Re!

Thank both of you again for your answers, guys.

Simo, I would be very interested in this feature list in fact. Do you know if there is a way to find it? I would really need it; it would help a lot.

Best regards.

Bahan

On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 01/13/2016 03:57 PM, bahan w wrote:
> > Re.
> >
> > Thanks both of you for your answers.
> >
> > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
> > kind of service that we want from IPA, even if it is not embedded in an
> > integrated solution like IPA.
> >
> > I totally agree that IPA provides a lot of things, but I am quite sure the
> > isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> > cache client like sssd or nscd/nslcd can work.
>
> It "can" work. But home-grown solutions like that require non-trivial effort to
> even get started.
>
> As soon as you have more requests on such home-grown infrastructure, you will
> need to implement enhancements (like something cert- or DNS-related). At that
> moment, you may realize you are re-implementing what FreeIPA may support
> already. The FreeIPA project was started for a reason :-)
>
> > Alexander, when I mention migration, I think of the following actions:
> > 1. Take the principals that we have for the KDC and recreate them in an MIT
> >    Kerberos KDC architecture
> > 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> >    openLDAP architecture
> >
> > Do you know if there are other things necessary to recreate in the LDAP or
> > in the KDC?
> >
> > Additionally, do you have a list of points which could help to convince
> > them to keep the FreeIPA architecture?
> >
> > Best regards.
> >
> > Bahan
> >
> > On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> >> On Wed, 13 Jan 2016, bahan w wrote:
> >>
> >>> Hello Simo!
> >>>
> >>> For the reason:
> >>> The production team wants to use only the two components openLDAP and MIT
> >>> Kerberos, possibly on different servers.
> >>>
> >>> For the explanation:
> >>> They want to install only MIT Kerberos and openLDAP.
> >>> We already have an existing FreeIPA installation, with users, groups,
> >>> principals, pwpolicies.
> >>> We would like to migrate this to an openLDAP for the users, groups and
> >>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
> >>> forgetting anything).
> >>>
> >> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
> >> LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
> >> schema.
> >>
> >> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
> >> dozen additional plugins. These plugins either don't exist for OpenLDAP
> >> at all or have different behavior and rely on a different LDAP schema.
> >>
> >> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> >> used by the MIT Kerberos LDAP driver because it doesn't know about that
> >> data, and the OpenLDAP server will not have the same behavior as expected by
> >> IPA clients (SSSD) in IPA-specific mode.
> >>
> >> Whatever your production team is thinking about this move, it is most
> >> certainly not properly thought out.
> >>
> >> --
> >> / Alexander Bokovoy
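As an added illustration of Alexander's point (example code written for this edit, not part of the thread or of FreeIPA), the script below walks an LDIF export of the IPA directory and reports, per entry, which object classes come from IPA's own schema (and so would mean nothing to a stock OpenLDAP), which come from the standard MIT kerberos.schema, and whether the entry carries key material. The object-class sets are an illustrative selection as I know them from the two schemas and are an assumption to check against your own server's cn=schema; the sample LDIF is constructed.

```python
import re
from collections import defaultdict

# Illustrative object-class sets; assumption: verify against your own server's cn=schema.
MIT_KRB5_CLASSES = {"krbprincipalaux", "krbticketpolicyaux", "krbpwdpolicy"}  # stock kerberos.schema
IPA_ONLY_CLASSES = {"ipaobject", "ipakrbprincipal", "ipausergroup", "ipauserauthtypeclass",
                    "ipantuserattrs", "ipasshuser", "ipasshgroupofpubkeys", "meporiginentry"}

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts, with 'dn' stored as an attribute."""
    entries, attrs = [], None
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:  # unfold RFC 2849 continuations
        if not line or line.startswith("#"):          # blank/comment line ends the current entry
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        name, _, value = line.partition(":")
        attrs = defaultdict(list) if attrs is None else attrs
        attrs[name.lower()].append(value.lstrip(": "))  # "::" marks base64; left undecoded here
    return entries

def audit(entries):
    """Per DN: IPA-only classes plain OpenLDAP lacks, MIT classes a stock KDC knows, and whether
    krbPrincipalKey (encrypted under the current KDC's master key) is present."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        report[e["dn"][0]] = {
            "ipa_only": sorted(classes & IPA_ONLY_CLASSES),
            "mit_krb5": sorted(classes & MIT_KRB5_CLASSES),
            "has_krb_keys": "krbprincipalkey" in e,
        }
    return report

# Constructed sample export (not real data).
SAMPLE_LDIF = """dn: uid=bahan,cn=users,cn=accounts,dc=example,dc=test
objectClass: krbPrincipalAux
objectClass: ipaObject
objectClass: ipaSshUser
krbPrincipalName: bahan@EXAMPLE.TEST
krbPrincipalKey:: AAAA

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: ipaUserGroup
objectClass: ipaObject
member: uid=bahan,cn=users,cn=accounts,dc=example,dc=test
"""
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` flags both entries as carrying IPA-only classes, and the user entry as holding key material that a new KDC would have to re-issue rather than import.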
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project