Anyone using FreeIPA for LDAP authentication?
-
I have seen FreeIPA start to gain a lot of traction in the enterprise due to its slick interface, expanding feature-set, and the backing of Red Hat. We’re already using it at a few sites for local user authentication and for some web services. Has anyone here tried or successfully used FreeIPA as an LDAP backend for Kopano? I will be making my first attempt tomorrow, but it looks like FreeIPA is lacking some of the custom attributes that Kopano uses, and they’ll need to be imported.
-
-
That is correct. I am currently running a test setup using FreeIPA as the LDAP for Kopano. I had to make some minor adjustments (1) to the LDAP schema for the 389 Directory Server to accept the Kopano attributes. After creating a kopano-daemon account and assigning read access to the relevant attributes, I have had no issues using FreeIPA in place of OpenLDAP. I have some notes from my install but they are all in Danish - sorry :-/
I have not yet investigated whether it is possible to add management of the Kopano-related attributes to the IPA user interface. For now I just added kopano-user to Default user objectclasses and manage the content of the Kopano-specific attributes by other means.
My test setup only has 5 users, but I have no reason to believe that scaling would be any problem.
(1) I have temporarily placed a copy of the modified schema file on my webserver. Maybe the Kopano people ( @fbartels ?) would like to include it somewhere on the Kopano site.
-
That schema seems to have worked for me! I am still testing everything, but the user accounts were synced and now show in kopano-admin -l and users can log in and send emails. Thank you!
If I write a FreeIPA Web UI plugin for the Kopano schema, I’ll share it here as well.
-
Glad to be of help. If you happen to put effort into single sign-on, please share your experiences too.
-
@mrmanor said in Anyone using FreeIPA for LDAP authentication?:
Maybe the Kopano people ( @fbartels ?) would like to include it somewhere on the Kopano site.
I’m afraid that if we include it in our official documentation people will expect us to maintain such an integration as well (even if we would put an all caps disclaimer about it). I have meanwhile checked with our support staff and so far we have had zero requests for FreeIPA from our customers.
But let’s focus on something more positive. For the schema and potential GUI integration I would recommend starting a small git repository. The easiest is to host such a repository at GitHub, but I can also provide a repository on our community Bitbucket (stash.z-hub.io). To share the news about the existence of your project we could easily include it in https://stash.z-hub.io/projects/COM/repos/projects-and-resources/browse as well.