The school has had its own Kerberos-LDAP for a decade but it's a one-off; they 
are computer science so have "rocket scientists" to run it....it's not what we 
want to use as we need to consider "normal" users and Windows admins who need to 
be able to use a solution...

It's good to know the Kerberos linking up would work....another plus for 
IPA....because it's probable that this will be a requirement further along, but 
if I have to look for something with all the bells and whistles it's 100s of K 
and a long time to put it in, and huge opex costs....and TCO-wise I don't see it 
as worthwhile (think Oracle Identity).....hence something low cost that does 
90% of what we need, i.e. the real core functionality, is the only sane / cost 
effective way IMHO.

From: Simo Sorce [s...@redhat.com]
Sent: Friday, 27 May 2011 1:10 a.m.
To: Steven Jones
Cc: Christian Horn; Erinn Looney-Triggs; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

On Thu, 2011-05-26 at 05:51 +0000, Steven Jones wrote:
> Quickly as I'm late.
> We are setting up cross realm from AD to a school who runs MIT Kerberos with 
> OpenLDAP underneath....A Windows client in our domain can then connect to a 
> school resource where it's connected to the school's centralised setup....
> So it's possible, yes.
> Not with FreeIPA from what I've seen posted, yet...next version I am assuming 
> so.

FreeIPA does not give you UI or tools to do it, although creating a
Kerberos trust is a very simple matter using kadmin.local to create the
proper principals.

Everything else would work like in the Kerberos+OpenLDAP setup in the
school you mention.

So it is technically possible, we simply do not yet make it easy for you
by providing wrappers.


Simo Sorce * Red Hat, Inc * New York
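
The "proper principals" mentioned above are the cross-realm `krbtgt` entries. The following is an added sketch, not part of the original thread and not FreeIPA tooling, that derives them for a trust, prints the `kadmin.local` commands for the MIT KDC side, and checks `listprincs` output for missing entries. The realm names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; realm names are constructed placeholders.
LC_ALL=C; export LC_ALL

# Realms are case sensitive; this sketch insists on the upper-case convention
# because a case mismatch between the two KDCs breaks the trust.
valid_realm() {
    case $1 in ''|*[!A-Z0-9.-]*) return 1 ;; esac
}

# $1 = realm whose users authenticate, $2 = realm hosting the services,
# $3 = "one-way" (default) or "two-way".
# Users of $1 reach services in $2 through the principal krbtgt/$2@$1.
trust_principals() {
    valid_realm "$1" && valid_realm "$2" || { echo "bad realm name" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "realms must differ" >&2; return 1; }
    echo "krbtgt/$2@$1"
    [ "${3:-one-way}" = two-way ] && echo "krbtgt/$1@$2"
    return 0
}

# Print (not run) the commands for the MIT KDC. addprinc prompts for the
# password; do not use -randkey here, because the same principal must carry
# the same key and key version on the other realm's KDC as well.
kadmin_commands() {
    principals=$(trust_principals "$@") || return 1
    for p in $principals; do
        printf 'kadmin.local -q "addprinc %s"\n' "$p"
    done
}

# Feed `kadmin.local -q listprincs` output on stdin; prints the trust
# principals that are still absent from that KDC.
missing_principals() {
    wanted=$(trust_principals "$@") || return 1
    have=$(cat)
    for p in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$p" || echo "$p"
    done
}

# Constructed case: AD users reaching services in an MIT/IPA realm, both ways.
kadmin_commands AD.EXAMPLE.COM IPA.EXAMPLE.COM two-way
```

The Active Directory side of the trust is created with AD's own tools and must be given the same password and compatible encryption types.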
