I'm a sysadmin at a smallish department at my university. We're
investigating FreeIPA to replace our homegrown OpenLDAP/Perl script user
management stuff. The difficulty we're facing is that the university has
standardized on Active Directory and they've got it pretty well locked
down. We currently use the university's Kerberos for authentication and
our OpenLDAP instance to store user/group data. When we create a new
user, a Perl script copies the relevant data from AD via an authenticated
LDAP bind, since they do not support anonymous binds. For groups we just
maintain the ones within our LDAP environment (AD groups are never
copied). For hosts we have a private network where we use nss_ldap to
look up hosts and then fall back to the university's DNS.
All of the documentation that I've been able to find on FreeIPA seems to
assume that the people setting up FreeIPA have full access to AD and can
modify the structure/security settings. This is not the case for us,
since a different group handles it, and due to the vastness of the
university they are reluctant to make any changes.
Is there any way to integrate FreeIPA into an environment such as ours
or am I going to have to continue with my homegrown way of doing things?
Digital Library Program
Freeipa-users mailing list
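The provisioning step the poster describes (an authenticated bind to AD, then copying a user's attributes into the department's own OpenLDAP) is shown below as an added example; it is not the poster's Perl script and not FreeIPA code. It assumes the ldap3 package for the live AD lookup, the usual AD attribute names (sAMAccountName, displayName, givenName, sn, mail), and a made-up local layout (ou=People under dc=dept,dc=example,dc=edu, uidNumbers from 10000). The pure mapping functions run offline on a constructed AD entry; only fetch_ad_user needs a real directory.

```python
"""AD -> OpenLDAP user provisioning (added example, not the poster's script).

Assumptions: ldap3 is available for fetch_ad_user; AD attribute names are the
standard ones; PEOPLE_BASE, HOME_ROOT and the uid range are placeholders.
"""
import base64
import ssl

# Constructed local-directory layout (placeholders, not from the post).
PEOPLE_BASE = "ou=People,dc=dept,dc=example,dc=edu"
HOME_ROOT = "/home"
LOGIN_SHELL = "/bin/bash"
DEFAULT_GID = 1000


def ldif_value(attr, value):
    """Render one attribute line per RFC 2849: plain 'attr: v' when the value is
    safe, otherwise base64 'attr:: v' (non-ASCII, NUL/CR/LF, a leading space,
    colon or '<', or a trailing space all force base64)."""
    s = str(value)
    safe = (
        s.isascii()
        and not s.startswith((" ", ":", "<"))
        and not s.endswith(" ")
        and not any(c in s for c in "\r\n\0")
    )
    if safe:
        return f"{attr}: {s}"
    return f"{attr}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"


def next_uid(existing_uids, start=10000, end=19999):
    """Lowest free uidNumber in the department's range, given the uidNumbers
    already present in the local directory."""
    used = set(existing_uids)
    for uid in range(start, end + 1):
        if uid not in used:
            return uid
    raise RuntimeError("uidNumber range exhausted")


def ad_user_to_ldif(ad_entry, uid_number):
    """Map an AD user (dict attribute -> value) onto a local inetOrgPerson +
    posixAccount entry and return it as LDIF. Only account attributes are
    copied; AD group membership is deliberately not carried over, and no
    userPassword is written because authentication stays with the KDC."""
    login = ad_entry["sAMAccountName"].lower()
    # The login becomes part of the DN and the home path: refuse anything
    # outside a conservative ASCII charset instead of trying to escape it.
    if not login or not all(c.isascii() and (c.isalnum() or c in "._-") for c in login):
        raise ValueError(f"unacceptable login name {login!r}")
    sn = ad_entry.get("sn") or login
    given = ad_entry.get("givenName", "")
    cn = ad_entry.get("displayName") or f"{given} {sn}".strip()
    lines = [
        f"dn: uid={login},{PEOPLE_BASE}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_value("uid", login),
        ldif_value("cn", cn),
        ldif_value("sn", sn),
    ]
    if given:
        lines.append(ldif_value("givenName", given))
    if ad_entry.get("mail"):
        lines.append(ldif_value("mail", ad_entry["mail"]))
    lines += [
        f"uidNumber: {uid_number}",
        f"gidNumber: {DEFAULT_GID}",
        f"homeDirectory: {HOME_ROOT}/{login}",
        f"loginShell: {LOGIN_SHELL}",
    ]
    return "\n".join(lines) + "\n"


def fetch_ad_user(ad_host, bind_dn, bind_password, search_base, login):
    """Look up one user in AD with an authenticated simple bind over LDAPS.
    AD here refuses anonymous binds, so a service-account DN and password are
    needed; LDAPS with certificate validation keeps that password off the wire
    in clear (ldap3 does NOT validate the server certificate unless told to).
    Requires the ldap3 package (assumption); imported lazily so the mapping
    functions above work without it."""
    from ldap3 import ALL, Connection, Server, Tls
    from ldap3.utils.conv import escape_filter_chars

    tls = Tls(validate=ssl.CERT_REQUIRED)  # system CA store
    server = Server(ad_host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    conn = Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    attrs = ["sAMAccountName", "displayName", "givenName", "sn", "mail"]
    # escape_filter_chars stops a crafted login from rewriting the filter.
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_chars(login)}))"
    conn.search(search_base, flt, attributes=attrs)
    if len(conn.entries) != 1:
        raise LookupError(f"expected one AD user for {login!r}, got {len(conn.entries)}")
    raw = conn.entries[0].entry_attributes_as_dict
    return {a: raw[a][0] for a in attrs if raw.get(a)}


if __name__ == "__main__":
    # Constructed AD entry standing in for what fetch_ad_user would return.
    sample = {"sAMAccountName": "JDoe", "displayName": "Jane Doe",
              "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.edu"}
    print(ad_user_to_ldif(sample, next_uid({10000, 10001})), end="")
```

The resulting LDIF is what the local `ldapadd` would consume; keeping the bind credentials for the AD service account out of the script (an `ldap.conf`-style file or a secrets store readable only by the provisioning user) is the part the example leaves to the deployment.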