On Wed, 27 May 2015, Carlos Raúl Laguna wrote:
Hello Martin, Alexander

Seems that the time shift is large between us. If I understand correctly,
compat tree will allow me to see all users, regardless of their location,
Windows or FreeIPA; however, the Kolab-specific attribute must come from
FreeIPA and Windows AD, where the user entries lie. This means creating
custom object classes and attributes for the AD schema, then updating the compat
plugin to see the custom attribute.

The second part, where Kolab needs to update some value in any of these
attributes, for example mailQuota: it would be rejected and therefore it must
be done from Windows AD or FreeIPA, is this correct? Thanks to both of you for
your time and input in this matter. Regards
Just to make it absolutely clear to you: using compat tree will not help you
at all. Nothing else in FreeIPA could help you in getting Kolab to work
with both IPA and AD users at the same time.

It would be nice if kolab could grow a capability to connect to multiple
LDAP servers at the same time, with non-overlapping user and group
trees. I don't think it is there now and I don't see other possibilities
here.


2015-05-27 4:46 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com>:

On Wed, 27 May 2015, Martin Kosek wrote:

On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:

On Wed, 27 May 2015, Martin Kosek wrote:

On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:

Hello Martin,

The email deployment is a groupware, in this scenario Kolab. Kolab uses
389 ad as main backend and it requires some Kolab LDAP-specific attributes to
work properly. This is not a problem; in fact it is quite easy to use FreeIPA
as Kolab backend. So far so good, but the romance only gets this far. Since
we also use Windows AD with forest-trust, not all users are present in the
FreeIPA directory, and that is where my problem lies. Since not all users
are in the same box, it becomes difficult to implement one mail system for
all users. Regards


As I said, we have compat tree that allows LDAP BIND authentication and LDAP
identity (not enumeration) for both IPA users and AD users when realm is in
place.

You can even update the configuration of the compat tree and add the kolab
specific fields to be generated there too. There was very similar request on
freeipa-users. It was for vSphere, but dealing with very similar use case and
the final solution:

http://www.freeipa.org/page/HowTo/vsphere5_integration

Would that approach work for you?

I don't think it will work. compat tree is run-time read-only view of
the data coming from somewhere else. You need to have Kolab-specific
data available somewhere to be able to inject it in the compat tree.
Where would that data be stored for Kolab for AD-specific entries?


It would work as long as the attributes are in the "real" user entries in form
of custom attributes and compat plugin can be updated to add those to
compat view.

What real user entries are you talking about for AD users?

 Additionally, Kolab wants to modify these custom attributes and compat
tree simply does not support modification, they all are refused.


If Kolab requires modifications, then this approach would not work with current
FreeIPA implementation, yes.

No, we are not going into enabling modifications over compat tree, this
is simply impossible to achieve, sorry.
--
/ Alexander Bokovoy


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
