[Freeipa-devel] freeIPA and NIS
Rob Crittenden
rcritten at redhat.com
Fri Aug 8 12:43:39 UTC 2008
Ahmed Kamal wrote:
> Hi,
> Thanks for freeIPA, keep up the awesome work. I have a couple of
> questions please
>
> -Does freeIPA offer a migration path off of NIS? (to maintain same
> UID/GIDs)?
We don't currently provide any tools for this, no. It should be possible
to migrate the user/group information over using the admin tools. It is
possible to set UID and GID values with those (as a modify after the
user/group is added).
> -Can the freeIPA server present itself as a NIS server as well (same
> UID/GID), this is for clients that can't join freeIPA domain (like NAS
> boxes?)
A plugin is being developed for the directory server that can act as a
NIS server. It was recently approved for inclusion in Fedora but has not
yet been built. You can follow its progress at
https://bugzilla.redhat.com/show_bug.cgi?id=456150
We are initially focusing on the "Schema Compatibility" plugin provided
by that so that Solaris nss_ldap will work out-of-the-box and we don't
need to use the PADL version. This will make it easier for workstations
to join without having to install and configure additional software. The
problem is that Solaris doesn't handle the memberOf attribute at all.
> -I am considering running open-solaris (for ZFS as a storage box), did
> any of you guys try joining that to freeIPA? Any idea if their
> in-kernel CIFS server would recognize users uid/gid as stored in ldap
> and that would be the same as used on NFS!
I don't believe we tried that specifically but 8, 9 and 10 work ok so it
is probably a fairly safe assumption that this will work. I would assume
that the OS would rely on whatever nss said the uid/gid numbers were so
I would think it would work the same with CIFS and NFS (and everything
else).
> -FreeIPA2 should be out fairly soon, is there a final word on how the
> Windows integration is going to look like (particularly if there's no AD)?
We are still working on this piece. The first step is going to be some
limited syncing of users and passwords, later adding a more robust solution.
If you have any specific needs please let us know. This can be very
complex as some people want to only sync certain parts of their tree,
only in one direction, etc. So the more requirements we gather the
better the first release will be.
thanks
rob