[Freeipa-users] Question on AD to freeipa sync

Ondrej Valousek ondrejv at s3group.cz
Mon Oct 3 12:45:02 UTC 2011


Hi Simo, Stephen,

I agree that in larger organisations there might be a need to keep both systems separate. In our case (~300 users) AD works just fine - but it is true that apart from the identity & password management we require nothing else.
That said, I appreciate your hard work and support even for the scenario below.

I also hope that you won't dislike me if I continue to bombard you with questions/problems regarding Linux/Windows interoperability. :-)
Eventually, even Microsoft has its own bright moments - last time they surprised me when I contacted Microsoft support reporting that their LDAP servers (AD controllers) respond to connections via SASL/MD5 auth in a way which breaks the RFC (I could not get the Linux automounter to work with AD). They admitted the bug and unveiled a patch for it.

Ondrej

On 10/03/2011 02:07 PM, Simo Sorce wrote:
> Ondrej,
> it depends on your company structure, complexity and goals and
> flexibility.
>
> If you join your Linux machines to an AD directory then you are tied
> very strictly, administratively and functionally to that directory.
> Given Windows Administration and Linux Administration are very diverse
> skill sets, and very few admins are capable of doing both with maximum
> proficiency on both systems, we think that splitting your support
> organization between the Windows admins and Linux admins is a good thing.
>
> Each group can concentrate on its own tasks w/o too much interference
> and less need for coordinating.
> Also FreeIPA is targeted at serving Linux machines and has integrated
> HBAC, Sudo support and other goodies that are simply missing in the AD
> side as they are alien concepts in the Windows world.
>
> Of course small organizations where a single admin group controls both
> platforms may decide having just one directory is the way to go. You
> have the freedom to choose.
>
> Simo.
>
> On Mon, 2011-10-03 at 12:45 +0200, Ondrej Valousek wrote:
>> Well, I think these advantages won't outweigh the extra complexity of
>> having two systems for the same thing.
>> But it is up to everyone's decision...
>>
>> Ondrej
>>
>>> - the error messages of an AD might be strange to deal with for
>>> unix/linux admins
>>>
>>> - While I expect Microsoft to test AD patches with Windows clients
>>> I do not expect them to test linux/unix clients.  Resulting in the
>>> possibility that patches of the AD break the communication to linux/unix
>>> clients.
>>>
>>> - Having important infrastructure like identification/directory services
>>> running on OpenSource software is a good thing, apply all the OpenSource
>>> advantages here like being able to audit the code etc.
>>>
>>>
>>> Christian

