[Freeipa-users] FreeIPA – AD Trust Integration Option

Rob Crittenden rcritten at redhat.com
Thu Jun 16 16:08:27 UTC 2016


Saqib N Ali wrote:
> Hi Alexander,
>
> I understand that with Trust to AD, we can use AD for System of Records
> for the User Accounts.
>
> We do want IPA to maintain the policies, but just want to use SunLDAP
> instead of 389 Directory Server for storing the policies. From an
> Enterprise Architecture point of view, 389 Directory Server would be Yet
> Another Directory Server in our environment. It seems like overkill if we
> already have SunLDAP.

389-ds is an integral part of IPA; it isn't just a data sink.

rob

> Thanks,
> Saqib
>
> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>     On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
>         Greetings,
>
>         If we want to use the FreeIPA Active Directory Trust Integration Option,
>         can we use an existing implementation of SunLDAP to store the Policies
>         (e.g. sudo, hbac, etc.)?
>
>         Essentially we don't want to create another LDAP Directory just for
>         storing the Policies.
>
>     FreeIPA cannot work with another LDAP Directory. It is an integrated
>     solution that relies on the set of plugins in 389-ds directory; there
>     are about a dozen specialized plugins that come with FreeIPA itself.
>
>     Trust to Active Directory option is part of that setup and cannot be
>     done against another LDAP directory because it also relies on the
>     specific plugins to 389-ds that don't exist in your SunLDAP.
>
>     If you deploy FreeIPA, you cannot have it 'just for storing the
>     policies'. It will be used for all kinds of objects. With trust to
>     Active Directory you may opt to not create native IPA users but then
>     these wouldn't be coming from your SunLDAP directory either, AD users
>     would be coming from AD.
>
>
>     --
>     / Alexander Bokovoy