Saqib N Ali wrote:
Hi Alexander,

I understand that with Trust to AD, we can use AD as the System of Record
for the User Accounts.

We do want IPA to maintain the policies, but just want to use SunLDAP
instead of 389 Directory Server for storing the policies. From an
Enterprise Architecture point of view, 389 Directory Server would be Yet
Another Directory Server in our environment. It seems overkill if we
already have SunLDAP.

389-ds is an integral part of IPA; it isn't just a data sink.



On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy wrote:

    On Wed, 15 Jun 2016, Saqib N Ali wrote:


        If we want to use the FreeIPA Active Directory Trust Integration,
        can we use an existing implementation of SunLDAP to store the
        policies (e.g. sudo, hbac etc.)?

        Essentially we don't want to create another LDAP Directory just for
        storing the policies.

    FreeIPA cannot work with another LDAP Directory. It is an integrated
    solution that relies on a set of plugins in the 389-ds directory; there
    are about a dozen specialized plugins that come with FreeIPA itself.

    The Trust to Active Directory option is part of that setup and cannot be
    done against another LDAP directory because it also relies on
    specific plugins for 389-ds that don't exist in your SunLDAP.

    If you deploy FreeIPA, you cannot have it 'just for storing the
    policies'. It will be used for all kinds of objects. With trust to
    Active Directory you may opt to not create native IPA users but then
    these wouldn't be coming from your SunLDAP directory either, AD users
    would be coming from AD.

    / Alexander Bokovoy

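The claim above that FreeIPA depends on a set of its own 389-ds plugins, several of which the AD trust needs, is easy to verify on a running server: the plugins are registered as entries under cn=plugins,cn=config. The script below is an added example, not code from the thread or from the FreeIPA project. It parses the LDIF that an ldapsearch of that subtree returns, lists the entries whose nsslapd-pluginPath points at an IPA module, and reports whether the trust-related ones are present and enabled. The LDIF is constructed inline so the script runs offline; the plugin names are modelled on the libipa_* modules FreeIPA installs, but the exact set and naming vary by version, so treat them as assumptions and compare against your own server's output.

```python
"""Inventory the FreeIPA-specific plugins registered in a 389-ds instance.

Added example (not FreeIPA's own tooling). On a real server the input
would come from:

  ldapsearch -LLL -x -D 'cn=Directory Manager' -W -H ldap://localhost \
    -b cn=plugins,cn=config '(objectClass=nsSlapdPlugin)' \
    cn nsslapd-pluginPath nsslapd-pluginEnabled nsslapd-pluginType

Here the output is a constructed sample embedded below.
"""
import base64
import re
from dataclasses import dataclass

# Constructed sample LDIF (assumption: plugin names mirror the libipa_*
# modules FreeIPA ships; the real set depends on the IPA version).
# The last entry has a folded "dn:" line to exercise LDIF line unfolding.
SAMPLE_LDIF = """\
dn: cn=IPA UUID,cn=plugins,cn=config
cn: IPA UUID
nsslapd-pluginPath: libipa_uuid
nsslapd-pluginEnabled: on
nsslapd-pluginType: preoperation

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginPath: libipa_pwd_extop
nsslapd-pluginEnabled: on
nsslapd-pluginType: extendedop

dn: cn=ipa-extdom-extop,cn=plugins,cn=config
cn: ipa-extdom-extop
nsslapd-pluginPath: libipa_extdom_extop
nsslapd-pluginEnabled: on
nsslapd-pluginType: extendedop

dn: cn=IPA SIDGEN,cn=plugins,cn=config
cn: IPA SIDGEN
nsslapd-pluginPath: libipa_sidgen
nsslapd-pluginEnabled: on
nsslapd-pluginType: postoperation

dn: cn=ipa-cldap,cn=plugins,cn=config
cn: ipa-cldap
nsslapd-pluginPath: libipa_cldap
nsslapd-pluginEnabled: off
nsslapd-pluginType: object

dn: cn=MemberOf Plugin,cn=plugins,cn=config
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginEnabled: on
nsslapd-pluginType: betxnpostoperation

dn: cn=IPA Topology Configuration,cn=plugins,cn=co
 nfig
cn: IPA Topology Configuration
nsslapd-pluginPath: libtopology
nsslapd-pluginEnabled: on
nsslapd-pluginType: object
"""

# Plugin modules the AD trust depends on (assumption, illustrative):
# extdom resolves AD users/groups for SSSD, sidgen assigns SIDs,
# cldap answers the CLDAP pings that AD domain controllers send.
TRUST_PLUGINS = ("libipa_extdom_extop", "libipa_sidgen", "libipa_cldap")

IPA_PATH_RE = re.compile(r"^(libipa_|libtopology)")
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


@dataclass
class Plugin:
    name: str
    path: str
    enabled: bool


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: unfolds continuation lines, splits entries on
    blank lines, decodes base64 ('::') values, lowercases attribute names."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # RFC 2849 line folding
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue                               # tolerate junk lines
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def ipa_plugins(entries) -> list[Plugin]:
    """Entries whose plugin module is one FreeIPA installed, not stock 389-ds."""
    found = []
    for e in entries:
        path = e.get("nsslapd-pluginpath", [""])[0]
        if IPA_PATH_RE.match(path):
            found.append(Plugin(name=e.get("cn", ["?"])[0], path=path,
                                enabled=e.get("nsslapd-pluginenabled", ["off"])[0] == "on"))
    return found


def trust_plugin_status(entries) -> dict[str, str]:
    """'on' / 'off' / 'missing' for each plugin the AD trust needs."""
    state = {p.path: ("on" if p.enabled else "off") for p in ipa_plugins(entries)}
    return {path: state.get(path, "missing") for path in TRUST_PLUGINS}


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for p in ipa_plugins(ents):
        print(f"{'on ' if p.enabled else 'OFF'}  {p.path:24} {p.name}")
    print("trust plugins:", trust_plugin_status(ents))
```

Pipe real ldapsearch output into parse_ldif instead of SAMPLE_LDIF to inventory your own server; anything reported as "off" or "missing" in trust_plugin_status is a plugin the trust setup would have to bring back, which is exactly the dependency that cannot be satisfied by a directory server other than the 389-ds instance FreeIPA manages.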