<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> This would be the best option! But customer won't allow this :( Since the openLDAP is also used by other apps. So I need to sync them. Which means: - adding the new users (not so difficult) - removing old user (perhaps not too complicated) - replicating changes like a password update (for this one, I'm completely clueless). any idea? <div class="moz-signature"> -- Michaël Van de Borne Free Bird Computing SPRL - Gérant 104 rue d'Azebois, 6230 Thiméon Tel: +32(0)472 695716 Skype: mikemowgli TVA: BE0637.834.386 <a href="https://www.linkedin.com/in/micha%C3%ABl-van-de-borne-56409167">Linkedin profile</a> </div> <div class="moz-cite-prefix">Le 31-01-17 à 16:34, Martin Basti a écrit : </div> <blockquote cite="mid:4393499d-18a7-e87f-619c-dd3879ebc78e@redhat.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> Is there a possibility to migrate OpenLDAP to IPA DS and use only one source of Identity data? Martin^2 <div class="moz-cite-prefix">On 31.01.2017 16:30, Michaël Van de Borne wrote: </div> <blockquote cite="mid:204e9da7-ff30-9a36-e8d4-97c87c4069ea@gmail.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> mmmmh, ok, thank you. But indeed, I would need HBAC and sudo rules in the future. So I believe the only exit here is to keep openLDAP and FreeIPA in sync. Any clue on how to do this efficiently? <div class="moz-signature"> Thank you, Cheers, m. </div> <div class="moz-cite-prefix">Le 31-01-17 à 16:23, Alexander Bokovoy a écrit : </div> <blockquote cite="mid:20170131152327.4edj2n6g66qriif5@redhat.com" type="cite">On ti, 31 tammi 2017, Michaël Van de Borne wrote: <blockquote type="cite">Hello list, Here's my situation: I'm installing Hadoop for a customer, and the Hadoop cluster is secured with Kerberos. I used FreeIPA as a KDC. The customer uses openLDAP as a directory server. For now, our solution is to copy the whole openLDAP user base to FreeIPA, and then use FreeIPA for the identification and authorization (all the keytab stuff). </blockquote> you mean authentication, not authorization here. <blockquote type="cite">But keeping openLDAP and FreeIPA in sync is a nightmare, and I was wondering something: Would it be possible to configure SSSD to simultaneously target the openLDAP server to identify a user, and the FreeIPA server to get the tickets? </blockquote> Here is the thing: yes, you can do that by configuring explicitly identity and authentication providers in sssd.conf. Set identity provider to ldap and authentication provider to krb5, add necessary configuration parameters and that would work. No HBAC, no SUDO rules, etc, but that's what you want, it seems. Look at sssd-ldap and sssd-krb5 manual pages. When you configure identity provider to IPA or AD in sssd.conf, you are just setting defaults for all other providers to the defaults of IPA or AD provider. If you use a different identity provider, you'd need to define proper authentication. <blockquote type="cite">That way, we can avoid having to keep openLDAP and FreeIPA in sync... _*OR*_ Is there an efficient way to keep openLDAP and FreeIPA in sync? </blockquote> <blockquote type="cite">-- Manage your subscription for the Freeipa-users mailing list: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project </blockquote> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </blockquote> </body> </html>