I tested FreeIPA thoroughly.
<cut>
So I went with OpenLDAP.
And on the client: LDAP as ID provider, Kerberos on AD as auth provider.
Just FYI the 3.0 is supposed to address this scenario in the following way.
You make the AD your source of the DNS info. You add entries into AD DNS for the IPA servers so that they can resolve themselves. You install clients with the argument that will tell the SSSD the names of the IPA servers and with the argument to not perform any DNS discovery.
For the authentication you can use AD trust feature or sync users from AD to IPA. I suspect that you already sync accounts to OpenLDAP in some way.
SSSD can be told not to resolve DNS and use the fixed list of servers even now in 1.8. It is the ipa-client that always sticks DNS resolution configuration into the SSSD config, but since you use a custom SSSD configuration anyway, you might very well just remove the _srv_ from the SSSD config using a simple script. This part will be fixed in 3.0, but you have a workaround to try using FreeIPA 2.2 and an adjusted SSSD config.
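The "_srv_ removal" step the reply above describes, as an added example that is not from the thread: a small Python script that strips the `_srv_` discovery token from every `ipa_server` line of an sssd.conf, keeps the explicitly listed servers, and refuses to leave the list empty (which would leave the client with no IPA server at all). The sssd.conf content is constructed for the example; the host names are placeholders.

```python
import re

# Constructed sssd.conf as ipa-client-install typically writes it:
# "_srv_" first, so SRV discovery is tried before the fixed names.
SAMPLE_SSSD_CONF = """[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa1.example.test, ipa2.example.test
ipa_domain = example.test
"""

SRV_TOKEN = "_srv_"
IPA_SERVER_RE = re.compile(r"^(\s*ipa_server\s*=\s*)(.*)$")


def strip_srv_discovery(conf_text):
    """Return (new_conf_text, servers) with _srv_ removed from ipa_server.

    Every other line is passed through untouched so the rest of the file
    keeps its formatting. Raises ValueError if removing _srv_ would leave
    an ipa_server line with no servers, since that config would break
    the client rather than pin it to a fixed list.
    """
    out, servers = [], []
    for line in conf_text.splitlines():
        m = IPA_SERVER_RE.match(line)
        if not m:
            out.append(line)
            continue
        entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
        kept = [e for e in entries if e.lower() != SRV_TOKEN]
        if not kept:
            raise ValueError(
                "ipa_server would be empty after removing _srv_; "
                "add explicit IPA server names first"
            )
        servers = kept
        out.append(m.group(1) + ", ".join(kept))
    return "\n".join(out) + "\n", servers


if __name__ == "__main__":
    new_conf, pinned = strip_srv_discovery(SAMPLE_SSSD_CONF)
    print("pinned IPA servers:", pinned)
    print(new_conf)
```

After rewriting the real file, restart sssd and confirm with the client's own tooling that it still reaches the listed servers before touching DNS.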
Thanks for the info.
FreeIPA will be the next thing, and I believe in it, but not yet. Problem: as LDAP (/IDM) is a very important part of infrastructure, support is needed in a big company.
I can go without support for some months but....
Also:
- waiting on the audit part and some other features
- running on EL6 instead of Fedora
- ...