> I tested FreeIPA thoroughly.
<cut>
> So I went with OpenLDAP.
>
> And on the client
> LDAP as ID provider
> Kerberos on AD as auth provider
Just FYI, 3.0 is supposed to address this scenario in the following way:
- You make the AD your source of DNS info.
- You add entries into AD DNS for the IPA servers so that they can resolve
themselves.
- You install clients with the argument that tells SSSD the names of the
IPA servers and with the argument to not perform any DNS discovery.
- For the authentication you can use the AD trust feature or sync users from
AD to IPA.
I suspect that you already sync accounts to OpenLDAP in some way.
SSSD can be told not to resolve DNS and to use a fixed list of servers
even now, in 1.8. It is ipa-client that always sticks the DNS resolution
configuration into the SSSD config, but since you use a custom sssd
configuration anyway, you might very well just remove the _srv_ from the
SSSD config using a simple script. This part will be fixed in 3.0, but
you have a workaround to try using FreeIPA 2.2 and an adjusted SSSD config.
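
As an added example (not from the post above and not the FreeIPA project's own code), here is the kind of "simple script" meant above: it strips _srv_ from the ipa_server line that ipa-client writes into sssd.conf, so that SSSD only uses the fixed server list, and it refuses to touch a file that would be left with no server at all. The ipa_server option and the _srv_ marker are the real SSSD ones; the sssd.conf contents, host names and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list post or the FreeIPA project.
# ipa-client writes "ipa_server = _srv_, <server>" into sssd.conf, which makes
# SSSD try DNS SRV discovery first. This removes "_srv_" so SSSD only uses the
# fixed server list. Host names and paths below are constructed for the demo.

# Emit the config with _srv_ removed from every ipa_server line (stdin -> stdout).
strip_srv() {
    sed -e '/^[[:space:]]*ipa_server[[:space:]]*=/s/_srv_[[:space:]]*,[[:space:]]*//g' \
        -e '/^[[:space:]]*ipa_server[[:space:]]*=/s/,[[:space:]]*_srv_[[:space:]]*//g' \
        -e '/^[[:space:]]*ipa_server[[:space:]]*=/s/=[[:space:]]*_srv_[[:space:]]*$/=/'
}

# Return 0 if every ipa_server line still names at least one real server after
# stripping, 1 otherwise (a bare "ipa_server = _srv_" would leave SSSD with nothing).
has_fixed_servers() {
    strip_srv | awk '
        /^[ \t]*ipa_server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            if ($0 == "") bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Rewrite a file in place, after checking it will still list a server.
fix_sssd_conf() {
    conf="$1"
    if ! has_fixed_servers < "$conf"; then
        echo "refusing: $conf would have no ipa_server left after removing _srv_" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # cat into the original keeps its ownership and mode (0600 root for sssd.conf)
    strip_srv < "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample of what ipa-client-install writes (trimmed to the relevant keys).
SAMPLE_CONF='[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa1.example.com, ipa2.example.com
ipa_hostname = client.example.com
cache_credentials = True
'

# Demo on a temporary copy of the sample; prints the resulting ipa_server line.
demo() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_CONF" > "$f"
    fix_sssd_conf "$f" && grep '^ipa_server' "$f"
    rm -f "$f"
}

demo
```

On a real client you would call fix_sssd_conf on /etc/sssd/sssd.conf and restart sssd afterwards; the demo only ever touches a temporary copy of the constructed sample.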
Thanks for the info.
FreeIPA will be the next thing, and I believe in it, but not yet.
Problem: as LDAP (/IDM) is a very important part of the infrastructure,
support is needed in a big company.
I can go without support for some months but....
Also:
- waiting on the audit part and some other features
- running on EL6 instead of Fedora
- ...