<div dir="ltr">Great! Thanks very much Simo. </div><div class="gmail_extra"> <div class="gmail_quote">On Tue, May 27, 2014 at 3:02 PM, Simo Sorce <<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, 2014-05-27 at 14:24 -0300, tizo wrote: > On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> wrote: > > > On 13.1.2014 15:50, Alexander Bokovoy wrote: > > > >> On Mon, 13 Jan 2014, tizo wrote: > >> > >>> Hi there, > >>> > >>> We have a working authentication system for GNU/Linux consisting in a Mit > >>> Kerberos Server, and an OpenLDAP directory with a particular structure. I > >>> was wondering if we could use Freeipa to administer those working > >>> components as they are, without having to deploy a new Freeipa server > >>> from > >>> scratch. > >>> > >> In short, no, it is not possible. > >> > > > > I would like to elaborate this a bit more: > > You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos system, > > but FreeIPA provides migrate-ds scripts which ease the transition from > > OpenLDAP. > > > > Please see > > <a href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_</a> > > Guide/Migrating_from_a_Directory_Server_to_IPA.html > > > > You need to migrate OpenLDAP data to one FreeIPA server and then you can > > simply create FreeIPA server replicas as need. > > > > In other words, the migrate-ds script is run only once even if you have > > multiple servers with replicated data. > > > > There are some limited capabilities for migration with user passwords, but > > I will let other people to elaborate - this is not area of my expertise. > > > > Let us know if you need any assistance during migration. > > > > -- > > Petr^2 Spacek > > > > I had discarded the Freeipa option, as we couldn't use our OpenLDAP server > and Kerberos as they were. Now, I am thinking that could be very useful for > us (because of another reason), but I have a question about it. In short: > can Freeipa internal LDAP server be used as any other LDAP server?. > > In detail: we have some Java applications that use authentication against > our actual OpenLDAP server. The LDAP authentication is used in this case, > with an overlay for password policies (as in > <a href="http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies" target="_blank">http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies</a>). The > users that would use Freeipa are a subset from the users that use the Java > applications. So, I would like that, at least at first, users from Java > applications continue authenticating as they are doing now. I don't know if > that can be done, and I have never worked with 389 directory service, so > any help is appreciated. </div></div>FreeIPA uses a full LDAPv3 compliant LDAP server called 389ds: <a href="http://port389.org" target="_blank">http://port389.org</a> It allows LDAP binds and extensions to schema just like any other fully featured LDAP server. Simo. -- Simo Sorce * Red Hat, Inc * New York </blockquote></div> </div>