[Freeipa-users] Question on AD to freeipa sync

Steven Jones Steven.Jones at vuw.ac.nz
Mon Oct 3 20:51:44 UTC 2011


Hi,

Just how many Linux desktops and servers do you have? Sure, with say 5 or so Linux, and if you don't care about security, it's easy to AD, i.e. access but no authorisation... however I can't see any method to manage large quantities of Linux via AD without expensive add-on tools.

I have 200+ servers and 250 Linux desktops and growing... can't manage those with local access with 1.5 admins... you also can't manage them with AD unless you buy Centrify/Likewise or Quest software or similar, and that's very expensive and a pain in the ass.

Unless I've missed something?

Now looking at IPA, its management interface is simple, usable, yet very powerful... AD for Linux and it's brain-dead simple, and I have what's known as "useradmins": they add users, they are not IT capable...

So it takes us in excess of a day to add an admin to the servers, 5 mins in IPA... the time saving is substantial. We have disparate groups, so a single lookup for an AD group isn't going to do it.

"Just wondering why would anyone want to sync freeIPA and AD"

As per usual, people can't think of real-life situations where such things are necessary; well, it's known as life, it's sometimes complex and messy. I work in a predominantly Windows environment. So I have Windows architects, Windows security people, Windows-derived managers, Windows-derived directors and (mostly) Windows admins. They simply don't understand Linux/Unix, don't care, and would like it removed to make their life "simple" and cheaper. Also I manage 30% of our environment, and the most mission critical, on Linux and it rarely falls over. The clients love it, and I do it with 1.5 Linux staff v 9 Windows admins. Clients now ask for Linux servers from choice... I'm getting under Windows people's skin.

It makes my day.

;]

So I need to work in such a framework/constraint and have a workable and no-cost solution. My need to sync with AD is because we provision to AD, so if I can pull a lot of data across it means less resistance from the Windows-trained identity people, the security people and the managers. 'Tis simple: they will happily spend $50k on an AD review and $500k on an identity system that hasn't worked in 3 years but won't spend $5k on Linux LDAP... so I have to fight battles with little... makes winning sweeter...

:)



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Ondrej Valousek [ondrejv at s3group.cz]
Sent: Monday, 3 October 2011 9:03 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question on AD to freeipa sync

Just wondering why anyone would want to sync FreeIPA and AD - both can serve Linux systems fine, so if I already have AD, I no longer require IPA.
My 2 cents...

Ondrej

On 09/29/2011 10:35 PM, Steven Jones wrote:

Hi,

In the documentation it says that new accounts in AD are synced over to FreeIPA, so IPA sets the UID as it "arrives"?

What happens if the user is an existing one and has a UID they want to retain? Does that transfer over and get used?

Also, how do you set permissions and groups? Does the new user just go into a default group and then you log in to FreeIPA and set them up? Or can you put the GIDs into AD and have them transferred and the user put into the "right" groups automagically?

Looks like I can set this sort of thing "how I want" in the sync agreement?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
