[Freeipa-users] FreeIPA – AD Trust Integration Option

Saqib N Ali saqib.n.ali at seagate.com
Thu Jun 16 15:41:56 UTC 2016


Hi Alexander,

I understand that with Trust to AD, we can use AD for System of Records for
the User Accounts.

We do want IPA to maintain the policies, but just want to use SunLDAP
instead of 389 Directory Server for storing the policies. From Enterprise
Architecture point of view, 389 Directory Server would be Yet Another
Directory Server in our environment. It seems an overkill if we already
have SunLDAP.

Thanks,
Saqib

On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
>> Greetings,
>>
>> If we want to use the FreeIPA Active Directory Trust Integration Option,
>> can we use an existing implementation of SunLDAP to store the Policies
>> (e.g. sudo, hbac etc.)?
>>
>> Essentially we don't want to create another LDAP Directory just for storing the
>> Policies.
>>
> FreeIPA cannot work with another LDAP Directory. It is an integrated
> solution that relies on the set of plugins in 389-ds directory, there
> are about a dozen specialized plugins that come with FreeIPA itself.
>
> Trust to Active Directory option is part of that setup and cannot be
> done against another LDAP directory because it also relies on the
> specific plugins to 389-ds that don't exist in your SunLDAP.
>
> If you deploy FreeIPA, you cannot have it 'just for storing the
> policies'. It will be used for all kinds of objects. With trust to
> Active Directory you may opt to not create native IPA users but then
> these wouldn't be coming from your SunLDAP directory either, AD users
> would be coming from AD.
>
>
> --
> / Alexander Bokovoy
>