[Freeipa-users] How to migrate from freeipa distribution to separate components

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 13 14:33:25 UTC 2016


On Wed, 13 Jan 2016, bahan w wrote:
>Hello Simo!
>
>For the reason :
>The production team wants to use only the two components openLDAP and MIT
>Kerberos, possibly on different servers.
>
>For the explanation :
>They want to install only MIT Kerberos and openLDAP.
>We already have an existing FreeIPA installation, with users, groups,
>principals, pwpolicies.
>We would like to migrate this to an openLDAP for the users, groups and
>pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
>forgetting anything).
FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
schema.

Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
dozen additional plugins. These plugins either don't exist for OpenLDAP
at all or have different behavior and rely on a different LDAP schema.

In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
used by the MIT Kerberos LDAP driver because it doesn't know about that
data, and the OpenLDAP server will not have the same behavior as expected by
IPA clients (SSSD) in IPA-specific mode.

Whatever your production team is thinking about this move, it is most
certainly not properly thought out.

-- 
/ Alexander Bokovoy
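One way to measure the schema gap Alexander describes before planning any such migration is to audit an LDIF export of the IPA directory for object classes and attributes that a plain OpenLDAP plus MIT Kerberos LDAP backend would not recognise. The script below is an added example and is not code from this thread or from the FreeIPA project. The two "known schema" sets, the `ipa`-prefix attribute heuristic, and the sample LDIF (including its object class names and values) are this example's own assumptions and constructed data, not an authoritative inventory of either schema.

```python
"""Audit an IPA LDIF export for schema a plain OpenLDAP + MIT Kerberos stack lacks.

Added example, not from the mailing-list thread.  The schema sets below are
assumptions for illustration; check them against your own target servers.
"""
import base64
from typing import Dict, List

# Assumption: object classes an out-of-the-box OpenLDAP (core/cosine/nis) knows.
OPENLDAP_CLASSES = {
    "top", "person", "organizationalperson", "inetorgperson", "posixaccount",
    "shadowaccount", "posixgroup", "groupofnames", "organizationalunit",
    "dcobject", "organization",
}
# Assumption: object classes shipped in MIT Kerberos' kerberos.schema.
MIT_KRB_CLASSES = {
    "krbprincipal", "krbprincipalaux", "krbticketpolicyaux", "krbcontainer",
    "krbrealmcontainer", "krbpwdpolicy",
}

# Constructed sample: two IPA-style entries with a folded line and a base64 value.
SAMPLE_LDIF = """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
ipaUniqueID: 11111111-2222-3333-4444-555555555555
ipaSshPubKey:: c3NoLXJzYSBBQUFB
memberOf: cn=admins,cn=groups,cn=accounts,
 dc=example,dc=test

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipaobject
objectClass: ipausergroup
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    lower-cases attribute names, and returns one dict per entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current = None
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = {}
        if current is None:                  # e.g. a 'version:' header
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries, known=OPENLDAP_CLASSES | MIT_KRB_CLASSES):
    """Map each DN to the object classes outside `known` and to attributes that
    look IPA-specific (heuristic: name starts with 'ipa')."""
    report = {}
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        extra_classes = sorted(classes - known)
        ipa_attrs = sorted(a for a in entry if a.startswith("ipa"))
        if extra_classes or ipa_attrs:
            report[dn] = {"classes": extra_classes, "attributes": ipa_attrs}
    return report


if __name__ == "__main__":
    for dn, gap in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        print("  unknown objectClass:", ", ".join(gap["classes"]) or "-")
        print("  IPA attributes:     ", ", ".join(gap["attributes"]) or "-")
```

Run against a real export (for example the output of an `ldapsearch` against the IPA server, saved as LDIF) instead of `SAMPLE_LDIF`; every DN the report lists carries data that would be silently dropped or ignored by the target servers unless the matching schema and server-side logic is recreated there.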
