On Wed, Jul 22, 2015 at 06:45:17PM -0600, Matt Koch wrote:
> Hello,
> I’m looking for an example sssd.conf migration configuration that will allow
> for the user to seamlessly authenticate to LDAP or freeIPA prior to
> installation of the freeipa client.
>
> This would be during migration to generate kerberos hashes for each
> user while still providing legacy LDAP support until migration can be
> completed. Hopefully with minimal changes to our existing sssd.conf file.

The configuration should be relatively straightforward: just use ldap for both the id and auth providers, set the search base to cn=accounts,$DN, use your IPA server as the LDAP URI, and don't forget to set ldap_tls_cacert = /etc/ipa/ca.crt.

But the bigger question is why? In order to set up this hybrid mode, you need to migrate your LDAP server data to your IPA server; isn't it better to also enroll the client as an IPA client and let the user migrate on first login?
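
The settings named in the reply above, written out as an sssd.conf domain section. This is an added example, not part of the original message: the host name ipa.example.com, the base DN dc=example,dc=com and the domain label are placeholders, and ldap_schema, ldap_id_use_start_tls, ldap_tls_reqcert and cache_credentials are additions the reply does not mention.

```ini
# /etc/sssd/sssd.conf (mode 0600, owner root)
# Example only: host name, base DN and domain label are placeholders.

[sssd]
config_file_version = 2
services = nss, pam
domains = ipa_ldap

[domain/ipa_ldap]
# Plain LDAP providers pointed at the IPA server, as the reply suggests.
id_provider = ldap
auth_provider = ldap

# The IPA server acts as the LDAP server.
ldap_uri = ldap://ipa.example.com

# cn=accounts under the IPA suffix ($DN in the reply).
ldap_search_base = cn=accounts,dc=example,dc=com

# Trust anchor for the IPA server certificate, as named in the reply.
ldap_tls_cacert = /etc/ipa/ca.crt

# Assumption: StartTLS on the ldap:// URI with strict certificate checking.
# SSSD will not send a password over an unencrypted LDAP connection, and
# "demand" makes the client refuse a server certificate that does not chain
# to the CA above.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

# Assumption: groups under cn=accounts list members as DNs (member
# attribute), which SSSD reads with the rfc2307bis schema.
ldap_schema = rfc2307bis

# Assumption: no offline password cache while accounts are being migrated.
cache_credentials = false
```

The CA certificate has to be copied to the client by hand, because /etc/ipa/ca.crt is normally put in place by the IPA client installation, which this setup skips.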