Dear FreeIPA community,

I have a bunch of requirements that I am looking for from ipa-server. Please clarify if these are possible.

Background: We are planning to deploy 389-ds (formerly Fedora DS) as our core LDAP server in a Multi-Master Replication scenario. We will have a set of slave servers to cater to different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers the PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and Kerberos to get that working. Some of the features I am looking for are:

   1. Easy setup of PAM Pass-thru, where 389-ds queries Active
      Directory for the password.

If you have PAM Kerberos auth working, you should be able to use PAM Pass-thru. I don't know the details, though, but I do know that this is one of the primary use cases: to allow simple bind (username/password auth) clients to use their Kerberos password.


   2. Syncing new users automatically between AD and 389-ds, including
      UNIX attributes in AD (after installing SFU 3.5). Though the Windows
      Sync agreement does it, we are looking for finer control over
      the OUs and objectclasses/attributes imported.

The IPA winsync plugin will add missing posix attributes when syncing a new user entry from AD to IPA. It will not keep them in sync.


   3. Password changes in the UNIX world are reflected in AD.

Yes. IPA winsync will sync password changes from IPA to AD.


   4. Netgroups, adding hosts to the Directory server and have an
      inventory with hostname and IP address and/or perform basic host

Winsync will not sync the netgroups schema.


   5. Create ACIs such that the support team only has access to create
      LDAP accounts and update group memberships.
   6. How easy is it going to be if upgraded from 1.2.2 to 2.0?
      Any issues anticipated?

I am still going through the vast Admin Guide, release notes, and user config guide to get these answers and learn more. Also, let me know if it is worth waiting till 2.0.


Freeipa-users mailing list