[Freeipa-users] How to migrate from freeipa distribution to separate components

bahan w bahanw042014 at gmail.com
Wed Jan 13 16:10:30 UTC 2016


Re!

Thanks to both of you again for your answers, guys.

Simo, I would be very interested in this feature list in fact.
Do you know if there is a way to find it?
I would really need it, it would help a lot.

Best regards.

Bahan

On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek <mkosek at redhat.com> wrote:

> On 01/13/2016 03:57 PM, bahan w wrote:
> > Re.
> >
> > Thanks to both of you for your answers.
> >
> > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
> > kind of service that we want from IPA, even if it is not embedded in an
> > integrated solution like IPA.
> >
> > I totally agree that IPA provides a lot of things, but I am quite sure that
> > isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> > cache client like sssd or nscd/nslcd can work.
>
> It "can" work. But home grown solutions like that require non-trivial
> effort to even get started.
>
> As soon as you have more requests on such home grown infrastructure, you
> will need to implement enhancements (like something cert or DNS related).
> At that moment, you may realize you are re-implementing what FreeIPA may
> support already. The FreeIPA project was started for a reason :-)
>
> > Alexander, when I mention migration, I think of the following actions:
> > 1. Take the principals that we have for the KDC and recreate them in an
> > MIT Kerberos KDC architecture
> > 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> > OpenLDAP architecture
> >
> > Do you know if there are other things necessary to recreate in the LDAP or
> > in the KDC?
> >
> > Additionally, do you have a list of points which could help convince them
> > to keep the FreeIPA architecture?
> >
> > Best regards.
> >
> > Bahan
> >
> > On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <abokovoy at redhat.com>
> > wrote:
> >
> >> On Wed, 13 Jan 2016, bahan w wrote:
> >>
> >>> Hello Simo!
> >>>
> >>> For the reason:
> >>> The production team wants to use only the two components OpenLDAP and
> >>> MIT Kerberos, possibly on different servers.
> >>>
> >>> For the explanation:
> >>> They want to install only MIT Kerberos and OpenLDAP.
> >>> We already have an existing FreeIPA installation, with users, groups,
> >>> principals, pwpolicies.
> >>> We would like to migrate this to an OpenLDAP for the users, groups and
> >>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm
> >>> not forgetting anything).
> >>>
> >> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the
> >> IPA LDAP schema. The standard MIT Kerberos LDAP driver does not support
> >> the IPA schema.
> >>
> >> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about
> >> two dozen additional plugins. These plugins either don't exist for
> >> OpenLDAP at all or have different behavior and rely on a different LDAP
> >> schema.
> >>
> >> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> >> used by the MIT Kerberos LDAP driver because it doesn't know about that
> >> data, and the OpenLDAP server will not have the same behavior as expected
> >> by IPA clients (SSSD) in IPA-specific mode.
> >>
> >> Whatever your production team is thinking about this move, it is most
> >> certainly not properly thought out.
> >>
> >> --
> >> / Alexander Bokovoy
> >>