[Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.
Martin Kosek
mkosek at redhat.com
Fri May 29 07:59:52 UTC 2015
Only a very basic "fractional replication" - you can remove selected attributes
from replicating. It is possible even now and can be configured on each
replication agreement:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/managing-fractional-repl.html
In FreeIPA 4.2, it should be possible to set that centrally:
https://fedorahosted.org/freeipa/ticket/4302
Martin
On 05/28/2015 09:02 PM, Carlos Raúl Laguna wrote:
> Thanks for the clarifications, one more question, does FreeIPA support partial
> or fractional replications? Regards
>
> 2015-05-28 0:25 GMT-04:00 Alexander Bokovoy <abokovoy at redhat.com
> <mailto:abokovoy at redhat.com>>:
>
> On Wed, 27 May 2015, Carlos Raúl Laguna wrote:
>
> Hello Martin, Alexander
>
> Seems that the time shift is large between us. If I understand correctly, the
> compat tree will allow me to see all users, regardless of their location,
> Windows or FreeIPA; however, the Kolab-specific attribute must come from
> FreeIPA and Windows AD, where the user entries lie. This means creating
> custom object classes and attributes for the AD schema, then updating the
> compat plugin to see the custom attribute.
>
> The second part, where Kolab needs to update some value in any of these
> attributes, for example mailQuota: it would be rejected and therefore it must
> be done from Windows AD or FreeIPA, is this correct? Thanks to both of you for
> your time and input in this matter. Regards
>
> Just to make you absolutely clear: using compat tree will not help you
> at all. Nothing else in FreeIPA could help you in getting Kolab to work
> with both IPA and AD users at the same time.
>
> It would be nice if kolab could grow a capability to connect to multiple
> LDAP servers at the same time, with non-overlapping user and group
> trees. I don't think it is there now and I don't see other possibilities
> here.
>
>
>
> 2015-05-27 4:46 GMT-04:00 Alexander Bokovoy <abokovoy at redhat.com
> <mailto:abokovoy at redhat.com>>:
>
> On Wed, 27 May 2015, Martin Kosek wrote:
>
> On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:
>
> On Wed, 27 May 2015, Martin Kosek wrote:
>
> On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:
>
> Hello Martin,
>
> The email deployment is a groupware, in this scenario Kolab. Kolab uses
> 389 ad as main backend and it requires some Kolab LDAP-specific attributes to
> work properly. This is not a problem, in fact it is quite easy to use FreeIPA
> as Kolab backend, so far so good, but the romance only gets this far. Since
> we also use Windows AD with forest-trust, not all users are present in the
> FreeIPA directory, and that is where my problem lies. Since not all users
> are in the same box, it becomes difficult to implement one mail system for
> all users. Regards
>
>
> As I said, we have compat tree that allows LDAP BIND authentication and LDAP
> identity (not enumeration) for both IPA users and AD users when realm is in
> place.
>
> You can even update the configuration of the compat tree and add the kolab
> specific fields to be generated there too. There was very similar request on
> freeipa-users. It was for vSphere, but dealing with very similar use case and
> the final solution:
>
> http://www.freeipa.org/page/HowTo/vsphere5_integration
>
> Would that approach work for you?
>
> I don't think it will work. compat tree is run-time read-only view of
> the data coming from somewhere else. You need to have Kolab-specific
> data available somewhere to be able to inject it in the compat tree.
> Where would that data be stored for Kolab for AD-specific entries?
>
>
> It would work as long as the attributes are in the "real" user entries in form
> of custom attributes and compat plugin can be updated to add those to
> compat view.
>
> What real user entries you are talking about for AD users?
>
> Additionally, Kolab wants to modify these custom attributes and compat
> tree simply does not support modification, they all are refused.
>
>
> If Kolab requires modifications, then this approach would not work with
> current FreeIPA implementation, yes.
>
> No, we are not going into enabling modifications over compat tree, this
> is simply impossible to achieve, sorry.
> --
> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
>
>
>
>
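An added example, not part of Martin's message or of the FreeIPA code base: on a 389 Directory Server replication agreement the fractional list is the `nsDS5ReplicatedAttributeList` attribute, and a `replace` that lists only the new attribute silently drops the exclusions already there. The helper below reads one agreement entry and builds the ldapmodify input that keeps them; the host names, suffix and the use of `mailQuota` (the attribute named in the thread) as the attribute to exclude are assumptions for illustration.

```python
import re

# Constructed sample: one agreement entry as an ldapsearch under
# cn=mapping tree,cn=config would print it (placeholder host and suffix).
SAMPLE_AGREEMENT = """\
dn: cn=meToreplica2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: replica2.example.test
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof entryusn
"""

_FILTER = "(objectclass=*)"
_LIST_RE = re.compile(r"\(objectclass=\*\)\s*\$\s*EXCLUDE\s+(.*)", re.I)


def parse_agreement(ldif):
    """Return (dn, excluded attributes) for a single agreement entry.

    Assumes plain-text values (no base64 'dn::' form).
    """
    ldif = ldif.replace("\n ", "")  # unfold LDIF continuation lines
    dn, excluded = None, []
    for line in ldif.splitlines():
        name, _, value = line.partition(":")
        name, value = name.lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "nsds5replicatedattributelist":
            match = _LIST_RE.fullmatch(value)
            if not match:
                raise ValueError("unexpected attribute list: %r" % value)
            excluded = match.group(1).split()
    if dn is None:
        raise ValueError("no dn in entry")
    return dn, excluded


def exclude_ldif(ldif, new_attrs):
    """Build ldapmodify input adding new_attrs to the existing exclusions."""
    dn, excluded = parse_agreement(ldif)
    seen = {attr.lower() for attr in excluded}
    for attr in new_attrs:
        if attr.lower() not in seen:  # attribute names are case-insensitive
            excluded.append(attr)
            seen.add(attr.lower())
    return ("dn: %s\nchangetype: modify\n"
            "replace: nsDS5ReplicatedAttributeList\n"
            "nsDS5ReplicatedAttributeList: %s $ EXCLUDE %s\n"
            % (dn, _FILTER, " ".join(excluded)))
```

The same change has to be made on every agreement that should stop carrying the attribute, since the setting is per agreement.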