[Freeipa-devel] freeIPA and NIS

Rob Crittenden rcritten at redhat.com
Fri Aug 8 12:43:39 UTC 2008


Ahmed Kamal wrote:
> Hi,
> Thanks for freeIPA, keep up the awesome work. I have a couple of 
> questions please
> 
> -Does freeIPA offer a migration path off of NIS ? (to maintain same 
> UID/GIDs) ?

We don't currently provide any tools for this, no. It should be possible 
to migrate the user/group information over using the admin tools. It is 
possible to set UID and GID values with those (as a modify after the 
user/group is added).

> -Can the freeIPA server present itself as a NIS server as well (same 
> UID/GID), this is for clients that can't join freeIPA domain (like NAS 
> boxes?)

A plugin is being developed for the directory server that can act as a 
NIS server. It was recently approved for inclusion in Fedora but has not 
yet been built. You can follow its progress at 
https://bugzilla.redhat.com/show_bug.cgi?id=456150

We are initially focusing on the "Schema Compatibility" plugin provided 
by that so that Solaris nss_ldap will work out-of-the-box and we don't 
need to use the PADL version. This will make it easier for workstations 
to join without having to install and configure additional software. The 
problem is that Solaris doesn't handle the memberOf attribute at all.

> -I am considering running open-solaris (for ZFS as a storage box), did
> any of you guys try joining that to freeIPA ? Any idea if their
> in-kernel CIFS server would recognize users uid/gid as stored in ldap
> and that would be the same as used on NFS!

I don't believe we tried that specifically but 8, 9 and 10 work ok so it 
is probably a fairly safe assumption that this will work. I would assume 
that the OS would rely on whatever nss said the uid/gid numbers were so 
I would think it would work the same with CIFS and NFS (and everything 
else).

> -FreeIPA2 should be out fairly soon, is there a final word on how the 
> Windows integration is going to look like (particularly if there's no AD) ?

We are still working on this piece. The first step is going to be some 
limited syncing of users and passwords, later adding a more robust solution.

If you have any specific needs please let us know. This can be very 
complex as some people want to only sync certain parts of their tree, 
only in one direction, etc. So the more requirements we gather the 
better the first release will be.

thanks

rob