Saqib N Ali wrote:
Rob, is there an architecture document/diagram that describes how 389-ds
fits in the FreeIPA w/ AD Trust setup?

You'll find a number of pages on freeipa.org.

rob


On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Saqib N Ali wrote:

        Hi Alexander,

        I understand that with Trust to AD, we can use AD for System of
        Records for the User Accounts.

        We do want IPA to maintain the policies, but just want to use
        SunLDAP instead of 389 Directory Server for storing the policies.
        From an Enterprise Architecture point of view, 389 Directory
        Server would be Yet Another Directory Server in our environment.
        It seems overkill if we already have SunLDAP.


    389-ds is an integral part of IPA, it isn't just a data sink.

    rob

        Thanks,
        Saqib

        On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy
        <aboko...@redhat.com> wrote:

             On Wed, 15 Jun 2016, Saqib N Ali wrote:

                 Greetings,

                 If we want to use the FreeIPA Active Directory Trust
                 Integration Option, can we use an existing implementation
                 of SunLDAP to store the Policies (e.g. sudo, hbac etc.)?

                 Essentially we don't want to create another LDAP Directory
                 just for storing the Policies.

             FreeIPA cannot work with another LDAP Directory. It is an
             integrated solution that relies on the set of plugins in the
             389-ds directory; there are about a dozen specialized plugins
             that come with FreeIPA itself.

             The Trust to Active Directory option is part of that setup and
             cannot be done against another LDAP directory because it also
             relies on specific plugins to 389-ds that don't exist in your
             SunLDAP.

             If you deploy FreeIPA, you cannot have it 'just for storing the
             policies'. It will be used for all kinds of objects. With trust
             to Active Directory you may opt to not create native IPA users,
             but then these wouldn't be coming from your SunLDAP directory
             either; AD users would be coming from AD.


             --
             / Alexander Bokovoy







--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project