[Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?

Rich Megginson rmeggins at redhat.com
Mon Nov 10 15:56:25 UTC 2008


Kenneth Holter wrote:
> Thank you for your reply.
>  
> Yes you understood me correctly - I meant it doesn't seem like Windows 
> Sync is intended for Linux machine login (via SSH to be precise) to 
> "just work" with no additional work. I'm sorry that I wasn't too clear 
> on this.
>  
> Is it so that one usually has an AD/DS setup like this:
>
>     * users/passwords are synced from AD to DS
>     * the new users are exported to ldif file, added things such as
>       posix attributes, and reimported into DS
>     * users can now log into linux servers (via SSH) that are properly
>       configured as LDAP clients
>
> ? Just trying to get an understanding of how one usually sets up AD and 
> DS to work together.
I think that's how it usually goes.  Perhaps some other folks that are 
doing this will chime in.

freeIPA will soon have support for automatic creation of AD user 
accounts in IPA, including all of the posix and kerberos attributes 
needed for OS login.  See freeipa.org
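The "export the synced users to LDIF, add posix attributes, reimport" step from the list above, as an added example that is not code from this thread or from Fedora DS: it reads a small LDIF of users as Windows Sync leaves them in DS and emits the `ldapmodify` change records that make them posixAccounts. The sample entries, the uidNumber range starting at 20000, gidNumber 100 and `/bin/bash` are all constructed assumptions for the demonstration.

```python
import base64
# Constructed sample: two users as Windows Sync creates them in DS (no posix
# attributes) and one that was already given posix attributes by hand.
SYNCED_LDIF = """\
dn: uid=kholter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kholter
cn: Kenneth Holter

dn: uid=erling,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: erling
cn:: RXJsaW5nIFJpbmdlbiBFbHZzcnVk

dn: uid=admin1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 10000
"""

def parse_ldif(text):
    # Minimal LDIF reader: "\n " unfolds continuation lines, "::" marks base64 values
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name, []).append(value.strip())
        entries.append(entry)
    return entries

def add_posix_attributes(entries, uid_base=20000, gid=100, shell="/bin/bash"):
    # Emit 'changetype: modify' LDIF turning each synced user into a posixAccount,
    # skipping entries that already are one and never reusing an existing uidNumber.
    used = {int(e["uidNumber"][0]) for e in entries if "uidNumber" in e}
    next_uid, records = uid_base, []
    for e in entries:
        if "posixAccount" in e.get("objectClass", []):
            continue
        while next_uid in used:                # keep uidNumber unique within DS
            next_uid += 1
        uid = e["uid"][0]
        adds = {"objectClass": "posixAccount", "uidNumber": next_uid, "gidNumber": gid,
                "homeDirectory": f"/home/{uid}", "loginShell": shell}
        mods = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in adds.items())
        records.append(f"dn: {e['dn'][0]}\nchangetype: modify\n{mods}\n")
        used.add(next_uid)
    return "\n".join(records)
```

Feed the returned text to `ldapmodify` against the DS instance; users already converted by hand are left untouched and their uidNumbers are never reallocated.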
>  
>
>  
> On 11/7/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
>     Kenneth Holter wrote:
>
>          I'm not very into fedora/redhat directory server (DS), but
>         thought I'd just drop a quick question: It doesn't seem like
>         Windows Sync is intended for syncing AD users to DS so that
>         users defined on AD can be allowed to log into Linux machines.
>
>     I'm not sure what you mean by that.  Do you mean because the posix
>     attributes are not synced, you cannot create a user in AD that is
>     synced to Fedora DS and Linux machine login "just works" with no
>     additional work?
>
>         It is possible to get this working, however, through a series
>         of manual steps. So what is the intended purpose for Windows
>         Sync, if I might ask, as it seems a lot simpler just to manage
>         everything directly from DS without syncing with AD?
>
>     I think most people use it to sync passwords, so that you can have
>     the same password on AD as Unix/Linux, and when you change the
>     password on one side, that change is synced to the other side.
>
>           Regards,
>         Kenneth Holter
>
>          On 11/6/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
>            Erling Ringen Elvsrud wrote:
>
>                On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
>                <rmeggins at redhat.com> wrote:
>                [...]
>                
>                    That should work.  But note that posix attributes
>                    will not sync to AD.  And even if you did manage to
>                    find a posix schema that worked with AD, and added
>                    the posix schema on the AD side, those attributes would
>                    not be synced to Fedora DS.
>
>
>                Thanks for your answer.
>
>                I start to wonder if Windows sync is worth the trouble.
>                At my site we will probably not implement password sync
>                as the AD-side is very restrictive about installing anything.
>
>            I hear this all the time - AD admins are very touchy about
>            installing anything, especially some piece of random open
>            source software that's going to intercept clear text passwords
>            and send them who-knows-where
>
>                So what I get is basically a skeleton that I have to
>                populate with the posixUser attributes.
>
>                Another issue is groups in AD. I suppose those groups
>                will become regular unix-groups on the directory server side,
>
>            Yes.  But note - not posix groups (posixGroup) but plain groups
>            (groupOfUniqueNames)
>
>                which might not be enough for all policing needs (may need
>                netgroups in addition).
>
>            Sure.
>
>                We will probably have maximum a few hundred users in the
>                directory, do you think Windows-sync is worth the bother?
>
>            I suggest you take a look at Penrose
>            http://docs.safehaus.org/display/PENROSE/Home
>
>                Erling
>
>                --
>                Fedora-directory-users mailing list
>                Fedora-directory-users at redhat.com
>                https://www.redhat.com/mailman/listinfo/fedora-directory-users