Hi everybody,

I hope I chose the right forum for my question.

I'm evaluating IPA on Red Hat Enterprise 6.1 and everything works fine but I couldn't find anything neither on the documentation nor on internet about "how to setup multiple ldap domains".

Basically on Solaris 10 server I had three ldap domains: 1.com, 2.com and the globaldomain.com.
1.com and 2.com contained the referrals to the globaldomain.
Now I must reproduce this environment on Linux RHEL with IPA, but at the moment, I really can't find a way to do the same.

Is there someone who knows if is possible to setup multiple ldap domains on the same server and if is not, can you provide me the source of the information?
If really I can't do it, I have to proove that.

Thank you very much in advance.

Sintaxerror

Usually with ldap referrals you'd delegate a subtree like:

Server1: main.com
Server2: child.main.com

IPA uses a Fedora Directory Server so there's no reason you can't host multiple "domains". Try the documentation here, it's pretty heavy but covers a lot.

1 members found this post helpful.

Hi Kbp,

I'm trying to do something a little bit different with the referrals and as you said, IPA uses a Fedora Dir Server but according to the RHEL 6.1 IPA documentation, "Direct modifications to the DS data is strongly discouraged unless explicitly mentioned in the documentation.". And on the documentation they never refers to "domains creation". That action is performed only during the first installation or, don't know, probably during the migration.

In this case I need to follow almost exactly what is officially realeased with the IPA product for RHEL 6.1.
Create multiple domains doesn't seems to be possible using integrated IPA commands or GUI, that's why what I need to known is if there's a way to setup multiple ldap domains with IPA commands, or, if there's something official that says: "is possible to do with ldapmodify following this steps and it will not cause problems".

I don't know if I explained well what I'm looking for.. my english is not so good, sorry about that

Cheers.

Sintaxerror.

The whole purpose of IPA is to glue together all the components (ldap, kerberos, dns, ntp etc..) and make it easy to set up a single sign on / central authentication system, if you look at it from a windows point of view - you can't configure a server to be a domain controller for more than one domain.

When you say "domain" in terms of ldap it's not really accurate, ldap is just a directory and can host as many "trees" as you like. Kerberos is really the domain part as it provides single sign on to participating users.

I suppose what I'm trying to say is that you can have multiple domains but a host can't belong to more than one at a time so IPA won't give you that functionality on a single host. You can manage the ldap directory separately and add extra organisations or trees but they won't be part of IPA

hth