[Freeipa-users] FreeIPA – AD Trust Integration Option
Saqib N Ali
saqib.n.ali at seagate.com
Thu Jun 16 16:15:32 UTC 2016
Rob, is there an architecture document/diagram that describes how 389-ds is
used in the FreeIPA w/ AD Trust setup?
On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Saqib N Ali wrote:
>
>> Hi Alexander,
>>
>> I understand that with a Trust to AD, we can use AD as the System of Record
>> for the User Accounts.
>>
>> We do want IPA to maintain the policies, but we just want to use SunLDAP
>> instead of 389 Directory Server for storing the policies. From an
>> Enterprise Architecture point of view, 389 Directory Server would be Yet
>> Another Directory Server in our environment. It seems overkill if we
>> already have SunLDAP.
>>
>
> 389-ds is an integral part of IPA; it isn't just a data sink.
>
> rob
>
>> Thanks,
>> Saqib
>>
>> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>>
>>> Greetings,
>>>
>>> If we want to use the FreeIPA Active Directory Trust Integration Option,
>>> can we use an existing implementation of SunLDAP to store the Policies
>>> (e.g. sudo, hbac etc.)?
>>>
>>> Essentially we don't want to create another LDAP Directory just for
>>> storing the Policies.
>>
>> FreeIPA cannot work with another LDAP Directory. It is an integrated
>> solution that relies on a set of plugins in the 389-ds directory; there
>> are about a dozen specialized plugins that come with FreeIPA itself.
>>
>> The Trust to Active Directory option is part of that setup and cannot be
>> done against another LDAP directory because it also relies on specific
>> plugins for 389-ds that don't exist in your SunLDAP.
>>
>> If you deploy FreeIPA, you cannot have it 'just for storing the
>> policies'. It will be used for all kinds of objects. With a trust to
>> Active Directory you may opt not to create native IPA users, but then
>> these wouldn't be coming from your SunLDAP directory either; AD users
>> would be coming from AD.
>>
>> --
>> / Alexander Bokovoy
>