Hi Alexander,

I understand that with Trust to AD, we can use AD for System of Records for
the User Accounts.

We do want IPA to maintain the policies, but just want to use SunLDAP
instead of 389 Directory Server for storing the policies. From an Enterprise
Architecture point of view, 389 Directory Server would be Yet Another
Directory Server in our environment. It seems like overkill if we already
have SunLDAP.

Thanks,
Saqib

On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
>> Greetings,
>>
>> If we want to use the FreeIPA Active Directory Trust Integration Option,
>> can we use an existing implementation of SunLDAP to store the Policies
>> (e.g. sudo, hbac etc.)?
>>
>> Essentially we don't want to create another LDAP Directory just for storing the
>> Policies.
>>
> FreeIPA cannot work with another LDAP Directory. It is an integrated
> solution that relies on the set of plugins in 389-ds directory, there
> are about a dozen specialized plugins that come with FreeIPA itself.
>
> Trust to Active Directory option is part of that setup and cannot be
> done against another LDAP directory because it also relies on the
> specific plugins to 389-ds that don't exist in your SunLDAP.
>
> If you deploy FreeIPA, you cannot have it 'just for storing the
> policies'. It will be used for all kinds of objects. With trust to
> Active Directory you may opt to not create native IPA users but then
> these wouldn't be coming from your SunLDAP directory either, AD users
> would be coming from AD.
>
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
