[Freeipa-users] Questions about FreeIPA vs 389DS
mailing lists
2012-09-13 13:01:53 UTC
Hello all,

It is difficult for newcomers to cope with all this 389DS/FreeIPA stuff; after reading the project documentation and several mail messages in the archives I still have some unanswered questions, so I would be very grateful if list members could answer the following doubts.

I need to use services in an Active Directory environment and the WinSync solution has important limitations: the MODRDN operation is not handled correctly, losing the relation with AD objects (it deletes and adds the entry so a new SID and GUID is assigned). The upcoming "IPAv3 Trust" feature seems very promising because AFAIK no synchronization is necessary, but by using IPA it seems very restrictive to support current applications which need an LDAP hierarchical tree, custom schema with custom objectclasses and attributes, custom ACLs for applications... I know about Directory Server virtual views, but I'm worried about the consequences of low-level manipulation of the FreeIPA Directory Server instance.

So how are others solving this paradox?
Do they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
Do they add custom schemas to FreeIPA 389DS?
Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
What about upgrades after these modifications were done?
Rich Megginson
2012-09-13 14:57:31 UTC
Post by mailing lists
Hello all,
It is difficult for newcomers to cope with all this 389DS/FreeIPA stuff; after reading the project documentation and several mail messages in the archives I still have some unanswered questions, so I would be very grateful if list members could answer the following doubts.
I need to use services in an Active Directory environment and the WinSync solution has important limitations: the MODRDN operation is not handled correctly, losing the relation with AD objects (it deletes and adds the entry so a new SID and GUID is assigned),
What version of 389-ds-base are you using?
Post by mailing lists
the upcoming "IPAv3 Trust" feature seems very promising because AFAIK no synchronization is necessary, but by using IPA it seems very restrictive to support current applications which need an LDAP hierarchical tree, custom schema with custom objectclasses and attributes, custom ACLs for applications... I know about Directory Server virtual views, but I'm worried about the consequences of low-level manipulation of the FreeIPA Directory Server instance.
So how are others solving this paradox?
Do they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
Do they add custom schemas to FreeIPA 389DS?
Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
What about upgrades after these modifications were done?
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Dmitri Pal
2012-09-13 22:43:32 UTC
Post by Rich Megginson
Post by mailing lists
Hello all,
It is difficult for newcomers to cope with all this 389DS/FreeIPA
stuff; after reading the project documentation and several mail
messages in the archives I still have some unanswered questions, so I
would be very grateful if list members could answer the following
doubts.
I need to use services in an Active Directory environment and the
WinSync solution has important limitations: the MODRDN operation is
not handled correctly, losing the relation with AD objects (it deletes
and adds the entry so a new SID and GUID is assigned),
What version of 389-ds-base are you using?
Post by mailing lists
the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
no synchronization is necessary, but by using IPA it seems very
restrictive to support current applications which need an LDAP
hierarchical tree, custom schema with custom objectclasses and
attributes, custom ACLs for applications... I know about Directory
Server virtual views, but I'm worried about the consequences of
low-level manipulation of the FreeIPA Directory Server instance.
So how are others solving this paradox?
Do they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
Do they add custom schemas to FreeIPA 389DS?
Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
What about upgrades after these modifications were done?
If you need this level of flexibility and customization 389 DS is
probably better for you than IPA.
It seems that you want to do a lot of "do it yourself" things. IPA is
more about "use as is with minor tweaks so that you do not need to do it
yourself".
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
mailing lists
2012-09-14 07:31:14 UTC
Hi,
Post by Dmitri Pal
Post by Rich Megginson
Post by mailing lists
I need to use services in an Active Directory environment and the
WinSync solution has important limitations: the MODRDN operation is
not handled correctly, losing the relation with AD objects (it deletes
and adds the entry so a new SID and GUID is assigned),
What version of 389-ds-base are you using?
I did a test between W2008R2 and 389DS 1.2.10.2 and the result was that moving entries from the 389DS console resulted in a delete/add operation in AD, so a new SID and GUID was generated; it broke the group membership and permissions of the AD entry, and the relation between the 389DS entry and the AD entry was also broken.

I think it is related to Error #3 in the RHDS documentation:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Troubleshooting.html
Post by Dmitri Pal
Post by Rich Megginson
Post by mailing lists
the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
no synchronization is necessary, but by using IPA it seems very
restrictive to support current applications which need an LDAP
hierarchical tree, custom schema with custom objectclasses and
attributes, custom ACLs for applications... I know about Directory
Server virtual views, but I'm worried about the consequences of
low-level manipulation of the FreeIPA Directory Server instance.
So how are others solving this paradox?
Do they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
Do they add custom schemas to FreeIPA 389DS?
Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
What about upgrades after these modifications were done?
If you need this level of flexibility and customization 389 DS is
probably better for you than IPA.
It seems that you want to do a lot of "do it yourself" things. IPA is
more about "use as is with minor tweaks so that you do not need to do it
yourself".
I do not want "do it yourself" things if it isn't strictly necessary, but for the external applications, the legacy ones, etc. a minimum level of flexibility is necessary. My questions were about how other admins solved this inconvenience. Was anyone really in a similar situation?

I wonder if it is possible to configure 389DS with samba4 to create a forest trust with AD without FreeIPA ....
Simo Sorce
2012-09-14 12:26:00 UTC
Post by mailing lists
Post by Dmitri Pal
Post by mailing lists
the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
no synchronization is necessary, but by using IPA it seems very
restrictive to support current applications which need an LDAP
hierarchical tree, custom schema with custom objectclasses and
attributes, custom ACLs for applications... I know about Directory
Server virtual views, but I'm worried about the consequences of
low-level manipulation of the FreeIPA Directory Server instance.
So how are others solving this paradox?
Do they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
Do they add custom schemas to FreeIPA 389DS?
Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
What about upgrades after these modifications were done?
If you need this level of flexibility and customization 389 DS is
probably better for you than IPA.
It seems that you want to do a lot of "do it yourself" things. IPA is
more about "use as is with minor tweaks so that you do not need to do it
yourself".
I do not want "do it yourself" things if it isn't strictly necessary,
but for the external applications, the legacy ones, etc. a minimum
level of flexibility is necessary. My questions were about how other
admins solved this inconvenience. Was anyone really in a similar
situation?
It is not clear to me what kind of flexibility you think you need.

The user tree is flat, but you can create a custom subtree and use
custom schema otherwise, just like with any LDAP server.
I have yet to find an application that dictates a hierarchical tree for
users.
Post by mailing lists
I wonder if it is possible to configure 389DS with samba4 to create a
forest trust with AD without FreeIPA ....
No, samba4 DC does not yet support trust relationships.
And Samba4 also only supports using the embedded LDAP server; support for
using third-party directories was dropped a long while ago.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
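As an added illustration of the "custom subtree plus custom schema" route Simo describes (not code from the thread or from the FreeIPA project): the two LDIF documents an admin would feed to ldapmodify against the IPA-managed 389DS instance, one extending cn=schema and one creating a container of our own beside the IPA trees. Every name here is constructed for the example: the suffix dc=example,dc=com, the host ipa.example.com, the container cn=appdata, and the OID arc 1.3.6.1.4.1.99999, which is a placeholder and must be replaced by an arc you actually own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Extends the IPA
# directory with a private subtree and custom schema without touching the
# IPA-managed containers (cn=accounts, cn=etc, ...).
#
# Constructed assumptions: suffix dc=example,dc=com, server ipa.example.com,
# a hypothetical OID arc 1.3.6.1.4.1.99999 (placeholder, not a real assignment).

LDAP_URL="${LDAP_URL:-ldap://ipa.example.com}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
OID_ARC="1.3.6.1.4.1.99999"   # placeholder arc; use your own registered OID

# 1. Schema extension sent to cn=schema. 389DS accepts schema changes over
#    LDAP at runtime and writes them to 99user.ldif in the instance's
#    schema directory, separate from the schema files the packages ship.
schema_ldif() {
    cat <<EOF
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( $OID_ARC.1.1 NAME 'exampleAppRole' DESC 'role string consumed by a legacy application' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( $OID_ARC.2.1 NAME 'exampleAppUser' DESC 'attributes for the legacy application' SUP top AUXILIARY MAY ( exampleAppRole ) X-ORIGIN 'user defined' )
EOF
}

# 2. A container of our own under the suffix, plus one entry inside it that
#    uses the auxiliary class. The IPA user tree stays flat and untouched.
subtree_ldif() {
    cat <<EOF
dn: cn=appdata,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: appdata

dn: cn=legacy-app,cn=appdata,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: exampleAppUser
cn: legacy-app
exampleAppRole: reader
EOF
}

# Apply both documents as Directory Manager (-x simple bind, -W prompts).
apply() {
    schema_ldif  | ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -W
    subtree_ldif | ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -W
}

# Only talk to a live server when RUN_LDAP=1; otherwise print the LDIF so
# it can be reviewed offline.
if [ "${RUN_LDAP:-0}" = "1" ]; then
    apply
else
    schema_ldif
    subtree_ldif
fi
```

The schema change goes first because the subtree LDIF references exampleAppUser; applying the entries before the class exists fails with an objectClass violation. Keeping the entries under a container you created, rather than inside the IPA-managed trees, is what lets the IPA upgrade tooling leave them alone.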
Rich Megginson
2012-09-14 14:30:11 UTC
Post by mailing lists
Hi,
Post by Dmitri Pal
Post by Rich Megginson
Post by mailing lists
I need to use services in an Active Directory environment and the
WinSync solution has important limitations: the MODRDN operation is
not handled correctly, losing the relation with AD objects (it deletes
and adds the entry so a new SID and GUID is assigned),
What version of 389-ds-base are you using?
I did a test between W2008R2 and 389DS 1.2.10.2 and the result was that moving entries from the 389DS console resulted in a delete/add operation in AD, so a new SID and GUID was generated; it broke the group membership and permissions of the AD entry, and the relation between the 389DS entry and the AD entry was also broken.
This is a problem with the 389 console. It doesn't support entry move
or subtree rename. It is doing a delete/add. If you use ldapmodify
with changetype: modrdn you should be able to see entry moves and
subtree renames.
Post by mailing lists
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Troubleshooting.html
Post by Dmitri Pal
Post by Rich Megginson
Post by mailing lists
the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
no synchronization is necessary, but by using IPA it seems very
restrictive to support current applications which need an LDAP
hierarchical tree, custom schema with custom objectclasses and
attributes, custom ACLs for applications... I know about Directory
Server virtual views, but I'm worried about the consequences of
low-level manipulation of the FreeIPA Directory Server instance.
So how are others solving this paradox?
Do they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS?
Do they add custom schemas to FreeIPA 389DS?
Do they do low-level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...?
What about upgrades after these modifications were done?
If you need this level of flexibility and customization 389 DS is
probably better for you than IPA.
It seems that you want to do a lot of "do it yourself" things. IPA is
more about "use as is with minor tweaks so that you do not need to do it
yourself".
I do not want "do it yourself" things if it isn't strictly necessary, but for the external applications, the legacy ones, etc. a minimum level of flexibility is necessary. My questions were about how other admins solved this inconvenience. Was anyone really in a similar situation?
I wonder if it is possible to configure 389DS with samba4 to create a forest trust with AD without FreeIPA ....
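Rich's point above is that the console performs a delete followed by an add, while ldapmodify with changetype: modrdn issues a real rename, which is what the sync side can map to a move of the AD object with its SID, GUID and group memberships intact. The following is an added example, not code from the thread or from the 389DS project, showing the LDIF such an ldapmodify call sends; the server ds.example.com, the bind DN cn=Directory Manager and the entry uid=jdoe are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Builds the LDIF for a
# true MODRDN (rename or move) and hands it to ldapmodify, instead of the
# delete+add sequence the 389 console performs.
#
# Constructed assumptions: server ds.example.com, suffix dc=example,dc=com,
# bind DN cn=Directory Manager, a user entry uid=jdoe.

LDAP_URL="${LDAP_URL:-ldap://ds.example.com}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Emit the LDIF that renames entry $1 to RDN $2 and, if $3 is non-empty,
# moves it under the container $3. deleteoldrdn: 1 removes the old RDN
# value so a renamed user does not keep two uid values.
modrdn_ldif() {
    old_dn="$1"; new_rdn="$2"; new_superior="$3"
    printf 'dn: %s\nchangetype: modrdn\nnewrdn: %s\ndeleteoldrdn: 1\n' \
        "$old_dn" "$new_rdn"
    # newsuperior is only present for a move to another parent; a rename
    # in place omits it.
    if [ -n "$new_superior" ]; then
        printf 'newsuperior: %s\n' "$new_superior"
    fi
}

# Send the LDIF to the server (-x simple bind, -W prompts for the password).
move_entry() {
    modrdn_ldif "$1" "$2" "$3" | ldapmodify -x -H "$LDAP_URL" -D "$BIND_DN" -W
}

# Example: move uid=jdoe from ou=Sales to ou=Engineering, RDN unchanged.
# Only contacts a live server when RUN_LDAP=1; otherwise prints the LDIF.
if [ "${RUN_LDAP:-0}" = "1" ]; then
    move_entry "uid=jdoe,ou=Sales,dc=example,dc=com" "uid=jdoe" \
        "ou=Engineering,dc=example,dc=com"
else
    modrdn_ldif "uid=jdoe,ou=Sales,dc=example,dc=com" "uid=jdoe" \
        "ou=Engineering,dc=example,dc=com"
fi
```

A quick way to confirm which operation actually reached the server is to watch the 389DS access log while the move runs: a genuine rename shows up as a single MODRDN result, whereas the console path shows a DEL followed by an ADD.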