I'm a sysadmin at a smallish department at my university. We're investigating FreeIPA to replace our homegrown openldap/perl script user management stuff. The difficulty we're facing is that the university has standardized on Active Directory and they've got it pretty well locked down. We currently use the university's kerberos for authentication and our openldap instance to store user/group data. When we create a new user, a perl script copies the relevant data from AD via an authenticated ldap bind, since they do not support anonymous binds. For groups we just maintain the ones within our ldap environment (AD groups are never copied). For hosts we have a private network in which we use nss_ldap to look up hosts and then fall back to the university's DNS.

All of the documentation that I've been able to find on FreeIPA seems to assume that the people setting up FreeIPA have full access to AD and can modify the structure/security settings. This is not the case for us, since a different group handles it and, due to the vastness of the university, they are reluctant to make any changes.

Is there any way to integrate FreeIPA into an environment such as ours or am I going to have to continue with my homegrown way of doing things?


Brian Wheeler
System Administrator
Digital Library Program
Indiana University

Freeipa-users mailing list