[Freeipa-users] AD trust with POSIX attributes

Jakub Hrozek jhrozek at redhat.com
Thu Jun 23 17:54:52 UTC 2016


On Thu, Jun 23, 2016 at 01:31:09PM +0200, Jan Karásek wrote:
> Hi, 
> 
> thank you for the answers. May be I am doing something wrong. 
> 
> 1. AD attributes - I am using the standard set of user's attributes in AD - I did not extend the AD schema (2012 R2) 
> I am using the set of attributes defined in RFC 2307: 
> uidNumber
> gidNumber
> gecos
> homeDirectory
> loginShell 
> I am having trouble finding in the documentation the names of the attributes which IPA is able to read from AD. Could you please clarify if this is OK? 
> Could you please point me to some doc ...? I have read the Windows integration guide, but there were not enough details ... 

This is not well documented, but it's easy enough to read from the code:
    https://github.com/SSSD/sssd/blob/master/src/providers/ad/ad_opts.c

> 
> 2. Do I need to fill in user's attributes values before the trust is set up ? 

If you do, then IPA will detect the POSIX attributes during trust/range
creation.

> 
> 3. If using ID views in this case I would have to somehow copy the information stored in AD into ID views and keep them updated, which is a huge overhead when you have hundreds or thousands of users. That is why I need to read them directly from AD. 

I don't think you need to; ID views are really meant more for migration
deployments. It seems like you want to use all POSIX attributes from AD,
so it would be easiest to let IPA detect them and use them by default on
all hosts.

> 
> 4. Is it possible to change the already established trust (created without --range-type=ipa-ad-trust-posix) to a trust with a POSIX range? I mean without breaking the trust and re-establishing a new one? 

You can remove the existing range and create a new one, but because
there is really no 'cost' to re-establishing the trust, I think it would
be easiest to just remove the trust and the range and create them again,
just to let the IPA tools do their work.

By the way, in SSSD we don't handle renumbering users well, so you'll
need to remove the caches on the clients as well.
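
The procedure described in the reply above (drop the trust and its ID range, add the trust back with a POSIX range, then purge the SSSD caches on the clients), written out as an added shell example. This is not code from the original thread or from the FreeIPA/SSSD projects. It assumes the trusted domain is `ad.example.test`, that the AD admin account is `Administrator`, and that IPA named the range it created for the trust `<DOMAIN>_id_range` with the domain in upper case (check with `ipa idrange-find` before relying on that). By default it only prints the commands; set `DRY_RUN=0` to execute them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): re-establish an IPA/AD trust
# with a POSIX ID range and wipe stale SSSD caches on clients.
# All domain/account names below are placeholders (assumptions).
set -eu

# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Name IPA gives the ID range it creates for a trusted domain:
# <DOMAIN in upper case>_id_range. This is an assumption about IPA's
# naming convention; verify it with `ipa idrange-find` on your server.
trust_range_name() {
  printf '%s_id_range\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Server side (run on an IPA master with an admin Kerberos ticket):
# delete the trust and the non-POSIX range it came with, then add the
# trust back with --range-type=ipa-ad-trust-posix so uidNumber/gidNumber
# are read from AD instead of being generated from the SID.
recreate_trust_posix() {
  ad_domain="$1"
  ad_admin="$2"
  range="$(trust_range_name "$ad_domain")"

  run ipa trust-del "$ad_domain"
  run ipa idrange-del "$range"
  run ipa trust-add --type=ad "$ad_domain" --admin "$ad_admin" --password \
      --range-type=ipa-ad-trust-posix
  # Confirm the new range really is of the POSIX type.
  run ipa idrange-show "$range"
}

# Client side (run on every IPA client): SSSD does not renumber users it
# has already cached, so stop it, remove the on-disk and memory caches,
# and start it again so the POSIX IDs are fetched fresh.
purge_sssd_cache() {
  run systemctl stop sssd
  run rm -f /var/lib/sss/db/*.ldb /var/lib/sss/mc/*
  run systemctl start sssd
}

# Usage:
#   DRY_RUN=0 ./recreate-trust.sh            # on the IPA server
#   DRY_RUN=0 ./recreate-trust.sh --clients  # on each client
if [ "${1:-}" = "--clients" ]; then
  purge_sssd_cache
else
  recreate_trust_posix ad.example.test Administrator
fi
```

Run the server half first and check the output of `ipa idrange-show`; only then purge the client caches, otherwise SSSD will simply re-cache the old, SID-derived IDs.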
