[Freeipa-users] FreeIPA – AD Trust Integration Option

Rob Crittenden rcritten at redhat.com
Thu Jun 16 18:11:53 UTC 2016


Saqib N Ali wrote:
> Rob, is there an architecture document/diagram that describes how 389-ds
> fits in the FreeIPA w/ AD Trust setup?

You'll find a number of pages on freeipa.org.

rob

>
> On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     Saqib N Ali wrote:
>
>         Hi Alexander,
>
>         I understand that with Trust to AD, we can use AD for System of
>         Records for the User Accounts.
>
>         We do want IPA to maintain the policies, but just want to use
>         SunLDAP instead of 389 Directory Server for storing the policies.
>         From an Enterprise Architecture point of view, 389 Directory Server
>         would be Yet Another Directory Server in our environment. It seems
>         overkill if we already have SunLDAP.
>
>
>     389-ds is an integral part of IPA, it isn't just a data sink.
>
>     rob
>
>         Thanks,
>         Saqib
>
>         On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy
>         <abokovoy at redhat.com <mailto:abokovoy at redhat.com>> wrote:
>
>              On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
>                  Greetings,
>
>                  If we want to use the FreeIPA Active Directory Trust
>                  Integration Option, can we use an existing implementation
>                  of SunLDAP to store the Policies (e.g. sudo, hbac etc.)?
>
>                  Essentially we don't want to create another LDAP Directory
>                  just for storing the Policies.
>
>              FreeIPA cannot work with another LDAP Directory. It is an
>              integrated solution that relies on the set of plugins in the
>              389-ds directory; there are about a dozen specialized plugins
>              that come with FreeIPA itself.
>
>              The Trust to Active Directory option is part of that setup and
>              cannot be done against another LDAP directory because it also
>              relies on the specific plugins to 389-ds that don't exist in
>              your SunLDAP.
>
>              If you deploy FreeIPA, you cannot have it 'just for storing the
>              policies'. It will be used for all kinds of objects. With trust
>              to Active Directory you may opt to not create native IPA users,
>              but then these wouldn't be coming from your SunLDAP directory
>              either; AD users would be coming from AD.
>
>              --
>              / Alexander Bokovoy
>
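The answer quoted above rests on one point: FreeIPA ships its own plugins into 389-ds, and both the policy handling and the AD trust depend on them. An administrator who wants to see that dependency on a running server can read the plugin entries under cn=plugins,cn=config. The POSIX shell script below is an added example, not code from this thread or from the FreeIPA project. It parses the LDIF that `ldapsearch -LLL -b cn=plugins,cn=config` returns and lists the plugins whose library path starts with `libipa`, which is an assumed heuristic for "shipped by FreeIPA", together with their enabled state. The LDIF embedded in the script is constructed sample output; the plugin names and states are illustrative and do not describe any real server.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# On a real IPA server the input would come from something like:
#   ldapsearch -LLL -Y GSSAPI -b cn=plugins,cn=config "(nsslapd-pluginId=*)" \
#       nsslapd-pluginId nsslapd-pluginEnabled nsslapd-pluginPath
# which needs rights to read cn=config (Directory Manager or an admin principal).
# SAMPLE_LDIF is constructed for offline use; entries and states are illustrative.

SAMPLE_LDIF='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
nsslapd-pluginId: ipa_pwd_extop
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libipa_pwd_extop

dn: cn=ipa_enrollment_extop,cn=plugins,cn=config
nsslapd-pluginId: ipa_enrollment_extop
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libipa_enrollment_extop

dn: cn=ipa_uuid,cn=plugins,cn=config
nsslapd-pluginId: ipa_uuid
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libipa_uuid

dn: cn=ipa-winsync,cn=plugins,cn=config
nsslapd-pluginId: ipa-winsync
nsslapd-pluginEnabled: off
nsslapd-pluginPath: libipa-winsync

dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginId: memberof
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libmemberof-plugin
'

# ipa_plugins LDIF_TEXT
# Prints "<pluginId> <enabled-state>" for each entry whose library path begins
# with "libipa" (assumed marker for FreeIPA-shipped plugins). Entries in LDIF
# are separated by a blank line, so the record is emitted on that boundary.
ipa_plugins() {
    printf '%s\n' "$1" | awk '
        /^dn: /                    { id=""; state=""; path="" }
        /^nsslapd-pluginId: /      { id=$2 }
        /^nsslapd-pluginEnabled: / { state=$2 }
        /^nsslapd-pluginPath: /    { path=$2 }
        /^$/ { if (path ~ /^libipa/) print id, state; id=""; state=""; path="" }
        END  { if (path ~ /^libipa/) print id, state }
    '
}

# count_ipa_plugins LDIF_TEXT  -> number of FreeIPA-shipped plugin entries
count_ipa_plugins() {
    ipa_plugins "$1" | wc -l | tr -d ' '
}

# disabled_ipa_plugins LDIF_TEXT -> ids of FreeIPA-shipped plugins not enabled,
# the case an operator would want flagged before relying on the trust setup
disabled_ipa_plugins() {
    ipa_plugins "$1" | awk '$2 != "on" { print $1 }'
}

# Stand-alone run against the constructed sample
ipa_plugins "$SAMPLE_LDIF"
echo "FreeIPA plugins registered: $(count_ipa_plugins "$SAMPLE_LDIF")"
echo "Disabled: $(disabled_ipa_plugins "$SAMPLE_LDIF")"
```

The `libipa` prefix is only a convenient filter; some FreeIPA plugins use other library names, so on a real server compare the full list against the plugins documented for the installed FreeIPA version rather than trusting the prefix alone.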
