Thanks for the clarifications. One more question: does FreeIPA support partial or fractional replication?

Regards

2015-05-28 0:25 GMT-04:00 Alexander Bokovoy <[email protected]>:

> On Wed, 27 May 2015, Carlos Raúl Laguna wrote:
>
>> Hello Martin, Alexander
>>
>> Seems that the time shift is large between us. If I understand correctly,
>> compat tree will allow me to see all users, regardless of their location,
>> Windows or FreeIPA; however, the kolab-specific attribute must come from
>> FreeIPA and Windows AD where the users' entries lie. This means creating
>> custom object classes and attributes for AD schema, then updating the compat
>> plugin to see the custom attribute.
>>
>> The second part, where kolab needs to update some value in any of these
>> attributes, for example mailQuota, it would be rejected and therefore it must
>> be done from Windows AD or FreeIPA, is this correct? Thanks both of you for
>> your time and input in this matter. Regards
>>
> Just to make you absolutely clear: using compat tree will not help you
> at all. Nothing else in FreeIPA could help you in getting Kolab to work
> with both IPA and AD users at the same time.
>
> It would be nice if kolab could grow a capability to connect to multiple
> LDAP servers at the same time, with non-overlapping user and group
> trees. I don't think it is there now and I don't see other possibilities
> here.
>
>> 2015-05-27 4:46 GMT-04:00 Alexander Bokovoy <[email protected]>:
>>
>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>
>>> On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:
>>>>
>>>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>>>
>>>>> On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:
>>>>>>
>>>>>> Hello Martin,
>>>>>>>
>>>>>>> The email deployment is a groupware, in this scenario Kolab. Kolab uses
>>>>>>> 389 ad as main backend and it requires some kolab ldap specific attributes to
>>>>>>> work properly. This is not a problem, in fact it is quite easy to use freeipa
>>>>>>> as kolab backend, so far so good, but the romance only gets this far. Since
>>>>>>> we also use Windows AD with forest-trust, not all users are present in the
>>>>>>> FreeIPA directory and that is where my problem lies. Since not all users
>>>>>>> are in the same box it becomes difficult to implement one mail system for
>>>>>>> all users. Regards
>>>>>>>
>>>>>> As I said, we have compat tree that allows LDAP BIND authentication and LDAP
>>>>>> identity (not enumeration) for both IPA users and AD users when realm is in
>>>>>> place.
>>>>>>
>>>>>> You can even update the configuration of the compat tree and add the kolab
>>>>>> specific fields to be generated there too. There was a very similar request on
>>>>>> freeipa-users. It was for vSphere, but dealing with a very similar use case and
>>>>>> the final solution:
>>>>>>
>>>>>> http://www.freeipa.org/page/HowTo/vsphere5_integration
>>>>>>
>>>>>> Would that approach work for you?
>>>>>>
>>>>>> I don't think it will work. compat tree is a run-time read-only view of
>>>>> the data coming from somewhere else. You need to have Kolab-specific
>>>>> data available somewhere to be able to inject it in the compat tree.
>>>>> Where would that data be stored for Kolab for AD-specific entries?
>>>>>
>>>> It would work as long as the attributes are in the "real" user entries in form
>>>> of custom attributes and compat plugin can be updated to add those to
>>>> compat view.
>>>>
>>>> What real user entries are you talking about for AD users?
>>>
>>> Additionally, Kolab wants to modify these custom attributes and compat
>>>
>>>> tree simply does not support modification, they all are refused.
>>>>>
>>>> If Kolab requires modifications, then this approach would not work with current
>>>> FreeIPA implementation, yes.
>>>>
>>>> No, we are not going into enabling modifications over compat tree, this
>>> is simply impossible to achieve, sorry.
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
