[Freeipa-users] How to migrate from freeipa distribution to separate components

Simo Sorce simo at redhat.com
Wed Jan 13 15:10:52 UTC 2016


On Wed, 2016-01-13 at 15:57 +0100, bahan w wrote:
> Re.
> 
> Thanks both of you for your answers.
> 
> Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
> kind of service that we want from IPA, even if it is not embedded in an
> integrated solution like IPA.
> 
> I totally agree that IPA provides a lot of things but I am quite sure the
> isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> cache client like sssd or nscd/nslcd can work.

I know they *can* work, but there is no "migration" path there because
they are not a solution, they are a bag of parts you need to manually
configure and integrate on your own.

> Alexander, when I mention migration, I think of the following actions :
> 1. Take the principals that we have for the KDC and recreate them in an MIT
> Kerberos KDC architecture

If you know how to deploy openldap+MIT kdc you should know how to do
this, if you do not you should ask yourself if you can support your
plan, because you'll be on your own there.

> 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> openLDAP architecture

This is also just a matter of playing with LDIFs (depending on how close
or far the schema you'll choose for your custom solution is) and you
should know how to do this if you are planning on your own custom setup.
Again if you don't you should ask yourself how likely it is you'll be
able to support yourself.

> Do you know if there are other things necessary to recreate in the LDAP or
> in the KDC ?

Look at kdb5_ldap_util from MIT krb5.

> Additionally, do you have a list of points which could help to convince to
> keep the freeipa architecture ?

The FreeIPA installer goes through a few hundred steps just to set up
the system, and this does not take into account the integration plugins
we built, and the management features that will be completely missing in
a bare openldap+mit system for things as simple as "allow a non-ldap
expert to create a user, manage its passwords and groups", also Access
control, delegation, etc... the feature list is huge.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
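The "playing with LDIFs" step above, as an added example that is not part of the thread or of FreeIPA itself: it filters a FreeIPA user export into LDIF a stock OpenLDAP can load, dropping the IPA/KDC-only schema and re-rooting DNs. The suffixes, the dropped objectClass/attribute sets and the sample entry (with a placeholder hash and key) are assumptions constructed for the example; krbPrincipalKey is stripped because it is encrypted under the IPA KDC master key, so principals have to be re-created in the new KDC (step 1) rather than copied.

```python
import re
# Added example, not from the thread. Assumed suffixes; the sets list IPA/KDC
# schema that stock OpenLDAP lacks, so those classes and attributes are dropped.
OLD_SUFFIX = "dc=ipa,dc=example,dc=com"
NEW_SUFFIX = "dc=example,dc=com"
DROP_CLASSES = {"ipaobject", "ipasshuser", "krbprincipalaux",
                "krbticketpolicyaux", "ipantuserattrs", "meporiginentry"}
DROP_ATTRS = {"ipauniqueid", "krbprincipalname", "krbcanonicalname", "krbprincipalkey",
              "krblastpwdchange", "krbpasswordexpiration", "ipanthash", "memberof"}
DN_ATTRS = {"dn", "member", "uniquemember", "manager"}

# Constructed sample export; the hash and the key are placeholders, not real data.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ipaobject
objectClass: krbprincipalaux
uid: alice
cn: Alice Example
sn: Example
krbPrincipalName: alice@IPA.EXAMPLE.COM
krbPrincipalKey:: AAAAAAAAAAAAAAAAAAAAAA==
ipaUniqueID: 00000000-0000-0000-0000-000000000000
userPassword: {SSHA}Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
"""

def parse_ldif(text):
    text = re.sub(r"\n ", "", text)  # unfold wrapped continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines()
                 if l and not l.startswith("#") and not l.lower().startswith("version:")]
        if lines:
            entries.append(lines)
    return entries

def rewrite_entry(lines):
    out = []
    for line in lines:
        attr, _, rest = line.partition(":")
        sep = "::" if rest.startswith(":") else ":"  # keep the base64 marker intact
        key, value = attr.lower(), rest.lstrip(":").strip()
        # krbPrincipalKey is bound to the IPA KDC master key: drop it, re-create principals.
        if key in DROP_ATTRS or (key == "objectclass" and value.lower() in DROP_CLASSES):
            continue
        if key in DN_ATTRS and value.lower().endswith(OLD_SUFFIX):
            value = value[:-len(OLD_SUFFIX)] + NEW_SUFFIX  # re-root under the new suffix
        out.append(f"{attr}{sep} {value}")
    return out

def convert(text):
    return "\n\n".join("\n".join(rewrite_entry(e)) for e in parse_ldif(text)) + "\n"
```

userPassword hashes survive only if OpenLDAP supports the stored scheme; groups referencing users by DN are re-rooted the same way through DN_ATTRS.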
