On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <aborr...@cica.es> wrote:

> Hi there!
> This is my situation.
> I have some users of my main domain "cica.es".
> But I also maintain a database of users of other domains, i.e. "example.es".
> I can apply most of FreeIPA configuration to "cica.es" users: access to
> hosts, groups, policies, roles, etc.
> But users of "example.es" are dummy users, who just have an LDAP account
> in order to use virtual mailboxes in Postfix/Dovecot.
> Does anyone have any advice on how to handle this situation?
> I see some options:
>  * create a second FreeIPA server, each to handle its own domain.
>  * get the main FreeIPA server to handle two completely different LDAP trees
> (with different root DNs, don't know if possible).
>  * integrate "example.es" users into specific groups, "prefix" or
> something each group and user.
> We are talking of about 2k users in total (main domain + secondary
> domain). In addition, there is the possibility to have more than two
> domains.
> How does FreeIPA handle this multi-domain environment?
> Best regards.
> --

If your second domain is just for LDAP, this is a little similar to what I
did. It's not as fluid, as you end up limited to the two domains...

Keep the FreeIPA for hosting cica.es to do your host policies etc. Then for
your virtual mailboxes, two options we used were either:

- Change the default mail attribute in FreeIPA settings so a user would have
user.n...@example.es rather than user.dom...@cica.es in their mail
attribute, then have the LDAP config look up that rather than the username
- The other simple alternative is to simply have LDAP search the username and
append @example.es or not at all.

Freeipa-users mailing list
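
The two lookup options described in the reply above, written as Postfix LDAP table files. This is an added example, not configuration from the thread. The host name `ipa.cica.es`, the `postfix` system account, the file names and the placeholder password are assumptions; the base DN follows the standard FreeIPA layout for a `cica.es` realm.

```ini
# --- /etc/postfix/ldap-vmailbox-by-mail.cf (assumed file name) ---
# Option 1: match the full recipient address against the mail attribute.
# Assumed IPA host; use TLS so the bind password is not sent in clear text.
server_host = ldaps://ipa.cica.es
version = 3
# Bind as a dedicated read-only system account (assumed name) instead of
# allowing anonymous reads or reusing an admin DN.
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=cica,dc=es
# Placeholder value; keep this file readable by root and postfix only.
bind_pw = REPLACE_WITH_SECRET
search_base = cn=users,cn=accounts,dc=cica,dc=es
scope = one
# %s is the whole address; Postfix escapes it for use in an LDAP filter.
query_filter = (&(objectClass=inetOrgPerson)(mail=%s))
result_attribute = uid

# --- /etc/postfix/ldap-vmailbox-by-uid.cf (assumed file name) ---
# Option 2: search on the username and treat the domain as implied.
server_host = ldaps://ipa.cica.es
version = 3
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=cica,dc=es
bind_pw = REPLACE_WITH_SECRET
search_base = cn=users,cn=accounts,dc=cica,dc=es
scope = one
# Only addresses in this domain are looked up. Without this restriction the
# local part of an address in any domain would match a uid in the directory.
domain = example.es
# %u is the local part of the address (the text before the @).
query_filter = (&(objectClass=inetOrgPerson)(uid=%u))
result_attribute = uid
```

Either file is referenced from `main.cf` as `ldap:/etc/postfix/<file>.cf`, and a lookup can be checked with `postmap -q <address> ldap:/etc/postfix/<file>.cf` before it goes live.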
