[Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Rob Crittenden
rcritten at redhat.com
Wed Feb 13 15:10:38 UTC 2013
Dag Wieers wrote:
> Hi,
>
> We are investigating whether IPA is an acceptable solution for our
> environment. One of the aspects that is not clear (from reading the
> documentation and testing it without AD) is whether the synchronization
> with AD can be limited to a subset.
>
>
> Since we would like to only synchronize certain user-accounts
> (conforming to a specific format) from AD unidirectionally, and we also
> want to manage functional/technical accounts on IPA, we need to make
> sure that we:
>
> - can filter the stuff we pull from AD

You can set the subtree to use, I'm not sure if you can supply a filter
to the winsync agreement. Rich?

> - can avoid the synchronisation to remove other accounts managed in IPA

I don't understand the question. You don't want the winsync agreement to
affect IPA-specific users? That works.

>
> Can someone confirm that this is possible ? Is there any in-depth
> information on how this AD synchronization works (preferably about RHEL6
> IPA) ?

Not beyond what is in the 389-ds-base and IPA documentation. There might
be some additional information on the 389-ds wiki.

>
> Also since we also require compatibility with Solaris, and roles (RBAC)
> is currently used on Solaris, does IPA support RBAC on Solaris ? (We
> noticed that RBAC mentioned in the IPA web interface only relates to IPA
> management).

No, IPA doesn't support RBAC on Solaris.

rob