On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 13.1.2014 15:50, Alexander Bokovoy wrote:
>> On Mon, 13 Jan 2014, tizo wrote:
>>> Hi there,
>>> We have a working authentication system for GNU/Linux consisting in a Mit
>>> Kerberos Server, and an OpenLDAP directory with a particular structure. I
>>> was wondering if we could use Freeipa to administer those working
>>> components as they are, without having to deploy a new Freeipa server
>>> from
>>> scratch.
>> In short, no, it is not possible.
> I would like to elaborate this a bit more:
> You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos system,
> but FreeIPA provides migrate-ds scripts which ease the transition from
> OpenLDAP.
> Please see
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_
> Guide/Migrating_from_a_Directory_Server_to_IPA.html
> You need to migrate OpenLDAP data to one FreeIPA server and then you can
> simply create FreeIPA server replicas as need.
> In other words, the migrate-ds script is run only once even if you have
> multiple servers with replicated data.
> There are some limited capabilities for migration with user passwords, but
> I will let other people to elaborate - this is not area of my expertise.
> Let us know if you need any assistance during migration.
> --
> Petr^2 Spacek

I had discarded the Freeipa option, as we couldn't use our OpenLDAP server
and Kerberos as they were. Now, I am thinking that could be very useful for
us (because of another reason), but I have a question about it. In short:
can Freeipa internal LDAP server be used as any other LDAP server?.

In detail: we have some Java applications that use authentication against
our actual OpenLDAP server. The LDAP authentication is used in this case,
with an overlay for password policies (as in
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The
users that would use Freeipa are a subset from the users that use the Java
applications. So, I would like that, at least at first, users from Java
applications continue authenticating as they are doing now. I don't know if
that can be done, and I have never worked with 389 directory service, so
any help is appreciated.
Freeipa-users mailing list

Reply via email to