Only a very basic "fractional replication" - you can remove selected attributes from replicating. It is possible even now and can be configured on each replication agreement:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/managing-fractional-repl.html

In FreeIPA 4.2, it should be possible to set that centrally:
https://fedorahosted.org/freeipa/ticket/4302

Martin

On 05/28/2015 09:02 PM, Carlos Raúl Laguna wrote:
Thanks for the clarifications, one more question, does FreeIPA support partial
or fractional replications? Regards

2015-05-28 0:25 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com
<mailto:aboko...@redhat.com>>:

    On Wed, 27 May 2015, Carlos Raúl Laguna wrote:

        Hello Martin, Alexander

        Seem that the time shift is large between us, If i understand correctly,
        compat tree will allow me to see all users, regardless they location
        Windows or FreeIPA, however the kolab-specific attribute must come from
        FreeIPA and Windows AD where the users entries lays. This means creating
        custom object classes and attributes for AD schema them update compat
        plugin to see the custom attribute.

        The second part where kolab needs to update some value in any of this
        attribute, for example mailQuota it would be rejected and therefor it 
must
        be done from Windows AD or FreeIPA, is this correct? Thanks both of you 
for
        your time and input in this matter. Regards

    Just to make you absolutely clear: using compat tree will not help you
    at all. Nothing else in FreeIPA could help you in getting Kolab to work
    with both IPA and AD users at the same time.

    It would be nice if kolab could grow a capability to connect to multiple
    LDAP servers at the same time, with non-overlapping user and group
    trees. I don't think it is there now and I don't see other possibilities
    here.



        2015-05-27 4:46 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com
        <mailto:aboko...@redhat.com>>:

            On Wed, 27 May 2015, Martin Kosek wrote:

                On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:

                    On Wed, 27 May 2015, Martin Kosek wrote:

                        On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:

                            Hello Martin,

                            The email deployment it is a groupware in this
                            scenario Kolab, kolab
                            use
                            389 ad as main backend and it require some kolab
                            ldap specific
                            attribute to
                            work properly, this is not a problem in fact is
                            quite easy to use
                            freeipa
                            as kolab backend, so far so good but the romance
                            only get this far.
                            Since
                            we also use Windows Ad with forest-trust not all
                            user are present in
                            the
                            FreeIPA directory and there it is where my problem
                            lays. Since not all
                            user
                            are in the same box it become difficult to
                            implement one mail system
                            for
                            all users. Regards


                        As I said, we have compat tree that allows LDAP BIND
                        authentication and
                        LDAP
                        identity (not enumeration) for both IPA users and AD
                        users when realm
                        is in
                        place.

                        You can even update the configuration of the compat
                        tree and add the
                        kolab
                        specific fields to be generated there too. There was
                        very similar
                        request on
                        freeipa-users. It was for vSphere, but dealing with
                        very similar use
                        case and
                        the final solution:

                        http://www.freeipa.org/page/HowTo/vsphere5_integration

                        Would that approach work for you?

                    I don't think it will work. compat tree is run-time
                    read-only view of
                    the data coming from somewhere else. You need to have
                    Kolab-specific
                    data available somewhere to be able to inject it in the
                    compat tree.
                    Where would that data be stored for Kolab for AD-specific
                    entries?


                It would work as long as the attributes are in the "real" user
                entries in
                form
                of custom attributes and compat plugin can be updated to add
                those to
                compat view.

            What real user entries you are talking about for AD users?

              Additionally, Kolab wants to modify these custom attributes and
            compat

                    tree simply does not support modification, they all are
                    refused.


                If Kolab requires modifications, then this approach would not
                work with
                current
                FreeIPA implementation, yes.

            No, we are not going into enabling modifications over compat tree, 
this
            is simply impossible to achieve, sorry.
            --
            / Alexander Bokovoy


        --
        Manage your subscription for the Freeipa-users mailing list:
        https://www.redhat.com/mailman/listinfo/freeipa-users
        Go to http://freeipa.org for more info on the project



    --
    / Alexander Bokovoy





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to