On Wed, Jul 22, 2015 at 06:45:17PM -0600, Matt Koch wrote:
> Hello,
> I’m looking for an example sssd.conf migrationconfiguration that will allow 
> for the user to seamlessly authenticate to LDAP or freeIPA prior to 
> installation of the freeipa client. 
> This would be during migration to generate kerberos hashes for each
> user while still providing legacy LDAP support until migration can be
> completed. Hopefully with minimal changes to our existing sssd.conf file.

The configuration should be relatively straightforward, just use ldap
for both id and auth provider and set the search base to
cn=accounts,$DN, use your IPA server as LDAP URI and don't forget to set
ldap_tls_cacert = /etc/ipa/ca.crt.

But the bigger question is why? In order to set this hybrid mode, you
need to migrate your LDAP server data to your IPA server, isn't it
better to also enroll the client as an IPA client and let the user
migrate on first login?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to