Thank you both again for your answers, guys.
Simo, I would be very interested in this feature list in fact.
Do you know if there is a way to find it?
I would really need it, it would help a lot.
On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 01/13/2016 03:57 PM, bahan w wrote:
> > Re.
> > Thanks both of you for your answers.
> > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the
> > kind of service that we want from IPA, even if it is not embedded in
> > integrated solution like IPA.
> > I totally agree that IPA provides a lot of things but I am quite sure the
> > isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> > cache client like sssd or nscd/nslcd can work.
> It "can" work. But home grown solutions like that require non-trivial
> effort to even get started.
> As soon as you have more requests on such home grown infrastructure, you
> need to implement enhancements (like something cert or DNS related). At that
> moment, you may realize you are re-implementing what FreeIPA may support
> already. FreeIPA project was started for a reason :-)
> > Alexander, when I mention migration, I think of the following actions:
> > 1. Take the principals that we have for the KDC and recreate them in a
> > Kerberos KDC architecture
> > 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> > openLDAP architecture
> > Do you know if there are other things necessary to recreate in the LDAP or
> > in the KDC?
> > Additionally, do you have a list of points which could help to convince
> > them to keep the FreeIPA architecture?
> > Best regards.
> > Bahan
> > On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >> On Wed, 13 Jan 2016, bahan w wrote:
> >>> Hello Simo!
> >>> For the reason:
> >>> The production team wants to use only the two components openLDAP and
> >>> Kerberos, possibly on different servers.
> >>> For the explanation:
> >>> They want to install only MIT Kerberos and openLDAP.
> >>> We already have an existing FreeIPA installation, with users, groups,
> >>> principals, pwpolicies.
> >>> We would like to migrate this to an openLDAP for the users, groups and
> >>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm
> >>> forgetting anything).
> >> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
> >> LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
> >> schema.
> >> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
> >> dozen additional plugins. These plugins either don't exist for OpenLDAP
> >> at all or have different behavior and rely on different LDAP schema.
> >> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> >> used by MIT Kerberos LDAP driver because it doesn't know about that
> >> data, and OpenLDAP server will not have the same behavior as expected by
> >> IPA clients (SSSD) for IPA-specific mode.
> >> Whatever your production team is thinking about this move, it is most
> >> certainly not properly thought out.
> >> --
> >> / Alexander Bokovoy
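The point Alexander makes above (IPA entries carry object classes and attributes that neither stock OpenLDAP nor the standard MIT Kerberos LDAP backend knows) can be checked before anyone plans the migration steps Bahan lists. The script below is an added example written for this thread; it is not code from FreeIPA, MIT Kerberos or anyone on the list. It parses an LDIF export and tags each entry by the schema family it depends on. The class and prefix lists are assumptions drawn from the MIT `kerberos.schema` and FreeIPA naming conventions, and the sample LDIF (DNs, IDs, the key value) is constructed for the example.

```python
"""Tag entries in an LDIF export by the schema they depend on, so a migration
plan can see what stock OpenLDAP / stock MIT krb5 LDAP KDB would not understand."""
import base64
from collections import Counter

# Assumption: object classes defined by the stock MIT krb5 kerberos.schema.
MIT_KRB_CLASSES = {"krbprincipal", "krbprincipalaux", "krbticketpolicyaux",
                   "krbpwdpolicy", "krbcontainer", "krbrealmcontainer"}
# Assumption: names with these prefixes come from FreeIPA's own schema.
IPA_PREFIXES = ("ipa", "mep")
# Assumption: structural classes present in 389-ds but absent from OpenLDAP.
DS389_ONLY_CLASSES = {"nscontainer"}

# Constructed sample export (not a real directory); the key value is a placeholder.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: ipaObject
objectClass: ipaSshUser
uid: alice
cn: Alice
  Example
krbPrincipalName: alice@EXAMPLE.TEST
ipaUniqueID: 00000000-0000-4000-8000-000000000001
ipaSshPubKey:: Y29uc3RydWN0ZWQta2V5

dn: cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
cn: global_policy
krbMaxPwdLife: 7776000
krbPwdMinLength: 8

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: ipaUserGroup
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: uid=legacy,ou=imported,dc=example,dc=test
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: legacy
cn: Legacy Account
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}). Handles RFC 2849 line
    folding and base64 ('::') values; skips comments and the version line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith(("#", "version:")):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute line before any dn: " + line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def analyse(entry):
    """Tag one entry with the schema families it depends on."""
    dn, attrs = entry
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    ipa = sorted({c for c in classes if c.startswith(IPA_PREFIXES)}
                 | {a for a in attrs if a.startswith(IPA_PREFIXES)})
    ds389 = sorted(classes & DS389_ONLY_CLASSES)
    krb = sorted(classes & MIT_KRB_CLASSES)
    tags = {t for t, hit in (("ipa", ipa), ("389ds", ds389), ("mit-krb", krb)) if hit}
    return {"dn": dn, "tags": tags, "ipa": ipa, "389ds": ds389, "mit-krb": krb}


def report(text):
    """Return (per-entry results, entries per tag, entries free of IPA/389-ds schema)."""
    results = [analyse(e) for e in parse_ldif(text)]
    counts = Counter(t for r in results for t in r["tags"])
    portable = sum(1 for r in results if not (r["tags"] & {"ipa", "389ds"}))
    return results, counts, portable


if __name__ == "__main__":
    results, counts, portable = report(SAMPLE_LDIF)
    for r in results:
        print(r["dn"], sorted(r["tags"]) or ["portable"], r["ipa"], r["389ds"], r["mit-krb"])
    print("per tag:", dict(counts), "| free of IPA/389-ds schema:", portable)
```

Run against a real export (`ldapsearch -LLL ... > export.ldif`, then `report(open("export.ldif").read())`), an entry tagged only `mit-krb` is the kind of data a stock MIT LDAP KDC could hold, while anything tagged `ipa` or `389ds` is what Alexander says OpenLDAP and the standard driver will ignore or reject; the pwpolicy entry shows both at once, which is why "recreate them in openLDAP" is more than a copy.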
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project