[Freeipa-users] nisNet groups in AD

David Juran djuran at redhat.com
Tue Nov 22 13:45:12 UTC 2011


On Mon, 2011-11-21 at 11:55 -0500, Dmitri Pal wrote:
> On 11/21/2011 11:48 AM, David Juran wrote: 
> > Hello.
> > 
> > I have a customer who is using nisNetgroups in Microsoft Active
> > Directory to keep track of which users are allowed to access which
> > services. I've understood that IPA today does not sync this information
> > from AD; is this correct?
> > 
> > What about the future, once we can have trust towards an AD? Would that
> > allow us to use the nisNet groups in AD for HBAC and sudo?
> 
> Trusts would not help with netgroups. 
> I wonder if it is something that can be done via a client
> configuration.
> 
> But also why not move netgroups into IPA? Dumping the data into LDIF,
> creating a script to convert it to IPA internal netgroups format and
> loading it is not a huge effort.

That is certainly the approach I will recommend but I suspect part of
the problem is that the internal tool that the customer uses for the
approval process (i.e. the process where someone approves that user foo
should get added to group bar) knows how to communicate with AD but not
how to talk to IPA. But if it comes to this, I guess it would be
possible to do a regular sync, i.e. dump the LDIF from AD and import it
into IPA on a regular basis.

In any case, thank you for the answer.


-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801
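The migration path sketched in this thread (dump the AD netgroups as LDIF, convert them to IPA netgroups, load them) as an added example that is not part of the original messages: it parses RFC 2307 nisNetgroup entries (nisNetgroupTriple in the form "(host,user,domain)", memberNisNetgroup for nesting) and emits the corresponding ipa netgroup-add / netgroup-add-member commands. The LDIF is constructed, the description text is an assumption, and the triple's domain field is dropped because IPA has no per-member equivalent.

```python
import re
from collections import defaultdict
# Constructed sample of what an RFC 2307 netgroup dump from AD looks like (not customer data).
SAMPLE_LDIF = """\
dn: CN=webadmins,OU=Netgroups,DC=example,DC=com
objectClass: nisNetgroup
cn: webadmins
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (web01.example.com,,)
nisNetgroupTriple: (web02.example.com,bob,ex
 ample.com)
memberNisNetgroup: dbadmins

dn: CN=dbadmins,OU=Netgroups,DC=example,DC=com
objectClass: nisNetgroup
cn: dbadmins
nisNetgroupTriple: (db01.example.com,carol,)
"""
# A triple is "(host,user,domain)"; any field may be empty.
TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^,]*)\)$")

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; attribute names are lower-cased."""
    text = re.sub(r"\n ", "", text)           # unfold: "\n<space>" continues the previous line
    entries = []
    for block in re.split(r"\n\n+", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.lower()].append(value.strip())
        entries.append(dict(attrs))
    return entries

def netgroup_commands(entries):
    """Build ipa(1) commands; all netgroup-add lines come first so nested members exist."""
    creates, members = [], []
    for e in entries:
        if "nisnetgroup" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        name = e["cn"][0]
        creates.append(f"ipa netgroup-add {name} --desc='migrated from AD'")
        triples = [TRIPLE_RE.match(t) for t in e.get("nisnetgrouptriple", [])]
        if not all(triples):
            raise ValueError(f"{name}: malformed nisNetgroupTriple")
        users = [m["user"] for m in triples if m["user"]]  # the domain field has no IPA equivalent
        hosts = [m["host"] for m in triples if m["host"]]
        for flag, vals in (("users", users), ("hosts", hosts), ("netgroups", e.get("membernisnetgroup", []))):
            if vals:
                members.append(f"ipa netgroup-add-member {name} --{flag}={','.join(vals)}")
    return creates + members
```

Run the emitted commands with an admin Kerberos ticket on an IPA client; re-running the dump on a schedule, as David suggests, then becomes a matter of diffing the generated command list against the previous one.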