Greetings! I understand now that attempts to replicate user accounts from AD into FreeIPA isn't going to be getting any updates any time soon because the library being used to sync is basically defunct.
I'll start a new thread with my question about FreeIPA Kerberos realm trusting an AD Kerberos realm while on the same DNS domain. I've come across some new information that I'd like to check with ya'll. Thanks, everyone, for your answers! --David Alston -----Original Message----- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Alston, David Sent: Monday, July 25, 2016 8:24 AM To: Simo Sorce Cc: firstname.lastname@example.org Subject: Re: [Freeipa-users] Replicating users/groups from AD Greetings! Yes, I had been hoping there would be a way to incorporate domain trusts between Active Directory and FreeIPA while the clients relying on these for identity management shared the same DNS domain (eg. linux.company.com and windows.company.com). It sounds like that isn't going to happen. Account replication seems like another way for Active Directory users to be able to login to servers to use the same username/password for logging in. It wouldn't have SSO, but at least a user would be able to use the same username/password everywhere. Replicating user accounts from an external AD/LDAP server seems to be built-in, at the moment. There aren't any plans to take that away, is there? Ideally, I'd want a two way sync so that password changes and user group changes are replicated back to AD as well. --David Alston -----Original Message----- From: Simo Sorce [mailto:s...@redhat.com] Sent: Friday, July 22, 2016 10:49 AM To: Alston, David Cc: email@example.com Subject: Re: [Freeipa-users] Replicating users/groups from AD On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote: > Greetings! > > I realize that FreeIPA is supposed to be setup as master of its > own domain, but are there any plans to continue the account > replication functionality that has already been in FreeIPA? I had > heard rumor that it would be possible to have FreeIPA and Active > Directory coexist in the same domain in some release in the future. > Am I waiting for a feature that will never come? Hi David, in order to respond to your question an idea of what are your expectations would is needed. If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they will never coexists. If by Domain you mean DNS Domain read then FreeIPA can work in the same domain as AD but only if you do not care for them interacting (at the kerberos level, no trusts, no SSO). You can basically have only one association between a DNS domain and a Realm, and a DNS domain is either going to be associated to the AD Domain server or to the IPA Domain. Synchronization, however is a completely unrelated topic, and I can't give you an answer on that side as I do not understand how it would relate to the coexistence of FreeIPA and AD in a single DNS domain. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project