<div> </div>
<div>Has anyone on the list set up such as scheme for adding posix attributes to users synced from AD, and would like to comment on this approach?</div>
<div> </div>
<div>I'm thinking that maybe running a cron job (for example a couple of times an hour) that searches for newly added users, then using "ldapmodify" to add the required posix attributes, may be the way to go. </div>
<div> </div>
<div> </div>
<div>Regards,</div>
<div>Kenneth<br><br> </div>
<div><span class="gmail_quote">On 11/10/08, <b class="gmail_sendername">Rich Megginson</b> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span class="q">Kenneth Holter wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Thank you for your reply.<br> Yes you understood me correctly - I ment it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.<br>
Is it so that one usually has a AD/DS setup like this:<br><br> * users/passwords are synced from AD to DS<br> * the new users are exported to ldif file, added things such as<br> <span class="st" id="st" name="st">posix</span> attributes, and reimported into DS<br>
* users can now log into linux servers (via SSH) that are properly<br> configured as LDAP clients<br><br>? Just trying to get an understanding of how one usualy set up AD and DS to work together.<br></blockquote></span>I think that's how it usually goes. Perhaps some other folks that are doing this will chime in.<br>
<br>freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the <span class="st" id="st" name="st">posix</span> and kerberos attributes needed for OS login. See <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://freeipa.org/" target="_blank">freeipa.org</a><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><span class="q"> <br> On 11/7/08, *Rich Megginson* <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>> wrote:<br>
<br> Kenneth Holter wrote:<br><br> I'm not very into fedora/redhat direcoty server (DS), but<br> thought I'd just drop a quick question: It doesn't seems like<br> Windows Sync is intended for syncing AD users to DS so that<br>
users defined on AD can be allowed to log into Linux machines.<br><br> I'm not sure what you mean by that. Do you mean because the <span class="st" id="st" name="st">posix</span><br> attributes are not synced, you cannot create a user in AD that is<br>
synced to Fedora DS and Linux machine login "just works" with no<br> additional work?<br><br> It is possible to get this working, however, through a series<br> of manual steps. So what is the intended purpose for Windows<br>
Sync, if I might ask, as it seems a lot simpler just to manage<br> everything directly from DS without syncing with AD?<br><br> I think most people use it to sync passwords, so that you can have<br> the same password on AD as Unix/Linux, and when you change the<br>
password on one side, that change is synced to the other side.<br><br> Regards,<br> Kenneth Holter<br><br> On 11/6/08, *Rich Megginson* <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a><br>
</span> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a><span class="q"><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>>> wrote:<br><br> Erling Ringen Elvsrud wrote:<br><br>
On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson<br> <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>><br>
</span>
<div><span class="e" id="q_11d871eb39d7adfc_5"> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>>> wrote:<br>
[...]<br> That should work. But note that posix attributes<br> will not<br> sync to AD. And<br> even if you did manage to find a posix schema that<br>
worked<br> with AD, and added<br> the posix schema on the AD side, those attributes would<br> not be synced to<br> Fedora DS.<br> <br>
Thanks for your answer.<br><br> I start to wonder if Windows sync is worth the trouble.<br> At my<br> site we<br> will probably not implement password sync as the<br>
AD-side is very<br> restrictive about installing anything.<br><br> I hear this all the time - AD admins are very touchy about<br> installing anything, especially some piece of random open<br>
source<br> software that's going to intercept clear text passwords and<br> send<br> them who-knows-where<br><br> So what I get is basically a<br> skeleton that I have to populate with the posixUser<br>
attributes.<br><br> Another issue is groups in AD. I suppose those groups<br> will become<br> regular unix-groups on the directory server side,<br><br> Yes. But note - not posix groups (posixGroup) but plain groups<br>
(groupOfUniqueNames)<br><br> which might not<br> be enough for all policing needs (may need netgroups in<br> addition).<br> Sure.<br><br> We will probably have maximum a few hundred users in the<br>
directory, do<br> you think Windows-sync is worth the bother?<br> I suggest you take a look at Penrose<br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://docs.safehaus.org/display/PENROSE/Home" target="_blank">http://docs.safehaus.org/display/PENROSE/Home</a><br>
<br> Erling<br><br> --<br> Fedora-directory-users mailing list<br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a>><br> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a>>><br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>
<br> --<br> Fedora-directory-users mailing list<br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a>><br> <mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a>>><br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>
<br><br> ------------------------------------------------------------------------<br><br> --<br> Fedora-directory-users mailing list<br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a>><br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>
<br><br> --<br> Fedora-directory-users mailing list<br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<mailto:<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a>><br> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>
<br><br>------------------------------------------------------------------------<br><br>--<br>Fedora-directory-users mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br> <br></span></div>
</blockquote>
<div><span class="e" id="q_11d871eb39d7adfc_7"><br>--<br>Fedora-directory-users mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com" target="_blank">Fedora-directory-users@redhat.com</a><br>
<a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br></span></div>
</blockquote></div><br>