[Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Rich Megginson
rmeggins at redhat.com
Wed Feb 13 15:24:04 UTC 2013
On 02/13/2013 08:10 AM, Rob Crittenden wrote:
> Dag Wieers wrote:
>> Hi,
>>
>> We are investigating whether IPA is an acceptable solution for our
>> environment. One of the aspects that is not clear (from reading the
>> documentation and testing it without AD) is whether the synchronization
>> with AD can be limited to a subset.
>>
>>
>> Since we would like to only synchronize certain user-accounts
>> (conforming to a specific format) from AD unidirectionally, and we also
>> want to manage functional/technical accounts on IPA, we need to make
>> sure that we:
>>
>> - can filter the stuff we pull from AD
>
> You can set the subtree to use, I'm not sure if you can supply a
> filter to the winsync agreement. Rich?

No, this is an RFE.

This Trac report gives a pretty good idea of the limitations of 389 winsync:
https://fedorahosted.org/389/query?component=Sync+Service&status=accepted&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority&report=16

See especially:
https://fedorahosted.org/389/ticket/178
https://fedorahosted.org/389/ticket/460

>
>> - can avoid the synchronisation to remove other accounts managed in
>> IPA
>
> I don't understand the question. You don't want the winsync agreement
> to affect IPA-specific users? That works.
>
>>
>> Can someone confirm that this is possible ? Is there any in-depth
>> information on how this AD synchronization works (preferably about RHEL6
>> IPA) ?
>
> Not beyond what is in the 389-ds-base and IPA documentation. There
> might be some additional information on the 389-ds wiki.
What would you like to know?
>
>>
>> Also since we also require compatibility with Solaris, and roles (RBAC)
>> is currently used on Solaris, does IPA support RBAC on Solaris ? (We
>> noticed that RBAC mentioned in the IPA web interface only relates to IPA
>> management).
>
> No, IPA doesn't support RBAC on Solaris.
>
> rob
>