This would be the best option!

But the customer won't allow this :( since openLDAP is also used by other apps.

So I need to sync them. Which means:
- adding the new users (not so difficult)
- removing old users (perhaps not too complicated)
- replicating changes like a password update (for this one, I'm completely clueless).

Any idea?

*Michaël Van de Borne*
Free Bird Computing SPRL - Manager
104 rue d'Azebois, 6230 Thiméon
*Tel:* +32(0)472 695716
*Skype:* mikemowgli
*VAT:* BE0637.834.386
LinkedIn profile

On 31-01-17 at 16:34, Martin Basti wrote:

Is there a possibility to migrate OpenLDAP to IPA DS and use only one source of Identity data?


On 31.01.2017 16:30, Michaël Van de Borne wrote:
mmmmh, ok, thank you.

But indeed, I would need HBAC and sudo rules in the future.
So I believe the only exit here is to keep openLDAP and FreeIPA in sync.
Any clue on how to do this efficiently?

Thank you,



On 31-01-17 at 16:23, Alexander Bokovoy wrote:
On Tue, 31 Jan 2017, Michaël Van de Borne wrote:
Hello list,

Here's my situation:
I'm installing Hadoop for a customer, and the Hadoop cluster is secured with Kerberos. I used FreeIPA as a KDC.
The customer uses openLDAP as a directory server.

For now, our solution is to copy the whole openLDAP user base to FreeIPA, and then use FreeIPA for the identification and authorization (all the keytab stuff).
You mean authentication, not authorization here.

But keeping openLDAP and FreeIPA in sync is a nightmare, and I was wondering something: Would it be possible to configure SSSD to simultaneously target the openLDAP server to identify a user, and the FreeIPA server to get the tickets?
Here is the thing: yes, you can do that by configuring explicitly
identity and authentication providers in sssd.conf. Set identity
provider to ldap and authentication provider to krb5, add necessary
configuration parameters and that would work. No HBAC, no SUDO rules,
etc., but that's what you want, it seems.

Look at sssd-ldap and sssd-krb5 manual pages.

When you configure identity provider to IPA or AD in sssd.conf, you are
just setting defaults for all other providers to the defaults of IPA or
AD provider. If you use a different identity provider, you'd need to
define proper authentication.

That way, we can avoid having to keep openLDAP and FreeIPA in sync...


Is there an efficient way to keep openLDAP and FreeIPA in sync?
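The split setup Alexander describes (identity from OpenLDAP, authentication from the FreeIPA KDC) as an sssd.conf domain section. This is an added example, not a configuration from the thread or from the SSSD or FreeIPA projects; the hostnames, realm, base DN and CA path are placeholders to be replaced with the customer's values.

```ini
# /etc/sssd/sssd.conf  (added example; hostnames, realm, base DN and CA path are placeholders)
[sssd]
services = nss, pam
domains = hadoop

[domain/hadoop]
# Identity (users, groups, POSIX attributes) is looked up in the customer's OpenLDAP.
# Use LDAPS and require a valid server certificate so the identity source cannot be spoofed.
id_provider = ldap
ldap_uri = ldaps://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_schema = rfc2307
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.pem
ldap_tls_reqcert = demand

# Authentication and password changes go to the FreeIPA KDC (the Hadoop realm).
# The LDAP uid must match the Kerberos principal name, since SSSD builds <uid>@<krb5_realm>
# when the LDAP entry carries no principal attribute.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.INTERNAL
krb5_server = ipa.example.internal
krb5_kpasswd = ipa.example.internal
# Verify the obtained TGT against the host key in /etc/krb5.keytab, so a rogue KDC
# cannot log a user in; requires the host principal to exist in that keytab.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# As noted in the thread, the IPA provider is not used here, so no HBAC or sudo
# rules apply; access control is whatever the local system does (permit is the default).
access_provider = permit
cache_credentials = true
```

SSSD refuses to start unless this file is owned by root with mode 0600. The sssd-ldap(5) and sssd-krb5(5) manual pages mentioned above document every key used here.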

Manage your subscription for the Freeipa-users mailing list.