[Freeipa-interest] AD and freeIPA synch

Karl Wirth kwirth at redhat.com
Fri Jun 6 19:32:29 UTC 2008


Hello,

Many organizations have given feedback that they want to make sure that
freeIPA can synch with AD.  We want to provide more than what is
available in the winsynch that is in fedora directory server.  Here are
my thoughts on what the features should be in this area.  I would love
your feedback.  Does this sound right?  What is missing?  Longer term, we
hope to enable kerberos trust between AD and IPA but even then some
folks will want synch as well.  Thoughts?

AD and freeIPA synch requirements --- proposal for your review and feedback

1. Keep password in AD same as PW in IPA
- If changed in AD, bring change over to IPA
- If changed in IPA, bring change over to AD

2. Synch userid and attributes
- Configurable which attributes
- If full posix available then make this available
- Configurable translation between attributes (i.e., transform data, such
as middle name length or whatever)
- Configurable mapping between attribute names
- Generate attributes if not present in AD with flexible rules for doing
this and vice versa

3. Which subsets of users to keep in synch
- Make it possible to define which AD/IPA users should be kept in synch

4. Topology
- Password synch is only supported with 1 AD domain.  Not multiple.
- Identity/attribute synch is supported across multiple domains.
  -- If the same user is in multiple domains, there is a problem: not
     supported
  -- If the same userid is in different domains but is a different user,
     resolve
- Need to support PW change on any IPA server
- Need to support PW change on an AD server

5. Failover
- Support for failover AD DC
- Support for failover IPA

6. Install and Packaging
- Separate install of synch tool
- Preconfigured synch tool that is easy to point to IPA and AD
- Predefined
- Requires PassSync on domain controllers
- Proposal 1: Requires password to only change on AD.  Probably not ok.
- Proposal 2: Make changes to IPA to hand PW to AD

7. Groups.
Allow four options that an administrator can choose between:
- One option: Synchronize all users from AD into one IPA group
- Second option: Synchronize all users according to filter defined in #3
above and bring along all of their groups and keep their memberships in
them.
- Third option:  No group synch at all
- Fourth option:  No support for nested groups

Best regards,
Karl
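The attribute mapping, transformation, generation, user filtering and group options sketched in items 2, 3 and 7 of the proposal, worked through as an added illustrative example. This is not FreeIPA, winsync or PassSync code; the AD entries are constructed sample data, the IPA-side attribute names and the uidNumber range are assumptions, and the "resolve" behaviour for clashing userids is not modelled.

```python
"""Illustrative AD -> IPA user synch mapper (added example, not FreeIPA code).

Models items 2, 3 and 7 of the proposal: a configurable attribute-name
mapping with optional per-attribute transforms, generation of attributes
that AD does not carry (POSIX fields, cn, Kerberos principal), a filter
selecting which AD users are kept in synch, and three group options.
"""
from typing import Callable, Optional

# Constructed AD-style entries (hypothetical users, not real data).
AD_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "middleName": "Alexandrina", "mail": "jdoe@example.test",
     "memberOf": ["CN=eng,OU=groups,DC=example,DC=test",
                  "CN=vpn,OU=groups,DC=example,DC=test"],
     "userAccountControl": 512},
    {"sAMAccountName": "svc-backup", "givenName": "Backup", "sn": "Service",
     "memberOf": [], "userAccountControl": 514},   # 0x2 bit = ACCOUNTDISABLE
    {"sAMAccountName": "rroe", "givenName": "Rob", "sn": "Roe",
     "uidNumber": 10500, "gidNumber": 10500,        # full POSIX already in AD
     "memberOf": ["CN=eng,OU=groups,DC=example,DC=test"],
     "userAccountControl": 512},
]

IPA_REALM = "EXAMPLE.TEST"   # assumed realm name
UID_RANGE_START = 20000      # assumed range for generated uidNumbers

# Item 2: (AD attribute, IPA attribute, optional transform). The middleName
# entry shows a length transform: keep only the first character as initials.
ATTR_MAP: list[tuple[str, str, Optional[Callable[[str], str]]]] = [
    ("sAMAccountName", "uid", None),
    ("givenName", "givenName", None),
    ("sn", "sn", None),
    ("mail", "mail", None),
    ("middleName", "initials", lambda v: v[:1]),
    ("uidNumber", "uidNumber", None),
    ("gidNumber", "gidNumber", None),
]


class UidAllocator:
    """Hands out sequential uidNumbers when AD has no POSIX data."""
    def __init__(self, start: int) -> None:
        self.next_free = start

    def allocate(self) -> int:
        uid = self.next_free
        self.next_free += 1
        return uid


# Item 2: rules that fill in attributes missing after the mapping step.
# Order matters: gidNumber defaults to the (possibly generated) uidNumber.
GENERATORS: list[tuple[str, Callable[[dict, UidAllocator], object]]] = [
    ("cn", lambda ipa, _a: f"{ipa['givenName']} {ipa['sn']}"),
    ("uidNumber", lambda _ipa, alloc: alloc.allocate()),
    ("gidNumber", lambda ipa, _a: ipa["uidNumber"]),
    ("homeDirectory", lambda ipa, _a: f"/home/{ipa['uid']}"),
    ("loginShell", lambda _ipa, _a: "/bin/sh"),
    ("krbPrincipalName", lambda ipa, _a: f"{ipa['uid']}@{IPA_REALM}"),
]


def select_for_synch(ad: dict) -> bool:
    """Item 3: keep enabled, non-service accounts in synch."""
    disabled = bool(ad.get("userAccountControl", 0) & 0x2)
    return not disabled and not ad["sAMAccountName"].startswith("svc-")


def map_user(ad: dict, alloc: UidAllocator) -> dict:
    """Apply the attribute map and transforms, then generate what is missing."""
    ipa: dict = {}
    for ad_attr, ipa_attr, transform in ATTR_MAP:
        if ad_attr in ad:
            value = ad[ad_attr]
            ipa[ipa_attr] = transform(value) if transform else value
    for ipa_attr, generate in GENERATORS:
        if ipa_attr not in ipa:
            ipa[ipa_attr] = generate(ipa, alloc)
    return ipa


def synch_groups(pairs: list[tuple[dict, dict]], mode: str) -> dict[str, set[str]]:
    """Item 7: 'single' puts everyone in one IPA group, 'carry' copies direct
    AD memberships (nested groups are not followed), 'none' synchs no groups."""
    groups: dict[str, set[str]] = {}
    for ad, ipa in pairs:
        if mode == "single":
            groups.setdefault("ad_users", set()).add(ipa["uid"])
        elif mode == "carry":
            for dn in ad.get("memberOf", []):
                cn = dn.split(",")[0].split("=", 1)[1]   # CN=eng,... -> eng
                groups.setdefault(cn, set()).add(ipa["uid"])
    return groups


def run_synch(ad_users: list[dict], group_mode: str) -> tuple[list[dict], dict]:
    """Filter, map and group-synch one batch of AD entries."""
    alloc = UidAllocator(UID_RANGE_START)
    pairs = [(ad, map_user(ad, alloc)) for ad in ad_users if select_for_synch(ad)]
    return [ipa for _ad, ipa in pairs], synch_groups(pairs, group_mode)


if __name__ == "__main__":
    users, groups = run_synch(AD_USERS, "carry")
    for u in users:
        print(u)
    print(groups)
```

The disabled service account is dropped by the filter, jdoe gets generated POSIX attributes from the assumed range while rroe keeps the uidNumber AD already carried, and the group mode switch shows why the proposal's third option ("no group synch") is the cheapest to support and why nested groups need a separate decision.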