On 20.9.2013 17:36, Dmitri Pal wrote:
On 09/18/2013 07:55 AM, Andrew Lau wrote:

On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <aborr...@cica.es
<mailto:aborr...@cica.es>> wrote:

     Hi there!

     This is my situation.

     I have some users of my main domain "cica.es".

     But I also maintain a database of users of another domain, i.e.
     "example.es".

     I can apply most of the FreeIPA configuration to "cica.es" users:
     access to hosts, groups, policies, roles,

     But users of "example.es" are dummy users, who just have an LDAP
     account in order to use virtual mailboxes in

     Does anyone have any advice on how to handle this situation?

     I see some options:
      * create a second FreeIPA server, each handling its own domain.
      * get the main FreeIPA server to handle two completely different
     LDAP trees (with different root DNs; I don't know if that is possible).
      * integrate "example.es" users into specific groups, prefixing
     each group and user or something similar.

     We are talking of about 2k users in total (main domain + secondary
     domain). In addition, there is the possibility to have more than
     two domains.

     How does FreeIPA handle this kind of multi-domain environment?

     Best regards.


If your second domain is just for LDAP (this is a little similar to
what I did), it's not as fluid, as you end up limited to the two domains...

Keep FreeIPA for hosting cica.es to do your host policies etc. Then for
your virtual mailboxes, the two options we used were either:

- Change the default mail attribute in FreeIPA settings so a user would
have user.n...@example.es rather than user.dom...@cica.es in their mail
attribute, then have the LDAP config look that up rather than the username.
- The other simple alternative is to simply have LDAP search the username
and append @example.es, or not at all.


I am not sure that the answer above is 100% relevant to what has been asked.
The question was "should I merge two domains or keep them separate, and
if I merge the users into IPA, how should I do it to be able to
differentiate users from the two different original sources?"
At least this is how I interpreted the question.

I would say "it depends".
1) Are the users in the two domains the same users? If yes, then you should
follow the advice above and merge.
2) If the users are actually different users, then I would keep the two
namespaces separate and not merge. If you merge, you would be able to use
groups and prefixes and maybe special attributes, but would not be able
to put users into different subtrees. Well... you can... but the rest
of IPA would not see them if you do it right, or might be confused if
you do it wrong.

I would add one other point:
Try to be 'future-proof'. Are you 100% sure that you will never merge both sets of users? 'Never' is a long time... (Remember that you will have to solve UID/GID/naming conflicts during the merge. It will be painful.)

What is the added value of two domains?

Petr^2 Spacek


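The thread raises two practical points that are easy to check mechanically before deciding: Petr's warning that a later merge means resolving login-name, UID/GID and mail collisions, and Andrew's suggestion of having the mail server look users up by their mail attribute rather than by username. The following Python script is an added example, not code from the thread or from FreeIPA. It parses two constructed LDIF-style exports (the entries, DNs and numbers are invented for illustration), reports values that collide across the two sources, applies the "prefix the second domain's users" option from the original question (the `ex_` prefix is an arbitrary choice) to show which conflicts that does and does not remove, and builds an RFC 4515-escaped search filter for the mail-attribute lookup so that an address taken from a mail client cannot change the filter's structure.

```python
"""Preflight check for merging users from a second domain into an existing
FreeIPA directory. Added example for the thread above, not FreeIPA code.
Attribute names follow the standard posixAccount/inetOrgPerson schema."""
from collections import defaultdict

# Constructed sample exports (single-line attributes, blank line between entries).
CICA_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=cica,dc=es
uid: jsmith
uidNumber: 10001
gidNumber: 10001
mail: jsmith@cica.es

dn: uid=mperez,cn=users,cn=accounts,dc=cica,dc=es
uid: mperez
uidNumber: 10002
gidNumber: 10002
mail: mperez@cica.es
"""

EXAMPLE_LDIF = """\
dn: uid=jsmith,ou=people,dc=example,dc=es
uid: jsmith
uidNumber: 10002
gidNumber: 500
mail: jsmith@example.es

dn: uid=alopez,ou=people,dc=example,dc=es
uid: alopez
uidNumber: 20001
gidNumber: 500
mail: mperez@cica.es
"""

# Attributes whose values must stay unique across the merged directory.
CONFLICT_ATTRS = ("uid", "uidnumber", "gidnumber", "mail")


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64) into dicts with lowercase keys."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip().lower()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def find_conflicts(primary, secondary):
    """Return {attr: {value: [dn, ...]}} for values that occur in both user sets."""
    index = defaultdict(lambda: defaultdict(list))
    for entry in primary:
        for attr in CONFLICT_ATTRS:
            if attr in entry:
                index[attr][entry[attr]].append(entry["dn"])
    conflicts = defaultdict(dict)
    for entry in secondary:
        for attr in CONFLICT_ATTRS:
            value = entry.get(attr)
            if value is not None and value in index[attr]:
                dns = conflicts[attr].setdefault(value, list(index[attr][value]))
                dns.append(entry["dn"])
    return {attr: dict(vals) for attr, vals in conflicts.items()}


def prefix_secondary(entries, prefix):
    """The 'prefix each user' option from the thread: rename logins, leave numeric IDs alone."""
    return [dict(entry, uid=prefix + entry["uid"]) for entry in entries]


# RFC 4515 filter-value escaping; applied character by character, so the
# backslash is escaped without re-escaping the sequences it produces.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mail_lookup_filter(address):
    """Filter for Andrew's approach: resolve the mailbox owner by mail, not by uid."""
    return "(&(objectClass=inetOrgPerson)(mail=%s))" % escape_filter_value(address)


if __name__ == "__main__":
    cica, example = parse_ldif(CICA_LDIF), parse_ldif(EXAMPLE_LDIF)
    print("before prefixing:", find_conflicts(cica, example))
    print("after prefixing: ", find_conflicts(cica, prefix_secondary(example, "ex_")))
    print(mail_lookup_filter("j*(x)@example.es"))
```

Run it and the point of the thread shows up directly: prefixing the logins removes the `uid` collision but leaves the `uidNumber` and `mail` collisions in place, which is exactly the part of the merge Petr says will be painful. The filter builder is the piece the mail server would use; without the escaping, an address such as `*)(uid=*` would match every inetOrgPerson entry in the tree.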