[389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?

Rich Megginson rmeggins at redhat.com
Mon Jan 4 17:35:13 UTC 2010


Ajeet S Raina wrote:
> Hello Kenneho,
>  
> Thanks for the wonderful explanation. It did help me to come up with 
> something more informative.
> I was going through Windows Sync and want to know about these points:
>  
> 1.What all changes has to be done on Active Directory Server? Just to 
> check risk and feasibility factor.
You have to install and configure the 389-PassSync .msi for your 
platform according to the documentation
> 2. Say I follow the Red Hat Directory Server Guide. Does our 389 contain 
> every little thing which RHDS has? Please clarify.
> What differences do these servers have?
Nothing substantial in this area
> 3. Can I follow the complete RHDS docs to set up my Fedora DS to work 
> with ADS?
Yes.
> What section may be missing?
Just be sure to use "389" instead of "Red Hat" where program folders 
etc. are mentioned
> 4. What are the overall steps (just in points) to set up Fedora DS sync 
> with ADS, with a few ADS users synced to have permission to access the 
> Linux machine?
>  
> I have got 2 links:
> 1. Restrictively allowing only ISST sysadmins on Fedora 
> DS (synchronized with ADS) to access certain resources (Linux 
> machine): http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
>  
> and,
>  
>  
> 2. Check ADS <=> Fedora DS synchronization for user creation/deletion:
> http://www.redhat.com/docs/manuals/d...dows_Sync.html
>
>  
> Do you think they are enough for me to set up as per my requirements?
>  
> Please comment.
> Do help me with detailed docs if you have any so that I can help myself 
> with the setup.
>  
> With Regards,
> Ajeet
> On Mon, Jan 4, 2010 at 7:10 PM, Kenneth Holter <kenneho.ndu at gmail.com> wrote:
>
>     Well, I don't have any documentation on the posix/netgroup type of
>     scripts. But I can try to outline our approach:
>      
>     In the AD LDAP tree, we have created an organizational unit (OU)
>     named "linux" (or something like that). Under this OU we have two
>     OUs, named "users" and "groups". Under these OU's we've moved all
>     users and groups that are to be synced over to our Red Hat
>     Directory Server (RHDS, which is basically the same as FDS).
>      
>     On the RHDS, we've done this: Using the Windows Sync
>     (http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html)
>     plugin, we've defined that all entries under the "linux" OU on AD
>     should be synced over to RHDS. Windows Sync basically copies those
>     entries from AD.
>     In addition, we have a few scripts running on the RHDS server. One
>     script adds posix attributes to users that have been synced over
>     from AD to RHDS. Another script populates NIS netgroups based on
>     AD groups. Let me explain: Say we have an AD group called
>     "linux-admins", and that it's placed under the "groups" OU (as
>     explained above) and is thus synced over to the RHDS. On the RHDS
>     side, we have a similar NIS netgroup called for example
>     "netgroup-linux-admins". Our script reads the
>     "linux-admins" membership info, and makes sure that the
>     "netgroup-linux-admins" is updated with the same membership info.
>     This way we can rely on the AD admins to manage group memberships
>     on the RHDS side.
>     The NIS netgroup information can then be used for defining which
>     groups of users can access which groups of servers (note that
>     we're going to put server names into netgroups too), by configuring
>     PAM to allow access based on netgroup membership. For example, we
>     can define that users that are members of "netgroup-linux-admins"
>     will have access to all servers. Furthermore, we can use the same
>     netgroups to define sudo privileges for groups of users. For the
>     "netgroup-linux-admins", they will typically be given full sudo
>     access on all servers.
>      
>     I hope this made some sense. Let me know if you want me to
>     elaborate on some of the points.
>      
>     Btw, the most relevant info I've found on setting this thing up is
>     the RHDS manuals (http://www.redhat.com/docs/manuals/dir-server/),
>     and the 389 web site.
>      
>     - Kenneth
>      
>
>      
>     On Mon, Jan 4, 2010 at 12:40 PM, Ajeet S Raina
>     <ajeetraina at gmail.com> wrote:
>
>         Hello Kenneho,
>          
>         Thanks for the quick response. I appreciate your helpful words
>         on these queries.
>         I would be thankful if you can provide me with the tutorials or
>         documents or links which you followed for the same setup.
>          
>         May I know what should be approach for syncing ADS to Fedora DS?
>         Any step by step approach for the sa
>
>         On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter
>         <kenneho.ndu at gmail.com> wrote:
>
>             Hi.
>              
>              
>             We're currently working on a similar setup.
>              
>             Regarding your first question: Using the Windows Sync
>             plugin on the FDS you sync specific users from AD over to
>             FDS. Just move your sysadmin users to an LDAP organization
>             unit (OU), and sync that over to FDS. Next, you'll need to
>             add posix attributes (user ID, group ID, home directory,
>             etc) to these users on the FDS side. You can create simple
>             scripts for doing this. In our setup, we're going to use
>             groups defined on the AD side as basis for NIS netgroups
>             on linux, so that we can control access to and sudo
>             privileges on linux servers based on these groups. This
>             adds to the complexity, but lets us manage users and
>             access from the AD side.
>              
>             When you delete a user on the AD side, it will get deleted
>             on the FDS side too.
>              
>              
>             Regards,
>             Kenneth Holter
>
>              
>             On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina
>             <ajeetraina at gmail.com> wrote:
>
>
>                 I have a certain query regarding the following structure:
>                 Code:
>
>                     Active Directory Server
>                     ||
>                     ||
>                     Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
>
>                 Let me explain you what I want:
>
>                 1. There is a company Active Directory Server under the
>                 domain intinfra.com. As of now there are limited
>                 Windows desktop machines under that domain. I have a
>                 few Linux / Unix machines which I want to authenticate
>                 through ADS (which are presently not under ADS). Why?
>                 Because every time I need to delete the users whenever
>                 they leave the project. That's cumbersome.
>
>                 So what I want is to set up Fedora DS (wonder if we can
>                 do that without Fedora DS). Now I can ADS-join Fedora
>                 DS (I have administrative privileges for ADS). What I
>                 really want to know is:
>
>                 If I join Fedora DS to ADS then all employees can log in
>                 to the Linux machine through their login credentials.
>                 I don't want that to happen. We have 3000 employees in
>                 the intinfra domain but we are only 30 admins. I only
>                 want those 30-40 admins to log in, restrictively. Is it
>                 possible to restrict at the Fedora DS level?
>
>                 2. Say I joined ADS and Fedora DS, and say after 30
>                 days one of the system admins left the company. So his
>                 name will be removed from ADS. Is it possible that ADS
>                 and Fedora DS are synchronized in such a way that a user
>                 whose name gets deleted in ADS gets deleted from Fedora
>                 DS too? Does Fedora DS have the capability to synchronize
>                 with ADS every time?
>
>                 Please suggest.
>
>
>
>
>                 --
>                 389 users mailing list
>                 389-users at redhat.com <mailto:389-users at redhat.com>
>                 https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
>
>
>
>
>         -- 
>
>
>         ”It is not possible to rescue everyone who is caught in the
>         Windows quicksand
>                   --Make sure you are on solid Linux ground before
>         trying.”
>
>
>
>
>
>
>
>




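Kenneth describes two post-sync scripts he runs on the RHDS side (adding posix attributes to synced users, and mirroring a synced AD group into a NIS netgroup that PAM and sudo then key on) but posts no code. The following is an added example of that pattern; it is not from the thread and not 389 DS, RHDS or PassSync project code. The suffix dc=example,dc=com, the OU names, the uid range, the primary gid, the "netgroup-" prefix and the assumption that synced groups carry member or uniqueMember DNs are all hypothetical. The pure functions are usable offline on constructed sample entries; apply_to_directory() is the live path with python-ldap.

```python
"""Added example (not from the 389-users thread, nor 389 DS/RHDS code):
post-process entries Windows Sync has copied from AD into 389 DS.
ASSUMPTIONS: suffix, OU names, uid range, primary gid, 'netgroup-' prefix,
and that synced groups list members in 'member' or 'uniqueMember'."""
import re

BASE = "dc=example,dc=com"                     # ASSUMPTION: directory suffix
USERS_BASE = f"ou=users,ou=linux,{BASE}"       # ASSUMPTION: synced users land here
GROUPS_BASE = f"ou=groups,ou=linux,{BASE}"     # ASSUMPTION: synced groups land here
NETGROUP_BASE = f"ou=netgroup,{BASE}"          # ASSUMPTION: where nisNetgroups live
UID_MIN, UID_MAX = 20000, 29999                # ASSUMPTION: range reserved for synced accounts
PRIMARY_GID = 20000                            # ASSUMPTION: one shared posixGroup for synced users
SAFE_UID = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")  # reject names NSS/PAM would not accept


def posix_attrs(entry, used_uidnumbers):
    """Attributes to ADD so a synced user becomes a posixAccount, or {} if it
    already is one.  'entry' is a str-valued attribute dict (python-ldap's
    search_s() output after decoding).  Allocates the lowest free uidNumber and
    records it in used_uidnumbers so two users in one run cannot collide."""
    if "posixaccount" in {c.lower() for c in entry.get("objectClass", [])}:
        return {}
    uid = entry["uid"][0]
    if not SAFE_UID.match(uid):
        raise ValueError(f"refusing to create a Unix account for uid {uid!r}")
    n = UID_MIN
    while n in used_uidnumbers:
        n += 1
    if n > UID_MAX:
        raise RuntimeError("uidNumber range exhausted; widen UID_MIN..UID_MAX")
    used_uidnumbers.add(n)
    return {"objectClass": ["posixAccount"], "uidNumber": [str(n)],
            "gidNumber": [str(PRIMARY_GID)], "homeDirectory": [f"/home/{uid}"],
            "loginShell": ["/bin/bash"]}


def netgroup_for_group(group_entry, users_by_dn):
    """Map a synced AD group to (netgroup cn, desired nisNetgroupTriple set,
    dangling member DNs).  A member DN that no longer resolves to a synced user
    (deleted in AD, hence removed from DS by Windows Sync) yields no triple, so
    a departed admin falls out of the netgroup instead of lingering."""
    cn = group_entry["cn"][0]
    members = group_entry.get("member", []) + group_entry.get("uniqueMember", [])
    triples, dangling = set(), []
    for dn in members:
        user = users_by_dn.get(dn.lower())
        if user is None:
            dangling.append(dn)
            continue
        triples.add(f"(,{user['uid'][0]},)")   # (host,user,domain): any host, this user
    return f"netgroup-{cn}", triples, dangling


def netgroup_changes(existing_triples, desired_triples):
    """(to_add, to_delete): a cron run that changes nothing writes nothing."""
    existing, desired = set(existing_triples), set(desired_triples)
    return sorted(desired - existing), sorted(existing - desired)


def apply_to_directory(uri, bind_dn, password):
    """Live run with python-ldap (imported here so the functions above stay
    importable offline).  Bind as an account limited to the linux OUs."""
    import ldap  # python-ldap
    enc = lambda vals: [v.encode() for v in vals]
    dec = lambda attrs: {k: [v.decode() for v in vs] for k, vs in attrs.items()}
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, password)
    users = {dn.lower(): (dn, dec(a))
             for dn, a in conn.search_s(USERS_BASE, ldap.SCOPE_SUBTREE, "(uid=*)")}
    used = {int(a["uidNumber"][0]) for _, a in users.values() if "uidNumber" in a}
    for dn, attrs in users.values():
        adds = posix_attrs(attrs, used)
        if adds:
            conn.modify_s(dn, [(ldap.MOD_ADD, k, enc(v)) for k, v in adds.items()])
    by_dn = {k: a for k, (_, a) in users.items()}
    flt = "(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))"
    for _, g in conn.search_s(GROUPS_BASE, ldap.SCOPE_SUBTREE, flt):
        name, desired, dangling = netgroup_for_group(dec(g), by_dn)
        for dn in dangling:
            print(f"warning: {name}: member {dn} not found among synced users")
        ng_dn = f"cn={name},{NETGROUP_BASE}"
        try:
            existing = dec(conn.search_s(ng_dn, ldap.SCOPE_BASE)[0][1]).get("nisNetgroupTriple", [])
        except ldap.NO_SUCH_OBJECT:
            addlist = [("objectClass", [b"top", b"nisNetgroup"]), ("cn", enc([name]))]
            if desired:
                addlist.append(("nisNetgroupTriple", enc(sorted(desired))))
            conn.add_s(ng_dn, addlist)
            continue
        add, delete = netgroup_changes(existing, desired)
        mods = [(ldap.MOD_ADD, "nisNetgroupTriple", enc(add))] if add else []
        mods += [(ldap.MOD_DELETE, "nisNetgroupTriple", enc(delete))] if delete else []
        if mods:
            conn.modify_s(ng_dn, mods)


# Constructed sample shaped like decoded search_s() output (not real data).
SAMPLE_USERS = {
    f"uid=alice,{USERS_BASE}".lower(): {"objectClass": ["top", "inetOrgPerson", "ntUser"], "uid": ["alice"]},
    f"uid=bob,{USERS_BASE}".lower(): {"objectClass": ["top", "inetOrgPerson", "ntUser", "posixAccount"],
                                      "uid": ["bob"], "uidNumber": ["20000"]},
}
SAMPLE_GROUP = {"cn": ["linux-admins"],
                "member": [f"uid=alice,{USERS_BASE}", f"uid=bob,{USERS_BASE}", f"uid=carol,{USERS_BASE}"]}


def demo():
    """Offline walk-through: alice gets posix attributes, bob already has them,
    carol was deleted in AD so her DN dangles and she leaves the netgroup."""
    used = {int(u["uidNumber"][0]) for u in SAMPLE_USERS.values() if "uidNumber" in u}
    adds = {u["uid"][0]: posix_attrs(u, used) for u in SAMPLE_USERS.values()}
    name, desired, dangling = netgroup_for_group(SAMPLE_GROUP, SAMPLE_USERS)
    return adds, name, desired, dangling, netgroup_changes(["(,bob,)", "(,dave,)"], desired)


if __name__ == "__main__":
    print(demo())
```

Once the netgroups exist, the Linux side consumes them through NSS (a `netgroup: ldap` or `netgroup: sss` line in nsswitch.conf) and the gate is in /etc/security/access.conf, e.g. `+ : @netgroup-linux-admins : ALL` followed by `- : ALL : ALL`, with `pam_access.so` in the account stack; sudoers takes the same name as `+netgroup-linux-admins ALL=(ALL) ALL`. Run the script from a single scheduler (cron on one DS host) so uidNumber allocation cannot race, and since Windows Sync deletes the DS entry when the AD user is deleted, the next run drops that user's triple and the PAM rule stops matching without anyone touching the Linux hosts.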