#5039 question
Closed: Invalid None Opened 8 years ago by edg91.

Dear freeIPA team,

I am not facing any issue with freeIPA, only preparing a migration to trust domains. I hope someone will have time to answer my question.

Today, my infrastructure is Win2008R2 AD (with posix attributes). Linux machines are added to AD 2008 R2 domain as single system (using SSSD).
The homedirs of my users are centralized on a Netapp FAS2040, configured in a mixed environment (AD + NIS). The Win2008R2 server is also configured as a NIS server.
On the Netapp, the NIS server is set to my Win2008R2 IP address.

For the future, I would like to upgrade to Win2012R2, and install a freeIPA with trust and view (for AD users mapping to unix attributes), and keep my NetApp FAS for the homedir.
What will become of the NIS configuration on the NETAPP FAS? Can the freeIPA server work as a NIS server for the netapp if only views are added for my AD user posix mapping?
I notice that freeIPA can be configured as limited NIS server (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/migrating-from-nis.html) with # ipa-nis-manage enable

Can it be a solution?

Best Regards,
Ed


The question translates to: is nis-plugin using compat tree?

I think the answer is no. Can it be made so with some reconfiguration - probably.
But before we go this route I would like to understand the NIS requirement. Can NetApp filer support LDAP rather than NIS? If yes I suggest exploring the LDAP configuration filer rather than NIS.

Hello,

Thank you for the answer.
Yes, my Netapp filer supports LDAP; but volumes are configured in mixed mode (security style), in order to enable access to both AD windows users + NFS users with NIS.
I am not an expert in Netapp configuration, I do not know if there is a way to keep mixed mode with CIFS (ntfs AD controller) + LDAP (posix freeIPA controller).
Was the way you suggested to configure only LDAP?

I am not an expert in NetApp devices either but yes, if the device supports mixed mode with NIS it most likely supports mixed mode with LDAP instead of NIS.

OK, this is good news.
For LDAP authentication, it should work with my freeIPA server only configured with views.

I have another question: today I have a postfix-dovecot mailer configured to work with my AD server (/etc/pam.d/dovecot is a copy of /etc/pam.d/system-auth-ac of single system SSSD).

To change to freeIPA, I found this tutorial:
http://www.freeipa.org/page/Dovecot_Integration

What about dovecot authentication if my freeIPA server is configured only with views? Can it work as well?

You can do authentication against the view but the password change would not work, it is not yet implemented. There is a ticket for that.

I am going to close the ticket as the issue seems to be resolved.
Feel free to re-open. These questions are better asked on freeipa-users list.

Metadata Update from @edg91:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
