<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <p>Ok,</p> <p><br> </p> <p>So with winsync I will have the 2000+ users in IPA.</p> <p><br> </p> <p>Within IPA I have several high risk/impact groups of servers and many low.</p> <p><br> </p> <p>For the low risk/impact servers and most desktops they can trust what AD tells them. For the high risk/impact servers/applications we do not want to reply on AD for any authorisation so permissions for these will be isolated from AD inside IPA. The idea is if we lose AD or IPA we should not lose both via any cross-linking.<br> </p> <p><br> </p> <div id="Signature"> <div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0"> <div style="font-family:Tahoma; font-size:13px"> <div style="font-family:Tahoma; font-size:13px"> <div style="font-family:Tahoma; font-size:13px"> <p>regards</p> <p>Steven<br> </p> </div> </div> </div> </div> </div> <div style="color: rgb(33, 33, 33);"> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> freeipa-users-bounces@redhat.com <freeipa-users-bounces@redhat.com> on behalf of Dmitri Pal <dpal@redhat.com><br> <b>Sent:</b> Wednesday, 18 February 2015 11:51 a.m.<br> <b>To:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] question about Active Directory authentication</font> <div> </div> </div> <div> <div class="moz-cite-prefix">On 02/17/2015 05:21 PM, Steven Jones wrote:<br> </div> <blockquote type="cite"><style type="text/css" style="">  </style> <div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> <p style="margin-top: 0px; margin-bottom: 0px;"><br> </p> <div style="color:rgb(33,33,33)"> <div> <blockquote type="cite"> <div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> <p style="margin-top: 0px; margin-bottom: 0px;"><br> </p> <p style="margin-top: 0px; margin-bottom: 0px;">***maybe***</p> <p style="margin-top: 0px; margin-bottom: 0px;"><br> </p> <p style="margin-top: 0px; margin-bottom: 0px;">c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.<br> </p> </div> </blockquote> <br> I am not sure this is the best solution really.<br> Trust and sync do not help each other. The fact that you have trust does not help you to provision users the way you describe.<br> <br> <blockquote type="cite"> <div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> </div> </blockquote> 8><------<br> <br> They achieve different things. How otherwise do I get 2000+ AD users into IPA? To me winsync allows automated provisioning of users into IPA via AD, this greatly reduces manual effort. <br> </div> </div> </div> </blockquote> <br> That I get. I do not understand how trust helps you in this case.<br> <br> <blockquote type="cite"> <div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> <div style="color:rgb(33,33,33)"> <div><br> <br> <br> </div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </div> </div> </div> </body> </html>