On Wed, 2016-01-13 at 15:57 +0100, bahan w wrote:
> Re.
>
> Thanks both of you for your answers.
>
> Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
> kind of service that we want from IPA, even if it is not embedded in
> an integrated solution like IPA.
>
> I totally agree that IPA provides a lot of things but I am quite sure the
> isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> cache client like sssd or nscd/nslcd can work.

I know they *can* work, but there is no "migration" path there because
they are not a solution, they are a bag of parts you need to manually
configure and integrate on your own.

> Alexander, when I mention migration, I think of the following actions :
> 1. Take the principals that we have for the KDC and recreate them in an MIT
> Kerberos KDC architecture

If you know how to deploy openldap+MIT kdc you should know how to do
this, if you do not you should ask yourself if you can support your
plan, because you'll be on your own there.

> 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> openLDAP architecture

This is also just a matter of playing with LDIFs (depending on how close
or far the schema you'll choose for your custom solution is) and you
should know how to do this if you are planning on your own custom setup.
Again if you don't you should ask yourself how likely it is you'll be
able to support yourself.

> Do you know if there are other things necessary to recreate in the LDAP or
> in the KDC ?

Look at kdb5_ldap_util from MIT krb5.

> Additionally, do you have a list of points which could help to convince to
> keep the freeipa architecture ?

The FreeIPA installer goes through a few hundred steps just to set up
the system, and this does not take into account the integration plugins
we built, and the management features that will be completely missing in
a bare openldap+mit system for things as simple as "allow a non-ldap
expert to create a user, manage its passwords and groups", also Access
control, delegation, etc... the feature list is huge.

Simo.

--
Simo Sorce * Red Hat, Inc * New York