[Freeipa-users] Migration from OpenLDAP

tizo tizone at gmail.com
Tue May 27 18:49:37 UTC 2014


Great! Thanks very much Simo.


On Tue, May 27, 2014 at 3:02 PM, Simo Sorce <simo at redhat.com> wrote:

> On Tue, 2014-05-27 at 14:24 -0300, tizo wrote:
> > On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <pspacek at redhat.com> wrote:
> >
> > > On 13.1.2014 15:50, Alexander Bokovoy wrote:
> > >
> > >> On Mon, 13 Jan 2014, tizo wrote:
> > >>
> > >>> Hi there,
> > >>>
> > >>> We have a working authentication system for GNU/Linux consisting of
> > >>> an MIT Kerberos server and an OpenLDAP directory with a particular
> > >>> structure. I was wondering if we could use FreeIPA to administer those
> > >>> working components as they are, without having to deploy a new FreeIPA
> > >>> server from scratch.
> > >>>
> > >> In short, no, it is not possible.
> > >>
> > >
> > > I would like to elaborate on this a bit more:
> > > You really can't use the FreeIPA WebUI with a home-grown LDAP+Kerberos
> > > system, but FreeIPA provides migrate-ds scripts which ease the transition
> > > from OpenLDAP.
> > >
> > > Please see
> > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> > >
> > > You need to migrate the OpenLDAP data to one FreeIPA server and then you
> > > can simply create FreeIPA server replicas as needed.
> > >
> > > In other words, the migrate-ds script is run only once even if you have
> > > multiple servers with replicated data.
> > >
> > > There are some limited capabilities for migrating user passwords, but
> > > I will let other people elaborate - this is not an area of my expertise.
> > >
> > > Let us know if you need any assistance during migration.
> > >
> > > --
> > > Petr^2 Spacek
> > >
> >
> > I had discarded the FreeIPA option, as we couldn't use our OpenLDAP server
> > and Kerberos as they were. Now, I am thinking that it could be very useful
> > for us (for another reason), but I have a question about it. In short:
> > can FreeIPA's internal LDAP server be used like any other LDAP server?
> >
> > In detail: we have some Java applications that authenticate against
> > our actual OpenLDAP server. LDAP authentication is used in this case,
> > with an overlay for password policies (as in
> > http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies).
> > The users that would use FreeIPA are a subset of the users that use the
> > Java applications. So, I would like that, at least at first, users of the
> > Java applications continue authenticating as they do now. I don't know
> > if that can be done, and I have never worked with 389 Directory Server, so
> > any help is appreciated.
>
> FreeIPA uses a full LDAPv3 compliant LDAP server called 389ds:
> http://port389.org
>
> It allows LDAP binds and extensions to schema just like any other fully
> featured LDAP server.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
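Simo's point that the 389ds instance inside FreeIPA accepts plain LDAP binds like any other LDAPv3 server means the Java applications in the question can keep authenticating the way they do against OpenLDAP, only with a different bind DN layout. The following JNDI example is added here to illustrate that; it is not code from the thread or from the FreeIPA project, and the host `ipa.example.com`, the base DN `dc=example,dc=com`, and the user `alice` are assumed placeholders. The only FreeIPA-specific fact it relies on is that user entries live under `cn=users,cn=accounts,<base DN>`.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class IpaLdapBind {
    // Assumed values for illustration; replace with your own server and base DN.
    static final String LDAP_URL = "ldaps://ipa.example.com:636";
    static final String BASE_DN = "dc=example,dc=com";

    /** FreeIPA keeps user entries under cn=users,cn=accounts,<base DN>. */
    static String userDn(String uid) {
        // Only accept characters that cannot alter the DN structure; anything
        // else would let a caller bind as a different entry than intended.
        if (!uid.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("refusing to build a DN from: " + uid);
        }
        return "uid=" + uid + ",cn=users,cn=accounts," + BASE_DN;
    }

    /** Returns true only if the directory accepted the simple bind for this user. */
    static boolean authenticate(String uid, char[] password) {
        // An empty password makes LDAP perform an anonymous (unauthenticated)
        // bind, which succeeds without proving anything; never treat it as a login.
        if (password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);            // ldaps:// so the password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn(uid));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            // Wrong password, locked or expired account: the server refused the bind.
            return false;
        } catch (NamingException e) {
            // Network, TLS or configuration problem: distinguish it from a bad password
            // so callers do not silently treat an outage as "access denied".
            throw new IllegalStateException("could not reach or bind to the directory", e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Sample call with a constructed password; prints true or false.
        System.out.println(authenticate("alice", "correct horse".toCharArray()));
    }
}
```

Two practical notes for the migration scenario in the thread: the application's trust store needs the FreeIPA CA certificate so the `ldaps://` connection verifies the server, and FreeIPA enforces its own password policy (expiry, lockout) on the bind itself, so an expired or locked account shows up in the application as a rejected bind, much as the OpenLDAP ppolicy overlay did.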