On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote:
> Yes, I had been hoping there would be a way to incorporate domain
> trusts between Active Directory and FreeIPA while the clients relying
> on these for identity management shared the same DNS domain (eg.
> linux.company.com and windows.company.com). It sounds like that isn't
> going to happen.
These are two different domains, as long as linux.company.com is used
only by FreeIPA this configuration is already supported via trust.
> Account replication seems like another way for Active Directory
> users to be able to login to servers to use the same username/password
> for logging in. It wouldn't have SSO, but at least a user would be
> able to use the same username/password everywhere. Replicating user
> accounts from an external AD/LDAP server seems to be built-in, at the
> moment. There aren't any plans to take that away, is there? Ideally,
> I'd want a two way sync so that password changes and user group
> changes are replicated back to AD as well.
winsync is not being further developed but we have no plans to take it
> --David Alston
> -----Original Message-----
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: Friday, July 22, 2016 10:49 AM
> To: Alston, David
> Cc: firstname.lastname@example.org
> Subject: Re: [Freeipa-users] Replicating users/groups from AD
> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
> > Greetings!
> > I realize that FreeIPA is supposed to be setup as master of its
> > own domain, but are there any plans to continue the account
> > replication functionality that has already been in FreeIPA? I had
> > heard rumor that it would be possible to have FreeIPA and Active
> > Directory coexist in the same domain in some release in the future.
> > Am I waiting for a feature that will never come?
> Hi David,
> in order to respond to your question an idea of what your expectations
> are is needed.
> If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they
> will never coexist.
> If by Domain you mean DNS Domain, then FreeIPA can work in the same
> domain as AD but only if you do not care for them interacting (at the
> Kerberos level, no trusts, no SSO).
> You can basically have only one association between a DNS domain and a Realm,
> and a DNS domain is either going to be associated to the AD Domain server or
> to the IPA Domain.
> Synchronization, however, is a completely unrelated topic, and I can't give
> you an answer on that side as I do not understand how it would
> relate to the coexistence of FreeIPA and AD in a single DNS domain.
> Simo Sorce * Red Hat, Inc * New York
Simo Sorce * Red Hat, Inc * New York
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
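An added illustration of the point Simo makes above (one DNS domain maps to exactly one Kerberos realm), not code from this thread or from the FreeIPA project: a small Python routine that approximates how an MIT Kerberos client resolves a host name to a realm from the [domain_realm] section of krb5.conf, run over a constructed configuration using the two DNS domains from the thread. The realm names IPA.COMPANY.COM and AD.COMPANY.COM are assumed.

```python
import configparser

# Constructed krb5.conf fragment (not from the thread). Because each DNS
# domain is a key in this section, it can be bound to exactly one realm:
# linux.company.com -> the IPA realm, windows.company.com -> the AD realm.
# A host in the bare company.com zone matches neither entry.
KRB5_CONF = """
[domain_realm]
.linux.company.com = IPA.COMPANY.COM
linux.company.com = IPA.COMPANY.COM
.windows.company.com = AD.COMPANY.COM
windows.company.com = AD.COMPANY.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] mapping with keys lower-cased."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str.lower  # DNS names compare case-insensitively
    parser.read_string(text)
    return dict(parser["domain_realm"])


def host_realm(hostname, mapping):
    """Approximation of the MIT krb5 lookup order: the exact host name first,
    then each parent domain written with a leading dot, longest suffix first.
    Returns None when no entry matches (a real client would then fall back to
    DNS-based or heuristic realm discovery)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


if __name__ == "__main__":
    realms = parse_domain_realm(KRB5_CONF)
    for h in ("web01.linux.company.com", "dc01.windows.company.com",
              "fileserver.company.com"):
        print(f"{h} -> {host_realm(h, realms)}")
```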