[Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Hello!

I am sending you this mail because I have a question about the migration
from the IPA distribution to the separate components.

With FreeIPA, we are using only:
- MIT Kerberos
- DS389
- The PKI CA is installed but not used from our side

Is it possible to migrate to the following separate components:
- MIT Kerberos (we keep the same)
- OpenLDAP

I often found documentation to migrate from MIT Kerberos and OpenLDAP to
FreeIPA but not the opposite.

Best regards.

Bahan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
On Wed, 2016-01-13 at 14:54 +0100, bahan w wrote:
> Hello!
> 
> I am sending you this mail because I have a question about the migration
> from the IPA distribution to the separate components.
> 
> With FreeIPA, we are using only:
> - MIT Kerberos
> - DS389
> - The PKI CA is installed but not used from our side
> 
> Is it possible to migrate to the following separate components:
> - MIT Kerberos (we keep the same)
> - OpenLDAP
> 
> I often found documentation to migrate from MIT Kerberos and OpenLDAP to
> FreeIPA but not the opposite.

Can you explain what you mean by "migrate to the following separate
components"? And why do you want to do so?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
On Wed, 2016-01-13 at 17:10 +0100, bahan w wrote:
> Re!
> 
> Thanks to both of you again for your answers, guys.
> 
> Simo, I would be very interested in this feature list in fact.
> Do you know if there is a way to find it?
> I would really need it, it would help a lot.

You can start from here: http://www.freeipa.org/page/Documentation
For example, under the "by component" part, although that does not make
you understand all the work behind the installer, which was the first
big chunk of work when we started 8 years ago.

Simo.

> Best regards.
> 
> Bahan
> 
> On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek  wrote:
> 
> > On 01/13/2016 03:57 PM, bahan w wrote:
> > > Re.
> > >
> > > Thanks to both of you for your answers.
> > >
> > > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the
> > same
> > > kind of service that we want from IPA, even if it is not embedded in
> > > integrated solution like IPA.
> > >
> > > I totally agree that IPA provides a lot of things but I am quite sure the
> > > isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and
> > a
> > > cache client like sssd or nscd/nslcd can work.
> >
> > It "can" work. But home grown solutions like that require non-trivial
> > effort to
> > even get started.
> >
> > As soon as you have more requests on such home grown infrastructure, you
> > will
> > need to implement enhancements (like something cert or DNS related). At
> > that
> > moment, you may realize you are re-implementing what FreeIPA may support
> > already. FreeIPA project was started for a reason :-)
> >
> > > Alexander, when I mention migration, I think of the following actions:
> > > 1. Take the principals that we have for the KDC and recreate them in an
> > MIT
> > > Kerberos KDC architecture
> > > 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> > > openLDAP architecture
> > >
> > > Do you know if there are other things necessary to recreate in the LDAP or
> > > in the KDC?
> > >
> > > Additionally, do you have a list of points which could help to convince
> > to
> > > keep the freeipa architecture?
> > >
> > > Best regards.
> > >
> > > Bahan
> > >
> > > On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy 
> > > wrote:
> > >
> > >> On Wed, 13 Jan 2016, bahan w wrote:
> > >>
> > >>> Hello Simo!
> > >>>
> > >>> For the reason:
> > >>> The production team wants to use only the two components openLDAP and
> > MIT
> > >>> Kerberos, possibly on different servers.
> > >>>
> > >>> For the explanation:
> > >>> They want to install only MIT Kerberos and openLDAP.
> > >>> We already have an existing FreeIPA installation, with users, groups,
> > >>> principals, pwpolicies.
> > >>> We would like to migrate this to an openLDAP for the users, groups and
> > >>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm
> > not
> > >>> forgetting anything).
> > >>>
> > >> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
> > >> LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
> > >> schema.
> > >>
> > >> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
> > >> dozen additional plugins. These plugins either don't exist for OpenLDAP
> > >> at all or have different behavior and rely on different LDAP schema.
> > >>
> > >> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> > >> used by the MIT Kerberos LDAP driver because it doesn't know about that
> > >> data, and the OpenLDAP server will not have the same behavior as expected by
> > >> IPA clients (SSSD) for IPA-specific mode.
> > >>
> > >> Whatever your production team is thinking about this move, it is most
> > >> certainly not properly thought out.
> > >>
> > >> --
> > >> / Alexander Bokovoy
> > >>
> > >
> > >
> > >
> >
> >


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Re!

Thanks to both of you again for your answers, guys.

Simo, I would be very interested in this feature list in fact.
Do you know if there is a way to find it?
I would really need it, it would help a lot.

Best regards.

Bahan

On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek  wrote:

> On 01/13/2016 03:57 PM, bahan w wrote:
> > Re.
> >
> > Thanks to both of you for your answers.
> >
> > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the
> same
> > kind of service that we want from IPA, even if it is not embedded in
> > integrated solution like IPA.
> >
> > I totally agree that IPA provides a lot of things but I am quite sure the
> > isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and
> a
> > cache client like sssd or nscd/nslcd can work.
>
> It "can" work. But home grown solutions like that require non-trivial
> effort to
> even get started.
>
> As soon as you have more requests on such home grown infrastructure, you
> will
> need to implement enhancements (like something cert or DNS related). At
> that
> moment, you may realize you are re-implementing what FreeIPA may support
> already. FreeIPA project was started for a reason :-)
>
> > Alexander, when I mention migration, I think of the following actions:
> > 1. Take the principals that we have for the KDC and recreate them in an
> MIT
> > Kerberos KDC architecture
> > 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> > openLDAP architecture
> >
> > Do you know if there are other things necessary to recreate in the LDAP or
> > in the KDC?
> >
> > Additionally, do you have a list of points which could help to convince
> to
> > keep the freeipa architecture?
> >
> > Best regards.
> >
> > Bahan
> >
> > On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy 
> > wrote:
> >
> >> On Wed, 13 Jan 2016, bahan w wrote:
> >>
> >>> Hello Simo!
> >>>
> >>> For the reason:
> >>> The production team wants to use only the two components openLDAP and
> MIT
> >>> Kerberos, possibly on different servers.
> >>>
> >>> For the explanation:
> >>> They want to install only MIT Kerberos and openLDAP.
> >>> We already have an existing FreeIPA installation, with users, groups,
> >>> principals, pwpolicies.
> >>> We would like to migrate this to an openLDAP for the users, groups and
> >>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm
> not
> >>> forgetting anything).
> >>>
> >> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
> >> LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
> >> schema.
> >>
> >> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
> >> dozen additional plugins. These plugins either don't exist for OpenLDAP
> >> at all or have different behavior and rely on different LDAP schema.
> >>
> >> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> >> used by the MIT Kerberos LDAP driver because it doesn't know about that
> >> data, and the OpenLDAP server will not have the same behavior as expected by
> >> IPA clients (SSSD) for IPA-specific mode.
> >>
> >> Whatever your production team is thinking about this move, it is most
> >> certainly not properly thought out.
> >>
> >> --
> >> / Alexander Bokovoy
> >>
> >
> >
> >
>
>

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Martin Kosek
On 01/13/2016 03:57 PM, bahan w wrote:
> Re.
> 
> Thanks to both of you for your answers.
> 
> Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
> kind of service that we want from IPA, even if it is not embedded in
> integrated solution like IPA.
> 
> I totally agree that IPA provides a lot of things but I am quite sure the
> isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> cache client like sssd or nscd/nslcd can work.

It "can" work. But home grown solutions like that require non-trivial effort to
even get started.

As soon as you have more requests on such home grown infrastructure, you will
need to implement enhancements (like something cert or DNS related). At that
moment, you may realize you are re-implementing what FreeIPA may support
already. FreeIPA project was started for a reason :-)

> Alexander, when I mention migration, I think of the following actions:
> 1. Take the principals that we have for the KDC and recreate them in an MIT
> Kerberos KDC architecture
> 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> openLDAP architecture
> 
> Do you know if there are other things necessary to recreate in the LDAP or
> in the KDC?
> 
> Additionally, do you have a list of points which could help to convince to
> keep the freeipa architecture?
> 
> Best regards.
> 
> Bahan
> 
> On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy 
> wrote:
> 
>> On Wed, 13 Jan 2016, bahan w wrote:
>>
>>> Hello Simo!
>>>
>>> For the reason:
>>> The production team wants to use only the two components openLDAP and MIT
>>> Kerberos, possibly on different servers.
>>>
>>> For the explanation:
>>> They want to install only MIT Kerberos and openLDAP.
>>> We already have an existing FreeIPA installation, with users, groups,
>>> principals, pwpolicies.
>>> We would like to migrate this to an openLDAP for the users, groups and
>>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
>>> forgetting anything).
>>>
>> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
>> LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
>> schema.
>>
>> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
>> dozen additional plugins. These plugins either don't exist for OpenLDAP
>> at all or have different behavior and rely on different LDAP schema.
>>
>> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
>> used by the MIT Kerberos LDAP driver because it doesn't know about that
>> data, and the OpenLDAP server will not have the same behavior as expected by
>> IPA clients (SSSD) for IPA-specific mode.
>>
>> Whatever your production team is thinking about this move, it is most
>> certainly not properly thought out.
>>
>> --
>> / Alexander Bokovoy
>>
> 
> 
> 



Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Loris Santamaria
On Wed, 13-01-2016 at 15:57 +0100, bahan w wrote:
> Re.
> 
> Thanks to both of you for your answers.
> 
> Simo, MIT Kerberos and OpenLDAP can work on their own and provide the
> same kind of service that we want from IPA, even if it is not
> embedded in integrated solution like IPA.
> 
> I totally agree that IPA provides a lot of things but I am quite sure
> the isolated software like MIT Kerberos for Kerberos, OpenLDAP for
> LDAP and a cache client like sssd or nscd/nslcd can work.
Yes, they work. I installed some similar solutions ten years ago. Then
I began using freeipa and never looked back.
> Alexander, when I mention migration, I think of the following actions:
> 1. Take the principals that we have for the KDC and recreate them in an
> MIT Kerberos KDC architecture
> 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> openLDAP architecture
> 
You should first set up openldap following their various howtos, then
set up kerberos with the ldap kdb driver, then dump ldap data from IPA,
massage it into something acceptable for openldap and your chosen schema,
then add it using ldapadd or slapadd. After that you'll want to tune
openldap and add all the needed indexes. You should think about
replication. You should think about security. You should think about
ldap administration.
Good luck, you will need it.
> Do you know if there are other things necessary to recreate in the
> LDAP or in the KDC?
> 
> Additionally, do you have a list of points which could help to convince to
> keep the freeipa architecture?
> 
> Best regards.
> 
> Bahan

> On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy wrote:
> > On Wed, 13 Jan 2016, bahan w wrote:
> > > Hello Simo!
> > > 
> > > For the reason:
> > > The production team wants to use only the two components openLDAP and MIT
> > > Kerberos, possibly on different servers.
> > > 
> > > For the explanation:
> > > They want to install only MIT Kerberos and openLDAP.
> > > We already have an existing FreeIPA installation, with users, groups,
> > > principals, pwpolicies.
> > > We would like to migrate this to an openLDAP for the users, groups and
> > > pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
> > > forgetting anything).
> > 
> > FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
> > LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
> > schema.
> > 
> > Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
> > dozen additional plugins. These plugins either don't exist for OpenLDAP
> > at all or have different behavior and rely on different LDAP schema.
> > 
> > In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> > used by the MIT Kerberos LDAP driver because it doesn't know about that
> > data, and the OpenLDAP server will not have the same behavior as expected by
> > IPA clients (SSSD) for IPA-specific mode.
> > 
> > Whatever your production team is thinking about this move, it is most
> > certainly not properly thought out.
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford




Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Hello Simo!

For the reason:
The production team wants to use only the two components openLDAP and MIT
Kerberos, possibly on different servers.

For the explanation:
They want to install only MIT Kerberos and openLDAP.
We already have an existing FreeIPA installation, with users, groups,
principals, pwpolicies.
We would like to migrate this to an openLDAP for the users, groups and
pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
forgetting anything).

Best regards.

Bahan

On Wed, Jan 13, 2016 at 2:58 PM, Simo Sorce  wrote:

> On Wed, 2016-01-13 at 14:54 +0100, bahan w wrote:
> > Hello!
> >
> > I am sending you this mail because I have a question about the migration
> > from the IPA distribution to the separate components.
> >
> > With FreeIPA, we are using only:
> > - MIT Kerberos
> > - DS389
> > - The PKI CA is installed but not used from our side
> >
> > Is it possible to migrate to the following separate components:
> > - MIT Kerberos (we keep the same)
> > - OpenLDAP
> >
> > I often found documentation to migrate from MIT Kerberos and OpenLDAP to
> > FreeIPA but not the opposite.
>
> Can you explain what you mean by "migrate to the following separate
> components"? And why do you want to do so?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Alexander Bokovoy

On Wed, 13 Jan 2016, bahan w wrote:

> Hello Simo!
> 
> For the reason:
> The production team wants to use only the two components openLDAP and MIT
> Kerberos, possibly on different servers.
> 
> For the explanation:
> They want to install only MIT Kerberos and openLDAP.
> We already have an existing FreeIPA installation, with users, groups,
> principals, pwpolicies.
> We would like to migrate this to an openLDAP for the users, groups and
> pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
> forgetting anything).

FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
schema.

Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
dozen additional plugins. These plugins either don't exist for OpenLDAP
at all or have different behavior and rely on different LDAP schema.

In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
used by the MIT Kerberos LDAP driver because it doesn't know about that
data, and the OpenLDAP server will not have the same behavior as expected by
IPA clients (SSSD) for IPA-specific mode.

Whatever your production team is thinking about this move, it is most
certainly not properly thought out.

--
/ Alexander Bokovoy



Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
On Wed, 2016-01-13 at 15:10 +0100, bahan w wrote:
> Hello Simo!
> 
> For the reason:
> The production team wants to use only the two components openLDAP and MIT
> Kerberos, possibly on different servers.
> 
> For the explanation:
> They want to install only MIT Kerberos and openLDAP.
> We already have an existing FreeIPA installation, with users, groups,
> principals, pwpolicies.
> We would like to migrate this to an openLDAP for the users, groups and
> pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
> forgetting anything).

Sorry but FreeIPA is not just a generic directory server and an MIT KDC,
it is an integrated solution. There is no path to use loose parts
instead of the integrated set.

I do not mean this snarkily in any way, but with a car analogy what you
asked is something like: can we migrate this Toyota Corolla to a set of
loose parts (including an engine from Mercedes and the chassis of a
Honda) that our mechanic can put together?

Simo.

> Best regards.
> 
> Bahan
> 
> On Wed, Jan 13, 2016 at 2:58 PM, Simo Sorce  wrote:
> 
> > On Wed, 2016-01-13 at 14:54 +0100, bahan w wrote:
> > > Hello!
> > >
> > > I am sending you this mail because I have a question about the migration
> > > from the IPA distribution to the separate components.
> > >
> > > With FreeIPA, we are using only:
> > > - MIT Kerberos
> > > - DS389
> > > - The PKI CA is installed but not used from our side
> > >
> > > Is it possible to migrate to the following separate components:
> > > - MIT Kerberos (we keep the same)
> > > - OpenLDAP
> > >
> > > I often found documentation to migrate from MIT Kerberos and OpenLDAP to
> > > FreeIPA but not the opposite.
> >
> > Can you explain what you mean by "migrate to the following separate
> > components"? And why do you want to do so?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Re.

Thanks to both of you for your answers.

Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
kind of service that we want from IPA, even if it is not embedded in
integrated solution like IPA.

I totally agree that IPA provides a lot of things but I am quite sure the
isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
cache client like sssd or nscd/nslcd can work.

Alexander, when I mention migration, I think of the following actions:
1. Take the principals that we have for the KDC and recreate them in an MIT
Kerberos KDC architecture
2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
openLDAP architecture

Do you know if there are other things necessary to recreate in the LDAP or
in the KDC?

Additionally, do you have a list of points which could help to convince to
keep the freeipa architecture?

Best regards.

Bahan

On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy 
wrote:

> On Wed, 13 Jan 2016, bahan w wrote:
>
>> Hello Simo!
>>
>> For the reason:
>> The production team wants to use only the two components openLDAP and MIT
>> Kerberos, possibly on different servers.
>>
>> For the explanation:
>> They want to install only MIT Kerberos and openLDAP.
>> We already have an existing FreeIPA installation, with users, groups,
>> principals, pwpolicies.
>> We would like to migrate this to an openLDAP for the users, groups and
>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
>> forgetting anything).
>>
> FreeIPA provides its own LDAP driver for MIT Kerberos that relies on the IPA
> LDAP schema. The standard MIT Kerberos LDAP driver does not support the IPA
> schema.
>
> Additionally, the 389-ds LDAP server FreeIPA uses is coupled with about two
> dozen additional plugins. These plugins either don't exist for OpenLDAP
> at all or have different behavior and rely on different LDAP schema.
>
> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> used by the MIT Kerberos LDAP driver because it doesn't know about that
> data, and the OpenLDAP server will not have the same behavior as expected by
> IPA clients (SSSD) for IPA-specific mode.
>
> Whatever your production team is thinking about this move, it is most
> certainly not properly thought out.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
On Wed, 2016-01-13 at 15:57 +0100, bahan w wrote:
> Re.
> 
> Thanks to both of you for your answers.
> 
> Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
> kind of service that we want from IPA, even if it is not embedded in
> integrated solution like IPA.
> 
> I totally agree that IPA provides a lot of things but I am quite sure the
> isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
> cache client like sssd or nscd/nslcd can work.

I know they *can* work, but there is no "migration" path there because
they are not a solution, they are a bag of parts you need to manually
configure and integrate on your own.

> Alexander, when I mention migration, I think of the following actions:
> 1. Take the principals that we have for the KDC and recreate them in an MIT
> Kerberos KDC architecture

If you know how to deploy openldap+MIT kdc you should know how to do
this; if you do not, you should ask yourself if you can support your
plan, because you'll be on your own there.

> 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> openLDAP architecture

This is also just a matter of playing with LDIFs (depending on how close
or far the schema you'll choose for your custom solution is) and you
should know how to do this if you are planning on your own custom setup.
Again, if you don't, you should ask yourself how likely it is you'll be
able to support yourself.

> Do you know if there are other things necessary to recreate in the LDAP or
> in the KDC?

Look at kdb5_ldap_util from MIT krb5.

> Additionally, do you have a list of points which could help to convince to
> keep the freeipa architecture?

The FreeIPA installer goes through a few hundred steps just to set up
the system, and this does not take into account the integration plugins
we built, and the management features that will be completely missing in
a bare openldap+mit system for things as simple as "allow a non-ldap
expert to create a user, manage its passwords and groups", also access
control, delegation, etc. The feature list is huge.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

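Loris's recipe (dump the IPA LDAP data, massage it into something OpenLDAP and your chosen schema accept, load it with ldapadd or slapadd) and Simo's remark that step 2 is "a matter of playing with LDIFs" are where a migration like this actually gets done, so here is what that massaging looks like in practice. This is an added example written for this page; it is not code from the thread or from the FreeIPA project. It parses an LDIF dump, strips what Alexander says cannot cross over (the ipa*/krb* schema and data that the 389-ds plugins maintain, such as memberOf), moves entries from IPA's cn=accounts containers to a conventional ou=people/ou=groups layout, and reports the things that silently break if imported as-is: accounts locked with nsAccountLock (dropping that attribute reactivates them, since OpenLDAP does not know it), userPassword hashes in a scheme stock slapd does not verify (the example whitelists {SSHA}, {SHA}, {SMD5}, {MD5} and {CRYPT}, the schemes built into slapd, and flags anything else, such as a PBKDF2 scheme written by 389-ds), and groups that are both posixGroup and groupOfNames (both STRUCTURAL in OpenLDAP's nis.schema, so slapd rejects the entry unless rfc2307bis is loaded). Kerberos keys are deliberately not carried over: principals have to be recreated in the new KDC, which is Bahan's step 1 and where kdb5_ldap_util, as Simo suggests, comes in. The suffix dc=example,dc=com, the container mapping, the attribute and object class lists, and the sample LDIF (including its hash and key values) are all assumptions constructed for the example; check them against your own export before trusting the output.

```python
import base64
import re

DN_MAP = {  # assumed layout: IPA's cn=accounts containers -> a hand-built ou=people / ou=groups
    "cn=users,cn=accounts,dc=example,dc=com": "ou=people,dc=example,dc=com",
    "cn=groups,cn=accounts,dc=example,dc=com": "ou=groups,dc=example,dc=com",
}
DROP_PREFIXES = ("ipa", "krb", "mep")   # IPA schema, IPA KDC driver data, managed-entries plugin
DROP_ATTRS = {"memberof", "nsaccountlock", "nsuniqueid", "entryusn", "entryid", "parentid",
              "creatorsname", "modifiersname", "createtimestamp", "modifytimestamp"}
DROP_CLASSES = {"inetuser", "nestedgroup"}  # 389-ds schema, absent from OpenLDAP core/nis
PW_SCHEMES_OK = {"{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}"}  # verified by stock slapd
SAFE = re.compile(r"^([\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*)?$")


def parse_ldif(text):
    """LDIF -> [(dn, [(attr, value), ...])]; unfolds lines, decodes '::' base64 values."""
    entries, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append((current[0][1], current[1:]))     # first attribute is the dn
                current = []
        elif not line.startswith(("#", "version:")):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):   # binary (krbPrincipalKey) decodes lossily; dropped later anyway
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.lstrip(" ")
            current.append((name, value))
    return entries


def rewrite_dn(dn, dn_map):
    """Move a DN (entry or member reference) from its IPA container to the OpenLDAP one."""
    for old, new in dn_map.items():
        if dn.lower().endswith("," + old.lower()):
            return dn[:len(dn) - len(old)] + new
    return dn


def convert(entries, dn_map=DN_MAP):
    """Return (openldap_entries, findings); findings are what an admin must handle by hand."""
    out, findings = [], []
    for dn, attrs in entries:
        if dn.lower() in {k.lower() for k in dn_map}:   # the IPA container itself: create the OU by hand
            continue
        new_dn, new_attrs, classes = rewrite_dn(dn, dn_map), [], []
        for name, value in attrs:
            lname, lvalue = name.lower(), value.lower()
            if lname.startswith(DROP_PREFIXES) or lname in DROP_ATTRS:
                if lname == "nsaccountlock" and lvalue == "true":
                    findings.append(f"{new_dn}: LOCKED in IPA, lock it in OpenLDAP too or it comes back active")
                continue                     # IPA-, KDC- and plugin-owned data never crosses over
            if lname == "objectclass":
                if lvalue.startswith(DROP_PREFIXES) or lvalue in DROP_CLASSES:
                    continue
                classes.append(lvalue)
            elif lname in ("member", "uniquemember"):
                value = rewrite_dn(value, dn_map)
            elif lname == "userpassword":
                scheme = value[:value.find("}") + 1].upper()       # "" when stored in the clear
                if scheme not in PW_SCHEMES_OK:
                    findings.append(f"{new_dn}: userPassword scheme '{scheme}' not verified by stock slapd, force a reset")
            new_attrs.append((name, value))
        if "posixgroup" in classes and "groupofnames" in classes:
            findings.append(f"{new_dn}: posixGroup and groupOfNames are both STRUCTURAL in nis.schema, use rfc2307bis")
        out.append((new_dn, new_attrs))
    return out, findings


def to_ldif(entries):
    """Serialise for ldapadd/slapadd; values that are not RFC 2849 SAFE-STRINGs go out as '::' base64."""
    def line(name, value):
        if SAFE.match(value):
            return f"{name}: {value}"
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return "\n\n".join("\n".join([line("dn", dn)] + [line(n, v) for n, v in attrs])
                       for dn, attrs in entries) + "\n"


# Constructed sample, roughly what a db2ldif export looks like for one IPA user and one group.
SAMPLE_IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: ipaobject
uid: alice
homeDirectory: /home/al
 ice
krbPrincipalKey:: MIIBAgEBAQEBAQE=
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
nsAccountLock: TRUE
userPassword: {PBKDF2_SHA256}AAAgAGNvbnN0cnVjdGVk
description:: Wm/Dqw==

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: posixgroup
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
"""
```

Run it as `entries, findings = convert(parse_ldif(open("ipa.ldif").read()))` on a db2ldif export and hand `to_ldif(entries)` to slapadd; every line in `findings` is work to do before go-live, not a warning to skip. Values given by URL (`:<`) are not handled, and the rest of the thread's list still stands after this step: password policies, access control and delegation live in IPA-specific entries this script simply drops.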