Thanks for the clarifications. One more question: does FreeIPA support
partial or fractional replication? Regards

2015-05-28 0:25 GMT-04:00 Alexander Bokovoy <>:

> On Wed, 27 May 2015, Carlos Raúl Laguna wrote:
>> Hello Martin, Alexander
>> It seems that the time shift between us is large. If I understand correctly,
>> compat tree will allow me to see all users, regardless of their location,
>> Windows or FreeIPA; however, the kolab-specific attribute must come from
>> FreeIPA and Windows AD, where the user entries lie. This means creating
>> custom object classes and attributes for AD schema, then updating the compat
>> plugin to see the custom attribute.
>> The second part, where kolab needs to update some value in any of these
>> attributes, for example mailQuota: it would be rejected and therefore it must
>> be done from Windows AD or FreeIPA. Is this correct? Thanks to both of you
>> for your time and input in this matter. Regards
> Just to make you absolutely clear: using compat tree will not help you
> at all. Nothing else in FreeIPA could help you in getting Kolab to work
> with both IPA and AD users at the same time.
> It would be nice if kolab could grow a capability to connect to multiple
> LDAP servers at the same time, with non-overlapping user and group
> trees. I don't think it is there now and I don't see other possibilities
> here.
>> 2015-05-27 4:46 GMT-04:00 Alexander Bokovoy <>:
>>  On Wed, 27 May 2015, Martin Kosek wrote:
>>>  On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:
>>>>  On Wed, 27 May 2015, Martin Kosek wrote:
>>>>>  On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:
>>>>>>  Hello Martin,
>>>>>>> The email deployment is a groupware, in this scenario Kolab. kolab uses
>>>>>>> 389 ad as main backend and it requires some kolab ldap specific
>>>>>>> attributes to work properly. This is not a problem; in fact it is quite
>>>>>>> easy to use freeipa as kolab backend. So far so good, but the romance
>>>>>>> only gets this far. Since we also use Windows AD with forest-trust, not
>>>>>>> all users are present in the FreeIPA directory, and that is where my
>>>>>>> problem lies. Since not all users are in the same box, it becomes
>>>>>>> difficult to implement one mail system for all users. Regards
>>>>>> As I said, we have compat tree that allows LDAP BIND authentication and
>>>>>> LDAP identity (not enumeration) for both IPA users and AD users when
>>>>>> realm is in place.
>>>>>> You can even update the configuration of the compat tree and add the
>>>>>> kolab specific fields to be generated there too. There was very similar
>>>>>> request on freeipa-users. It was for vSphere, but dealing with very
>>>>>> similar use case and the final solution:
>>>>>> Would that approach work for you?
>>>>>>  I don't think it will work. compat tree is run-time read-only view of
>>>>> the data coming from somewhere else. You need to have Kolab-specific
>>>>> data available somewhere to be able to inject it in the compat tree.
>>>>> Where would that data be stored for Kolab for AD-specific entries?
>>>> It would work as long as the attributes are in the "real" user entries
>>>> in form of custom attributes and compat plugin can be updated to add
>>>> those to compat view.
>>>>  What real user entries you are talking about for AD users?
>>>  Additionally, Kolab wants to modify these custom attributes and compat
>>>> tree simply does not support modification, they all are refused.
>>>> If Kolab requires modifications, then this approach would not work with
>>>> current FreeIPA implementation, yes.
>>>>  No, we are not going into enabling modifications over compat tree, this
>>> is simply impossible to achieve, sorry.
>>> --
>>> / Alexander Bokovoy
>  --
>> Manage your subscription for the Freeipa-users mailing list:
>> Go to for more info on the project
> --
> / Alexander Bokovoy