On Tue, 2014-05-27 at 14:24 -0300, tizo wrote:
> On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <pspa...@redhat.com> wrote:
> 
> > On 13.1.2014 15:50, Alexander Bokovoy wrote:
> >
> >> On Mon, 13 Jan 2014, tizo wrote:
> >>
> >>> Hi there,
> >>>
> >>> We have a working authentication system for GNU/Linux consisting of an MIT
> >>> Kerberos server and an OpenLDAP directory with a particular structure. I
> >>> was wondering if we could use FreeIPA to administer those working
> >>> components as they are, without having to deploy a new FreeIPA server
> >>> from scratch.
> >>>
> >> In short, no, it is not possible.
> >>
> >
> > I would like to elaborate on this a bit more:
> > You really can't use the FreeIPA WebUI with a home-grown LDAP+Kerberos system,
> > but FreeIPA provides migrate-ds scripts which ease the transition from
> > OpenLDAP.
> >
> > Please see
> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> >
> > You need to migrate OpenLDAP data to one FreeIPA server and then you can
> > simply create FreeIPA server replicas as needed.
> >
> > In other words, the migrate-ds script is run only once even if you have
> > multiple servers with replicated data.
> >
> > There are some limited capabilities for migration of user passwords, but
> > I will let other people elaborate; this is not an area of my expertise.
> >
> > Let us know if you need any assistance during migration.
> >
> > --
> > Petr^2 Spacek
> >
> 
> I had discarded the FreeIPA option, as we couldn't use our OpenLDAP server
> and Kerberos as they were. Now I am thinking that it could be very useful for
> us (for another reason), but I have a question about it. In short:
> can the FreeIPA internal LDAP server be used like any other LDAP server?
> 
> In detail: we have some Java applications that authenticate against
> our current OpenLDAP server. LDAP authentication is used in this case,
> with an overlay for password policies (as in
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The
> users that would use FreeIPA are a subset of the users that use the Java
> applications. So I would like, at least at first, users of the Java
> applications to continue authenticating as they do now. I don't know if
> that can be done, and I have never worked with 389 Directory Server, so
> any help is appreciated.

FreeIPA uses a fully LDAPv3-compliant LDAP server called 389ds:
http://port389.org

It allows LDAP binds and extensions to schema just like any other fully
featured LDAP server.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users