[Freeipa-users] FreeIPA deployment questions (Open Directory)

Brian Topping topping at codehaus.org
Thu Feb 16 02:58:01 UTC 2012


Hi Rob, thanks for your responses!

On Feb 15, 2012, at 12:16 AM, Rob Crittenden wrote:

> 389-ds is our LDAP server so we generally support what it can do. AFAIK it does not do replication with OD. What is it you want to replicate, what direction, etc?

It seems like users and groups are going to need to be synchronized, but I don't really know. OD has 'apple-user' and 'apple-group' schemas which have zero mandatory attributes.  FreeIPA has ipaObject which has the ipaUniqueid mandatory attribute.  

This is the first time I'm trying these things with LDAP, but it seems that if an object is created on FreeIPA, could it be replicated to OD?  apple-user and apple-group have no mandatory attributes, and once it is replicated to OD, an admin could run Workgroup Manager and use the "migrate from legacy" tool on the object to create the OD attributes.

So I guess that means I am replicating from FreeIPA to OD, but once changes are made on OD, can I replicate back with the additional attributes that are added?  If not, changes that are made on FreeIPA would seem to overwrite the new attributes added in OD.  Or is there a common way to do this?

Is this a reasonable approach or am I overcomplicating things?

> I've never used the Apache studio but others have reported success. It is probably just a matter of getting your basedn right (e.g. dc=example,dc=com) and perhaps providing a bind user (cn=Directory Manager). Are you getting specific error messages? That might help troubleshoot things.

Ok, for others who may follow, here's what worked for me on connecting with Apache DS:

1. Note that the Directory Manager dn is literally "cn=Directory Manager", not "cn=Directory Manager, dc=example, dc=com".  

2. If SSL is desired, be sure to remember to use port 636 instead of 389.  

This is probably covered in the docs, but alas.  :-)

Cheers, Brian

p.s. Rob, sorry I responded to you directly before, I didn't notice that this list uses "reply-to" of the sender and not the list.
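The two connection gotchas Brian lists (the Directory Manager bind DN has no base-DN suffix, and LDAP over SSL means port 636 rather than 389) are easy to encode as a pre-flight check. The following is an added example, not code from the thread or from the FreeIPA project; the host ipa.example.com and base DN dc=example,dc=com are placeholders, and the ldapsearch command it builds prompts for the password with -W rather than embedding it.

```python
"""Sanity-check FreeIPA LDAP client settings before handing them to a client.

Added example (not from the mailing-list post). It flags the two mistakes the
post describes: appending the base DN to "cn=Directory Manager", and asking
for SSL while still pointing at port 389. Host and base DN are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import shlex

DIRECTORY_MANAGER_DN = "cn=Directory Manager"   # 389-ds root DN, lives outside the suffix
LDAP_PORT = 389
LDAPS_PORT = 636


@dataclass
class LdapSettings:
    host: str
    base_dn: str
    bind_dn: str
    use_ssl: bool
    port: Optional[int] = None


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators so "dc=example, dc=com" compares equal to "dc=example,dc=com"."""
    return ",".join(part.strip() for part in dn.split(","))


def check_settings(s: LdapSettings) -> Tuple[LdapSettings, List[str]]:
    """Return corrected settings plus human-readable warnings for each fix applied."""
    warnings: List[str] = []
    bind_dn = normalize_dn(s.bind_dn)
    base_dn = normalize_dn(s.base_dn)

    # Gotcha 1: "cn=Directory Manager,dc=example,dc=com" is not an entry in the
    # directory; the bind DN must be exactly "cn=Directory Manager".
    if bind_dn.lower().startswith(DIRECTORY_MANAGER_DN.lower() + ","):
        warnings.append(f"bind DN must be exactly '{DIRECTORY_MANAGER_DN}' (no base-DN suffix)")
        bind_dn = DIRECTORY_MANAGER_DN

    # Gotcha 2: SSL (ldaps) listens on 636; a request for SSL on 389 will not connect.
    port = s.port
    if port is None:
        port = LDAPS_PORT if s.use_ssl else LDAP_PORT
    elif s.use_ssl and port == LDAP_PORT:
        warnings.append("SSL requested on port 389; ldaps listens on 636")
        port = LDAPS_PORT
    elif not s.use_ssl and port == LDAPS_PORT:
        warnings.append("port 636 is the ldaps port; enable SSL or use port 389")

    # A simple bind without SSL sends the password in clear text, which matters
    # most for the all-powerful Directory Manager account.
    if bind_dn == DIRECTORY_MANAGER_DN and not s.use_ssl:
        warnings.append("binding as Directory Manager without SSL sends the password in clear text")

    return LdapSettings(s.host, base_dn, bind_dn, s.use_ssl, port), warnings


def ldapsearch_command(s: LdapSettings, search_filter: str = "(objectClass=*)") -> str:
    """Build a shell-safe ldapsearch command line; -W prompts for the password instead of embedding it."""
    scheme = "ldaps" if s.use_ssl else "ldap"
    args = ["ldapsearch", "-H", f"{scheme}://{s.host}:{s.port}",
            "-D", s.bind_dn, "-W", "-b", s.base_dn, search_filter]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed input reproducing the mistake from the post: suffixed bind DN, SSL, no port.
    raw = LdapSettings("ipa.example.com", "dc=example, dc=com",
                       "cn=Directory Manager, dc=example, dc=com", use_ssl=True)
    fixed, notes = check_settings(raw)
    for note in notes:
        print("warning:", note)
    print(ldapsearch_command(fixed))
```

The same check works for a dedicated, less privileged bind account: only the suffix rule is specific to Directory Manager, and the port rule applies to any ldaps client.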



