[Freeipa-users] FreeIPA – AD Trust Integration Option
Rob Crittenden
rcritten at redhat.com
Thu Jun 16 18:11:53 UTC 2016
Saqib N Ali wrote:
> Rob, is there an architecture document/diagram that describes how 389-ds
> fits into the FreeIPA w/ AD Trust setup?

You'll find a number of pages on freeipa.org.

rob

> On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Saqib N Ali wrote:
>>
>>> Hi Alexander,
>>>
>>> I understand that with Trust to AD, we can use AD as the System of
>>> Record for the User Accounts.
>>>
>>> We do want IPA to maintain the policies, but just want to use SunLDAP
>>> instead of 389 Directory Server for storing the policies. From an
>>> Enterprise Architecture point of view, 389 Directory Server would be
>>> Yet Another Directory Server in our environment. It seems overkill if
>>> we already have SunLDAP.
>>
>> 389-ds is an integral part of IPA, it isn't just a data sink.
>>
>> rob
>>
>>> Thanks,
>>> Saqib
>>>
>>> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>
>>>> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>>>>
>>>>> Greetings,
>>>>>
>>>>> If we want to use the FreeIPA Active Directory Trust Integration
>>>>> Option, can we use an existing implementation of SunLDAP to store the
>>>>> Policies (e.g. sudo, hbac etc.)?
>>>>>
>>>>> Essentially we don't want to create another LDAP Directory just for
>>>>> storing the Policies.
>>>>
>>>> FreeIPA cannot work with another LDAP Directory. It is an integrated
>>>> solution that relies on the set of plugins in the 389-ds directory;
>>>> there are about a dozen specialized plugins that come with FreeIPA
>>>> itself.
>>>>
>>>> The Trust to Active Directory option is part of that setup and cannot
>>>> be done against another LDAP directory because it also relies on
>>>> specific plugins to 389-ds that don't exist in your SunLDAP.
>>>>
>>>> If you deploy FreeIPA, you cannot have it 'just for storing the
>>>> policies'. It will be used for all kinds of objects. With trust to
>>>> Active Directory you may opt to not create native IPA users, but then
>>>> these wouldn't be coming from your SunLDAP directory either; AD users
>>>> would be coming from AD.
>>>>
>>>> --
>>>> / Alexander Bokovoy
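Added example, not part of the thread and not FreeIPA's own code: Alexander's point that FreeIPA lives inside 389-ds as a set of plugins (and that the AD trust feature depends on some of them) is something you can verify on an IPA server by reading the plugin entries under cn=plugins,cn=config. The script below parses an LDIF dump of that subtree and reports which plugins ship with IPA (shared object path starting with libipa) and whether each is enabled. A constructed, trimmed LDIF sample is embedded so it runs offline; on a real server you would feed it the output of `ldapsearch -Y GSSAPI -b cn=plugins,cn=config` after `kinit`. The attribute names are the standard 389-ds ones; the specific plugin entry names and paths in the sample (ipa_extdom_extop, IPA SIDGEN, IPA Range-Check) are assumptions drawn from typical FreeIPA installs and should be checked against your own instance.

```python
"""Inventory FreeIPA-provided 389-ds plugins from an LDIF dump of
cn=plugins,cn=config. Illustrative example; not FreeIPA project code."""

import base64
from dataclasses import dataclass

# Constructed sample in the shape ldapsearch prints. Plugin names/paths are
# assumptions (verify on your server); attribute names are real 389-ds ones.
SAMPLE_LDIF = """\
dn: cn=ipa_extdom_extop,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: ipa_extdom_extop
nsslapd-pluginPath: libipa_extdom_extop
nsslapd-pluginInitfunc: ipa_extdom_init
nsslapd-pluginType: extendedop
nsslapd-pluginEnabled: on

dn: cn=IPA SIDGEN,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: IPA SIDGEN
nsslapd-pluginPath: libipa_sidgen
nsslapd-pluginInitfunc: ipa_sidgen_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on

dn: cn=IPA Range-Check,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: IPA Range-Check
nsslapd-pluginPath: libipa_range_check
nsslapd-pluginInitfunc: ipa_range_check_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: off

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
"""


@dataclass
class Plugin:
    name: str
    path: str
    plugin_type: str
    enabled: bool


def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per LDIF entry.
    Unfolds continuation lines (leading space), decodes '::' base64 values,
    skips '#' comments; entries are separated by blank lines."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def ipa_plugins(ldif_text):
    """Plugins whose shared object is IPA-provided (path starts with 'libipa')."""
    found = []
    for e in parse_ldif(ldif_text):
        classes = {oc.lower() for oc in e.get("objectclass", [])}
        path = e.get("nsslapd-pluginpath", [""])[0]
        if "nsslapdplugin" not in classes or not path.startswith("libipa"):
            continue
        found.append(Plugin(
            name=e["cn"][0],
            path=path,
            plugin_type=e.get("nsslapd-plugintype", ["?"])[0],
            enabled=e.get("nsslapd-pluginenabled", ["off"])[0].lower() == "on",
        ))
    return found


# Plugins the AD trust feature relies on (assumed names; verify locally).
TRUST_PLUGINS = {"ipa_extdom_extop", "IPA SIDGEN", "IPA Range-Check"}


def trust_readiness(ldif_text):
    """Map each expected trust plugin to 'enabled', 'disabled' or 'missing'."""
    state = {p.name: "enabled" if p.enabled else "disabled" for p in ipa_plugins(ldif_text)}
    return {name: state.get(name, "missing") for name in TRUST_PLUGINS}


if __name__ == "__main__":
    for p in ipa_plugins(SAMPLE_LDIF):
        print(f"{p.name:18} {p.path:22} {p.plugin_type:18} {'on' if p.enabled else 'off'}")
    print(trust_readiness(SAMPLE_LDIF))
```

The filter on nsslapd-pluginPath rather than on cn is deliberate: the cn of a plugin entry is free-form, while the path names the shared object actually loaded into ns-slapd, which is what "FreeIPA is a set of 389-ds plugins" really means. A plugin reported as "disabled" or "missing" for the trust set is the first thing to check when AD users fail to resolve on an IPA server.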