[Freeipa-users] FreeIPA – AD Trust Integration Option

Saqib N Ali saqib.n.ali at seagate.com
Thu Jun 16 16:15:32 UTC 2016


Rob, is there an architecture document/diagram that describes how 389-ds fits in
the FreeIPA w/ AD Trust setup?

On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Saqib N Ali wrote:
>
>> Hi Alexander,
>>
>> I understand that with Trust to AD, we can use AD for System of Records
>> for the User Accounts.
>>
>> We do want IPA to maintain the policies, but just want to use SunLDAP
>> instead of 389 Directory Server for storing the policies. From
>> Enterprise Architecture point of view, 389 Directory Server would be Yet
>> Another Directory Server in our environment. It seems an overkill if we
>> already have SunLDAP.
>>
>
> 389-ds is an integral part of IPA, it isn't just a data sink.
>
> rob
>
>> Thanks,
>> Saqib
>>
>> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <abokovoy at redhat.com
>> <mailto:abokovoy at redhat.com>> wrote:
>>
>>     On Wed, 15 Jun 2016, Saqib N Ali wrote:
>>
>>         Greetings,
>>
>>         If we want to use the FreeIPA Active Directory Trust Integration
>>         Option,
>>         can we use an existing implementation of SunLDAP to store the
>>         Policies
>>         (e.g. sudo, hbac etc.)
>>
>>         Essentially we don't want to create another LDAP Directory just for
>>         storing the
>>         Policies.
>>
>>     FreeIPA cannot work with another LDAP Directory. It is an integrated
>>     solution that relies on a set of plugins in the 389-ds directory; there
>>     are about a dozen specialized plugins that come with FreeIPA itself.
>>
>>     The Trust to Active Directory option is part of that setup and cannot be
>>     done against another LDAP directory because it also relies on the
>>     specific plugins to 389-ds that don't exist in your SunLDAP.
>>
>>     If you deploy FreeIPA, you cannot have it 'just for storing the
>>     policies'. It will be used for all kinds of objects. With trust to
>>     Active Directory you may opt to not create native IPA users but then
>>     these wouldn't be coming from your SunLDAP directory either, AD users
>>     would be coming from AD.
>>
>>
>>     --
>>     / Alexander Bokovoy
>>
>
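Alexander's point that FreeIPA is "a set of plugins in 389-ds" can be checked directly on an IPA server: the IPA-specific plugins are registered as ordinary 389-ds plugin entries under cn=plugins,cn=config, and the shared objects FreeIPA ships are named libipa_*. The following is an added example, not code from the thread or from the FreeIPA project. It parses an LDIF dump of that subtree (a constructed sample is embedded; plugin names in it are illustrative) and lists the libipa* plugins with their enabled state. The ldapsearch invocation in the comment assumes a live IPA server and a valid Kerberos ticket.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread).
# List the FreeIPA-specific plugins loaded into a 389-ds instance, from an
# LDIF dump of cn=plugins,cn=config. The attribute names used here are the
# standard 389-ds plugin-entry attributes; FreeIPA's plugin shared objects
# are named libipa_* (e.g. libipa_pwd_extop, libipa_sidgen).

# Read LDIF on stdin; print "<pluginId><TAB><enabled>" for every entry whose
# nsslapd-pluginPath starts with "libipa". Caveat: this assumes one attribute
# per line, as ldapsearch -LLL emits for these short values; base64-encoded
# ("::") or folded values are not handled.
ipa_plugins_from_ldif() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one LDIF entry per record
        {
            id = ""; path = ""; enabled = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^nsslapd-pluginId: /)      { id = substr($i, 19) }
                if ($i ~ /^nsslapd-pluginPath: /)    { path = substr($i, 21) }
                if ($i ~ /^nsslapd-pluginEnabled: /) { enabled = substr($i, 24) }
            }
            if (path ~ /^libipa/) { printf "%s\t%s\n", id, enabled }
        }'
}

# Convenience: number of libipa* plugins found in the LDIF on stdin.
count_ipa_plugins() {
    ipa_plugins_from_ldif | grep -c .
}

# Constructed sample LDIF (stands in for real ldapsearch output; the exact
# cn/pluginId values on a live server may differ). The third entry is a
# stock 389-ds plugin and must be filtered out.
SAMPLE_LDIF='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginId: ipa_pwd_extop
nsslapd-pluginPath: libipa_pwd_extop
nsslapd-pluginEnabled: on

dn: cn=IPA SIDGEN,cn=plugins,cn=config
cn: IPA SIDGEN
nsslapd-pluginId: ipa_sidgen
nsslapd-pluginPath: libipa_sidgen
nsslapd-pluginEnabled: on

dn: cn=ACL Plugin,cn=plugins,cn=config
cn: ACL Plugin
nsslapd-pluginId: acl
nsslapd-pluginPath: libacl-plugin
nsslapd-pluginEnabled: on
'

# Stand-alone run: parse the constructed sample.
printf '%s' "$SAMPLE_LDIF" | ipa_plugins_from_ldif

# On a real IPA server (requires a Kerberos ticket, e.g. after `kinit admin`),
# the same function can be fed live data:
#   ldapsearch -LLL -Y GSSAPI -b cn=plugins,cn=config -s one \
#       '(nsslapd-pluginPath=libipa*)' \
#       nsslapd-pluginId nsslapd-pluginPath nsslapd-pluginEnabled \
#     | ipa_plugins_from_ldif
```

Running the live form on an IPA master shows the full set of libipa* plugins the server depends on, which is the concrete reason a foreign directory such as SunLDAP cannot be substituted for 389-ds: those plugin entries would have nowhere to load.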