On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 13.1.2014 15:50, Alexander Bokovoy wrote:
>> On Mon, 13 Jan 2014, tizo wrote:
>>> Hi there,
>>> We have a working authentication system for GNU/Linux consisting of an MIT
>>> Kerberos server, and an OpenLDAP directory with a particular structure. I
>>> was wondering if we could use FreeIPA to administer those working
>>> components as they are, without having to deploy a new FreeIPA server
>> In short, no, it is not possible.
> I would like to elaborate on this a bit more:
> You really can't use the FreeIPA WebUI with a home-grown LDAP+Kerberos system,
> but FreeIPA provides migrate-ds scripts which ease the transition from
> Please see
> You need to migrate OpenLDAP data to one FreeIPA server and then you can
> simply create FreeIPA server replicas as needed.
> In other words, the migrate-ds script is run only once even if you have
> multiple servers with replicated data.
> There are some limited capabilities for migration with user passwords, but
> I will let other people elaborate - this is not my area of expertise.
> Let us know if you need any assistance during migration.
> Petr^2 Spacek
I had discarded the FreeIPA option, as we couldn't use our OpenLDAP server
and Kerberos as they were. Now, I am thinking that it could be very useful for
us (because of another reason), but I have a question about it. In short:
can the FreeIPA internal LDAP server be used as any other LDAP server?
In detail: we have some Java applications that use authentication against
our actual OpenLDAP server. The LDAP authentication is used in this case,
with an overlay for password policies (as in
users that would use FreeIPA are a subset of the users that use the Java
applications. So, I would like that, at least at first, users from Java
applications continue authenticating as they are doing now. I don't know if
that can be done, and I have never worked with 389 directory service, so
any help is appreciated.