Rob, is there a architecture document/diagram that describes how 389-ds in the FreeIPA w/ AD Trust setup?
On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Saqib N Ali wrote: > >> Hi Alexander, >> >> I understand that with Trust to AD, we can use AD for System of Records >> for the User Accounts. >> >> We do want IPA to maintain the policies, but just want to use SunLDAP >> instead of 389 Directory Server for storing the policies. From >> Enterprise Architecture point of view, 389 Directory Server would be Yet >> Another Directory Server in our environment. It seems an overkill if we >> already have SunLDAP. >> > > 389-ds is an integral part of IPA, it isn't just a data sink. > > rob > > Thanks, >> Saqib >> >> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy <aboko...@redhat.com >> <mailto:aboko...@redhat.com>> wrote: >> >> On Wed, 15 Jun 2016, Saqib N Ali wrote: >> >> Greetings, >> >> If we want to use the FreeIPA Active Directory Trust Integration >> Option, >> can we use an existing implementation of SunLDAP to store the >> Policies >> (e.g. sudo, hbac etc.) >> >> Essentially we don't to create another LDAP Directory just for >> storing the >> Policies. >> >> FreeIPA cannot work with another LDAP Directory. It is integrated >> solution that relies on the set of plugins in 389-ds directory, there >> are about dozen specialized plugins that come with FreeIPA itself. >> >> Trust to Active Directory option is part of that setup and cannot be >> done against another LDAP directory because it also relies on the >> specific plugins to 389-ds that don't exist in your SunLDAP. >> >> If you deploy FreeIPA, you cannot have it 'just for storing the >> policies'. It will be used for all kinds of objects. With trust to >> Active Directory you may opt to not create native IPA users but then >> these wouldn't be coming from your SunLDAP directory either, AD users >> would be coming from AD. >> >> >> -- >> / Alexander Bokovoy >> >> >> >> >> >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project