Saqib N Ali wrote:
Rob, is there an architecture document/diagram that describes how 389-ds
in the FreeIPA w/ AD Trust setup?

You'll find a number of pages on


On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden wrote:

    Saqib N Ali wrote:

        Hi Alexander,

        I understand that with Trust to AD, we can use AD for System of
        for the User Accounts.

        We do want IPA to maintain the policies, but just want to use
        instead of 389 Directory Server for storing the policies. From an
        Enterprise Architecture point of view, 389 Directory Server would be
        Yet Another Directory Server in our environment. It seems overkill
        if we already have SunLDAP.

    389-ds is an integral part of IPA, it isn't just a data sink.



        On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy wrote:

             On Wed, 15 Jun 2016, Saqib N Ali wrote:


                 If we want to use the FreeIPA Active Directory Trust
                 can we use an existing implementation of SunLDAP to
                 store the
                 (e.g. sudo, hbac etc.)

                 Essentially we don't want to create another LDAP Directory
                 just for storing the

             FreeIPA cannot work with another LDAP Directory. It is a
             solution that relies on the set of plugins in 389-ds
             directory; there are about a dozen specialized plugins that
             come with FreeIPA.

             The Trust to Active Directory option is part of that setup and
             cannot be done against another LDAP directory because it also
             relies on the specific plugins to 389-ds that don't exist in
             your SunLDAP.

             If you deploy FreeIPA, you cannot have it 'just for storing the
             policies'. It will be used for all kinds of objects. With
             trust to Active Directory you may opt to not create native IPA
             users, but then these wouldn't be coming from your SunLDAP
             directory either; AD users would be coming from AD.

             / Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list: