<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 02/15/2012 02:39 AM, David Juran wrote:
<blockquote
cite="mid:1329291557.3280.88.camel@localhost.localdomain"
type="cite">
<pre wrap="">On tis, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">I don't think so, but can you provide some examples?
</pre>
</blockquote>
<pre wrap="">
If I understand the customers use-case correctly (and this is quite a
disclaimer) they have _most_ of their users in one sub-tree in AD but
also some users spread out all over the AD.
So I gather that I really should sync the entire AD. Or that I
_possibly_ could specify multiple sub-trees to sync, but still only on a
subtree level and not individual users to sync. Or that I really should
wait for the trust-to-AD feature to be ready... Is that correct?
</pre>
</blockquote>
<pre wrap="">
How would they identify which users they would want sync'd? Is this
something we'd be able to build a filter on (not that we actually
provide a configurable filter right now)?
</pre>
</blockquote>
<pre wrap="">
I'll check that, but won't all of this become moot once we can trust an
AD domain?
If this filtering would become a show-stopper I'll get back to you, but
if schedule permits, I'd rather wait for the trust feature rather then
develop a new feature for this.
</pre>
</blockquote>
<br>
If you are seriously considering trust solution - great. The only
advice I want to give is to think about how the final solution based
on trusts would look like. Then look at what you have and try to
develop procedures that would bring you from where you are to where
you want to be. There might be some "aha" moments there as trust
solution would work with latest SSSD and IPA but the older versions
of Fedora/RHEL or other platforms would not be able to participate
so you need to think how to deal with that scenario. <br>
<br>
Also if you come across some problems and/or ideas please do not
hesitate to share. May be there is something we can do tomake the
migration smoother but we need to understand the issues first.<br>
<br>
<blockquote
cite="mid:1329291557.3280.88.camel@localhost.localdomain"
type="cite">
<pre wrap=""></pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>