to elaborate on this a bit more:
> You really can't use the FreeIPA WebUI with a home-grown LDAP+Kerberos system,
> but FreeIPA provides migrate-ds scripts which ease the transition from
> OpenLDAP.
>
> Please see
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>
> You need to migrate OpenLDAP data to one FreeIPA server and then you can
> simply create FreeIPA server replicas as needed.
>
> In other words, the migrate-ds script is run only once even if you have
> multiple servers with replicated data.
>
> There are some limited capabilities for migration with user passwords, but
> I will let other people elaborate - this is not an area of my expertise.
>
> Let us know if you need any assistance during migration.
>
> --
> Petr^2 Spacek
>

I had discarded the FreeIPA option, as we couldn't use our OpenLDAP server
and Kerberos as they were. Now I am thinking that it could be very useful for
us (for another reason), but I have a question about it. In short:
can the FreeIPA internal LDAP server be used like any other LDAP server?

In detail: we have some Java applications that authenticate against
our current OpenLDAP server. LDAP authentication is used in this case,
with an overlay for password policies (as in
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The
users that would use FreeIPA are a subset of the users that use the Java
applications. So I would like that, at least at first, users of the Java
applications continue authenticating as they do now. I don't know if
that can be done, and I have never worked with 389 Directory Server, so
any help is appreciated.