[Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

Carlos Raúl Laguna carlosla1987 at gmail.com
Thu May 28 19:02:48 UTC 2015


Thanks for the clarifications. One more question: does FreeIPA support
partial or fractional replication? Regards

2015-05-28 0:25 GMT-04:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Wed, 27 May 2015, Carlos Raúl Laguna wrote:
>
>> Hello Martin, Alexander
>>
>> It seems that the time shift between us is large. If I understand correctly,
>> the compat tree will allow me to see all users, regardless of their location
>> (Windows or FreeIPA); however, the Kolab-specific attribute must come from
>> FreeIPA and Windows AD, where the user entries lie. This means creating
>> custom object classes and attributes for the AD schema, then updating the
>> compat plugin to see the custom attribute.
>>
>> The second part, where Kolab needs to update some value in any of these
>> attributes, for example mailQuota: it would be rejected and therefore it must
>> be done from Windows AD or FreeIPA. Is this correct? Thanks to both of you
>> for your time and input in this matter. Regards
>>
> Just to make it absolutely clear: using compat tree will not help you
> at all. Nothing else in FreeIPA could help you in getting Kolab to work
> with both IPA and AD users at the same time.
>
> It would be nice if kolab could grow a capability to connect to multiple
> LDAP servers at the same time, with non-overlapping user and group
> trees. I don't think it is there now and I don't see other possibilities
> here.
>
>
>
>> 2015-05-27 4:46 GMT-04:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>
>>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>
>>>> On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:
>>>>
>>>>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>>>
>>>>>> On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:
>>>>>>
>>>>>>> Hello Martin,
>>>>>>>
>>>>>>> The email deployment is a groupware, in this scenario Kolab. Kolab uses
>>>>>>> 389 ad as its main backend and it requires some Kolab-specific LDAP
>>>>>>> attributes to work properly. This is not a problem; in fact it is quite
>>>>>>> easy to use FreeIPA as the Kolab backend. So far so good, but the romance
>>>>>>> only gets this far. Since we also use Windows AD with a forest trust, not
>>>>>>> all users are present in the FreeIPA directory, and that is where my
>>>>>>> problem lies. Since not all users are in the same box, it becomes
>>>>>>> difficult to implement one mail system for all users. Regards
>>>>>>>
>>>>>>>
>>>>>> As I said, we have a compat tree that allows LDAP BIND authentication and
>>>>>> LDAP identity (not enumeration) for both IPA users and AD users when realm
>>>>>> is in place.
>>>>>>
>>>>>> You can even update the configuration of the compat tree and add the
>>>>>> Kolab-specific fields to be generated there too. There was a very similar
>>>>>> request on freeipa-users. It was for vSphere, but dealing with a very
>>>>>> similar use case, and the final solution:
>>>>>>
>>>>>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>>>>>>
>>>>>> Would that approach work for you?
>>>>>>
>>>>> I don't think it will work. The compat tree is a run-time read-only view of
>>>>> the data coming from somewhere else. You need to have Kolab-specific
>>>>> data available somewhere to be able to inject it in the compat tree.
>>>>> Where would that data be stored for Kolab for AD-specific entries?
>>>>>
>>>>>
>>>> It would work as long as the attributes are in the "real" user entries in
>>>> the form of custom attributes and the compat plugin can be updated to add
>>>> those to the compat view.
>>>>
>>> What real user entries are you talking about for AD users?
>>>
>>>>> Additionally, Kolab wants to modify these custom attributes and the compat
>>>>> tree simply does not support modification; they are all refused.
>>>>>
>>>>>
>>>> If Kolab requires modifications, then this approach would not work with
>>>> current FreeIPA implementation, yes.
>>>>
>>> No, we are not going into enabling modifications over compat tree, this
>>> is simply impossible to achieve, sorry.
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>