On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <[email protected]> wrote:
> On 13.1.2014 15:50, Alexander Bokovoy wrote: > >> On Mon, 13 Jan 2014, tizo wrote: >> >>> Hi there, >>> >>> We have a working authentication system for GNU/Linux consisting in a Mit >>> Kerberos Server, and an OpenLDAP directory with a particular structure. I >>> was wondering if we could use Freeipa to administer those working >>> components as they are, without having to deploy a new Freeipa server >>> from >>> scratch. >>> >> In short, no, it is not possible. >> > > I would like to elaborate this a bit more: > You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos system, > but FreeIPA provides migrate-ds scripts which ease the transition from > OpenLDAP. > > Please see > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_ > Guide/Migrating_from_a_Directory_Server_to_IPA.html > > You need to migrate OpenLDAP data to one FreeIPA server and then you can > simply create FreeIPA server replicas as need. > > In other words, the migrate-ds script is run only once even if you have > multiple servers with replicated data. > > There are some limited capabilities for migration with user passwords, but > I will let other people to elaborate - this is not area of my expertise. > > Let us know if you need any assistance during migration. > > -- > Petr^2 Spacek > I had discarded the Freeipa option, as we couldn't use our OpenLDAP server and Kerberos as they were. Now, I am thinking that could be very useful for us (because of another reason), but I have a question about it. In short: can Freeipa internal LDAP server be used as any other LDAP server?. In detail: we have some Java applications that use authentication against our actual OpenLDAP server. The LDAP authentication is used in this case, with an overlay for password policies (as in http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The users that would use Freeipa are a subset from the users that use the Java applications. So, I would like that, at least at first, users from Java applications continue authenticating as they are doing now. I don't know if that can be done, and I have never worked with 389 directory service, so any help is appreciated.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
