<div> </div>
<div>Has anyone on the list set up such a scheme for adding posix attributes to users synced from AD, and would like to comment on this approach?</div>
<div> </div>
<div>I'm thinking that maybe running a cron job (for example a couple of times an hour) that searches for newly added users, then using "ldapmodify" to add the required posix attributes, may be the way to go. </div>

<div> </div>
<div> </div>
<div>Regards,</div>
<div>Kenneth<br><br> </div>
<div><span class="gmail_quote">On 11/10/08, <b class="gmail_sendername">Rich Megginson</b> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span class="q">Kenneth Holter wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Thank you for your reply.<br> Yes, you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.<br>
 Is it so that one usually has an AD/DS setup like this:<br><br>   * users/passwords are synced from AD to DS<br>   * the new users are exported to an ldif file, things such as<br>     posix attributes are added, and the result is reimported into DS<br>
   * users can now log into linux servers (via SSH) that are properly<br>     configured as LDAP clients<br><br>? Just trying to get an understanding of how one usually sets up AD and DS to work together.<br></blockquote></span>I think that's how it usually goes.  Perhaps some other folks that are doing this will chime in.<br>
<br>freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login.  See <a href="http://freeipa.org/">freeipa.org</a><br>

<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span class="q"> <br> On 11/7/08, *Rich Megginson* <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:<br>
<br>   Kenneth Holter wrote:<br><br>        I'm not very into fedora/redhat directory server (DS), but<br>       thought I'd just drop a quick question: It doesn't seem like<br>       Windows Sync is intended for syncing AD users to DS so that<br>
       users defined on AD can be allowed to log into Linux machines.<br><br>   I'm not sure what you mean by that.  Do you mean because the posix<br>   attributes are not synced, you cannot create a user in AD that is<br>
   synced to Fedora DS and Linux machine login "just works" with no<br>   additional work?<br><br>       It is possible to get this working, however, through a series<br>       of manual steps. So what is the intended purpose for Windows<br>
       Sync, if I might ask, as it seems a lot simpler just to manage<br>       everything directly from DS without syncing with AD?<br><br>   I think most people use it to sync passwords, so that you can have<br>   the same password on AD as Unix/Linux, and when you change the<br>
   password on one side, that change is synced to the other side.<br><br>         Regards,<br>       Kenneth Holter<br><br>        On 11/6/08, *Rich Megginson* <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:<br><br>          Erling Ringen Elvsrud wrote:<br><br>
              On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson<br>              <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:<br>
</span>
<div><span class="e" id="q_11d871eb39d7adfc_5">
              [...]<br>                  That should work.  But note that posix attributes will not sync to AD.  And<br>                  even if you did manage to find a posix schema that worked with AD, and added<br>                  the posix schema on the AD side, those attributes would not be synced to<br>                  Fedora DS.<br><br>
              Thanks for your answer.<br><br>              I start to wonder if Windows sync is worth the trouble.  At my site we<br>              will probably not implement password sync as the AD-side is very<br>              restrictive about installing anything.<br><br>
          I hear this all the time - AD admins are very touchy about<br>          installing anything, especially some piece of random open source<br>          software that's going to intercept clear text passwords and send<br>          them who-knows-where<br><br>
              So what I get is basically a<br>              skeleton that I have to populate with the posixUser attributes.<br><br>              Another issue is groups in AD. I suppose those groups will become<br>              regular unix-groups on the directory server side,<br><br>
          Yes.  But note - not posix groups (posixGroup) but plain groups<br>          (groupOfUniqueNames)<br><br>
              which might not<br>              be enough for all policing needs (may need netgroups in addition).<br><br>
          Sure.<br><br>
              We will probably have maximum a few hundred users in the directory, do<br>              you think Windows-sync is worth the bother?<br><br>
          I suggest you take a look at Penrose<br>          <a href="http://docs.safehaus.org/display/PENROSE/Home">http://docs.safehaus.org/display/PENROSE/Home</a><br>
<br>              Erling<br><br>              --<br>              Fedora-directory-users mailing list<br>              <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br>
              <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br></span></div>
</blockquote>
</blockquote></div><br>
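<p>Kenneth's cron-plus-ldapmodify idea at the top of this message, together with Rich's note that synced groups arrive as plain groupOfUniqueNames rather than posixGroup, as an added Python example that is not code from the thread or from Fedora DS: it parses what ldapsearch prints for the synced subtrees and emits the ldapmodify change records that add posixAccount to users and posixGroup to groups that still lack them. The subtree names, uidNumber/gidNumber floors, home directory base, login shell, and the hostname in the comment are assumptions; the sample search output is constructed.</p>

```python
"""Added example (not Fedora DS code, nor the posters' own): turn ldapsearch output into
ldapmodify input that adds the posixAccount/posixGroup attributes Windows Sync leaves out."""
import base64
import re

UID_FLOOR = 10000    # assumed policy: new uidNumbers start above this, clear of local system accounts
GID_FLOOR = 10000    # assumed: gid of the synced users' primary group; new group gids go above it
HOME_BASE, LOGIN_SHELL = "/home", "/bin/bash"
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")   # names the clients' NSS/PAM stack will accept


def parse_ldif(text):
    """Parse ldapsearch LDIF into [{'dn': str, 'attrs': {attr_lowercased: [values]}}]."""
    entries, cur = [], None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # join wrapped lines; "" flushes last entry
        if not line or line.startswith("#"):
            if cur:
                entries.append(cur)
            cur = None
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):              # "attr:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        else:
            val = val.strip()
        if key.lower() == "dn":
            cur = {"dn": val, "attrs": {}}
        elif cur is not None:
            cur["attrs"].setdefault(key.lower(), []).append(val)
    return entries


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry["attrs"].get("objectclass", []))


def highest(entries, attr, floor):
    # Highest number already in use: new numbers go above it so none is duplicated or reused
    return max([int(v) for e in entries for v in e["attrs"].get(attr, [])] + [floor])


def build_posix_ldif(entries):
    """Return (ldif_text, allocations, skipped). Entries that already carry the POSIX object
    class are left untouched, so running this repeatedly from cron is idempotent."""
    next_uid = highest(entries, "uidnumber", UID_FLOOR) + 1
    next_gid = highest(entries, "gidnumber", GID_FLOOR) + 1
    out, allocations, skipped = [], {}, []
    for e in entries:
        a = e["attrs"]
        if "uid" in a and not has_class(e, "posixAccount"):
            uid = a["uid"][0]
            if not SAFE_NAME.fullmatch(uid):   # a name the OS would mishandle: leave it for a human
                skipped.append(uid)
                continue
            out += [f"dn: {e['dn']}", "changetype: modify",
                    "add: objectClass", "objectClass: posixAccount", "-",
                    "add: uidNumber", f"uidNumber: {next_uid}", "-",
                    "add: gidNumber", f"gidNumber: {GID_FLOOR}", "-",
                    "add: homeDirectory", f"homeDirectory: {HOME_BASE}/{uid}", "-",
                    "add: loginShell", f"loginShell: {LOGIN_SHELL}", "-", ""]
            allocations[uid] = next_uid
            next_uid += 1
        elif has_class(e, "groupOfUniqueNames") and not has_class(e, "posixGroup"):
            # memberUid values come from the uid= RDN of each uniqueMember DN
            members = [m.group(1) for dn in a.get("uniquemember", [])
                       if (m := re.match(r"uid=([^,]+)", dn, re.I))]
            out += [f"dn: {e['dn']}", "changetype: modify",
                    "add: objectClass", "objectClass: posixGroup", "-",
                    "add: gidNumber", f"gidNumber: {next_gid}", "-"]
            if members:
                out += ["add: memberUid"] + [f"memberUid: {m}" for m in members] + ["-"]
            out.append("")
            allocations[a.get("cn", [e["dn"]])[0]] = next_gid
            next_gid += 1
    return "\n".join(out), allocations, skipped


# Constructed sample of what ldapsearch might print for the synced subtrees
SAMPLE_SEARCH = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
uidNumber: 10001
gidNumber: 10000

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn:: QW5uYSBTbWl0aA==

dn: uid=bad name,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bad name

dn: cn=linux-admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: linux-admins
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
uniqueMember: uid=asmith,ou=People,dc=example,
 dc=com
"""

if __name__ == "__main__":
    ldif, allocations, skipped = build_posix_ldif(parse_ldif(SAMPLE_SEARCH))
    print(ldif)   # pipe into: ldapmodify -x -H ldap://ds.example.com -D "cn=Directory Manager" -W
    print("allocated:", allocations, "needs manual review:", skipped)
```

<p>Points a practitioner would check before putting this in cron: run it under a lock (for example <code>flock</code>) so two overlapping runs cannot hand out the same uidNumber from the same snapshot; have the ldapsearch step ask only for entries without posixAccount so the job stays cheap and idempotent; never lower the floors or hand out a number that once belonged to a deleted user, since files on the Linux hosts still carry the old owner; and confirm that your DS schema accepts posixGroup alongside groupOfUniqueNames before relying on the group branch. Anything the script reports as skipped needs a human decision rather than a silent default.</p>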