Great! Thanks very much Simo.

On Tue, May 27, 2014 at 3:02 PM, Simo Sorce <[email protected]> wrote:

> On Tue, 2014-05-27 at 14:24 -0300, tizo wrote:
> > On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek <[email protected]> wrote:
> >
> > > On 13.1.2014 15:50, Alexander Bokovoy wrote:
> > >
> > >> On Mon, 13 Jan 2014, tizo wrote:
> > >>
> > >>> Hi there,
> > >>>
> > >>> We have a working authentication system for GNU/Linux consisting in a Mit
> > >>> Kerberos Server, and an OpenLDAP directory with a particular structure. I
> > >>> was wondering if we could use Freeipa to administer those working
> > >>> components as they are, without having to deploy a new Freeipa server
> > >>> from scratch.
> > >>>
> > >> In short, no, it is not possible.
> > >>
> > >
> > > I would like to elaborate this a bit more:
> > > You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos system,
> > > but FreeIPA provides migrate-ds scripts which ease the transition from
> > > OpenLDAP.
> > >
> > > Please see
> > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> > >
> > > You need to migrate OpenLDAP data to one FreeIPA server and then you can
> > > simply create FreeIPA server replicas as need.
> > >
> > > In other words, the migrate-ds script is run only once even if you have
> > > multiple servers with replicated data.
> > >
> > > There are some limited capabilities for migration with user passwords, but
> > > I will let other people to elaborate - this is not area of my expertise.
> > >
> > > Let us know if you need any assistance during migration.
> > >
> > > --
> > > Petr^2 Spacek
> > >
> >
> > I had discarded the Freeipa option, as we couldn't use our OpenLDAP server
> > and Kerberos as they were. Now, I am thinking that could be very useful for
> > us (because of another reason), but I have a question about it. In short:
> > can Freeipa internal LDAP server be used as any other LDAP server?.
> >
> > In detail: we have some Java applications that use authentication against
> > our actual OpenLDAP server. The LDAP authentication is used in this case,
> > with an overlay for password policies (as in
> > http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The
> > users that would use Freeipa are a subset from the users that use the Java
> > applications. So, I would like that, at least at first, users from Java
> > applications continue authenticating as they are doing now. I don't know if
> > that can be done, and I have never worked with 389 directory service, so
> > any help is appreciated.
>
> FreeIPA uses a full LDAPv3 compliant LDAP server called 389ds:
> http://port389.org
>
> It allows LDAP binds and extensions to schema just like any other fully
> featured LDAP server.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
