Re: [Freeipa-users] FreeIPA deployment questions (Open Directory)

2012-02-15 Thread Brian Topping
Hi Rob, thanks for your responses!

On Feb 15, 2012, at 12:16 AM, Rob Crittenden wrote:

> 389-ds is our LDAP server so we generally support what it can do. AFAIK it
> does not do replication with OD. What is it you want to replicate, what
> direction, etc?

It seems like users and groups are going to need to be synchronized, but I 
don't really know. OD has 'apple-user' and 'apple-group' schemas which have 
zero mandatory attributes.  FreeIPA has ipaObject which has the ipaUniqueid 
mandatory attribute.  

This is the first time I'm trying these things with LDAP, but it seems that 
if an object is created on FreeIPA, could it be replicated to OD?  apple-user 
and apple-group have no mandatory attributes, and once it is replicated to OD, 
an admin could run Workgroup Manager and use the migrate from legacy tool on 
the object to create the OD attributes.  

So I guess that means I am replicating from FreeIPA to OD, but once changes are 
made on OD, can I replicate back with the additional attributes that are added? 
 If not, changes that are made on FreeIPA would seem to overwrite the new 
attributes added in OD.  Or is there a common way to do this?

Is this a reasonable approach or am I overcomplicating things?

> I've never used the Apache studio but others have reported success. It is
> probably just a matter of getting your basedn right (e.g. dc=example,dc=com)
> and perhaps providing a bind user (cn=Directory Manager). Are you getting
> specific error messages? That might help troubleshoot things.

Ok, for others who may follow, here's what worked for me on connecting with 
Apache DS:

1. Note that the Directory Manager dn is literally cn=Directory Manager, not 
cn=Directory Manager, dc=example, dc=com.  

2. If SSL is desired, be sure to remember to use port 636 instead of 389.  

This is probably covered in the docs, but alas.  :-)

Cheers, Brian

p.s. Rob, sorry I responded to you directly before, I didn't notice that this 
list uses reply-to of the sender and not the list.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
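The worry in the reply above is that a one-way FreeIPA -> OD sync would overwrite the attributes Workgroup Manager adds on the OD side. The script below is an added example, not code from the thread or from FreeIPA: it parses two constructed LDIF fragments of the same entry (the FreeIPA copy and the OD copy after migration) and reports which attributes exist only on the OD side and would be lost to an unconditional overwrite. The ipaUniqueID value and the apple-generateduid attribute are illustrative assumptions.

```python
from collections import defaultdict


def parse_ldif(text):
    """Parse a single-entry LDIF fragment into {attr_lowercased: [values]}.

    Handles folded continuation lines (leading space); base64 values ('::')
    are kept raw, which is enough for a side-by-side attribute comparison.
    """
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:   # LDIF line folding
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)


def sync_preview(ipa_entry, od_entry):
    """Return (od_only, differing) for a FreeIPA -> OD overwrite.

    od_only:   attributes present only on the OD copy (added by the OD
               admin); a one-way sync from FreeIPA would drop them.
    differing: attributes on both sides whose values no longer agree
               (e.g. objectClass after 'apple-user' was added on OD).
    """
    od_only = sorted(a for a in od_entry if a != "dn" and a not in ipa_entry)
    differing = sorted(a for a in ipa_entry
                       if a in od_entry and sorted(ipa_entry[a]) != sorted(od_entry[a]))
    return od_only, differing


# Constructed sample entries; values are placeholders, not real directory data.
IPA_LDIF = """
dn: uid=brian,cn=users,cn=accounts,dc=example,dc=com
objectClass: ipaObject
objectClass: posixAccount
uid: brian
ipaUniqueID: 00000000-0000-0000-0000-000000000000
uidNumber: 1001
"""
OD_LDIF = IPA_LDIF + """objectClass: apple-user
apple-generateduid: 11111111-1111-1111-1111-111111111111
"""

if __name__ == "__main__":
    print(sync_preview(parse_ldif(IPA_LDIF), parse_ldif(OD_LDIF)))
```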


[Freeipa-users] FreeIPA deployment questions (Open Directory)

2012-02-14 Thread Brian Topping
I'm new to FreeIPA and have some questions.  I've searched the archives for 
similar articles and found 
https://www.redhat.com/archives/freeipa-users/2011-May/msg00040.html, but with 
some differences.  Please excuse my lack of knowledge, but I hope that answers to 
these questions might help others through the archives.

*** I saw the announcement that 2.1.4 from the updates-testing repo is 
strongly advised.  In the previous message, I saw that deploying a production 
server on Fedora was a bad idea.  2.1.3 is the last version available on the 
CentOS repos.  Is that one reasonable to use?  Are there any gotchas that I 
should know about like disabling selinux?  Is 2.1.3 usable while waiting for 
2.1.4 to hit the CentOS repos?

*** AD synchronization is under active development, but I'm wanting to work 
with Open Directory.  The last references I've seen to it on the user list were 
with 1.x.  I've seen the opaque objects in the OD schema, realize the OD schema 
is rather fluid and understand that maintaining an integration like that may 
not be productive for such a small audience.  On the other hand, are there 
configurations with limited replication or referrals that might provide basic 
interoperability?  I haven't been too successful with getting Apache Directory 
Studio connected to FreeIPA so I can browse around, but does anyone have some 
insights they could share on this?  Anyone have FreeIPA working at any level 
with OpenDirectory that they could share insights about?

Thank you kindly for any insights that you might be able to share!

Brian
