Kenneth Holter wrote:
>
> I'm not very into fedora/redhat directory server (DS), but thought I'd
> just drop a quick question: It doesn't seem like Windows Sync is
> intended for syncing AD users to DS so that users defined on AD can
> be allowed to log into Linux machines.

I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?

> It is possible to get this working, however, through a series of
> manual steps. So what is the intended purpose for Windows Sync, if I
> might ask, as it seems a lot simpler just to manage everything
> directly from DS without syncing with AD?

I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.

>
> Regards,
> Kenneth Holter
>
>
> On 11/6/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
>     Erling Ringen Elvsrud wrote:
>
>         On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
>         <rmeggins at redhat.com> wrote:
>         [...]
>
>             That should work. But note that posix attributes will not
>             sync to AD. And even if you did manage to find a posix
>             schema that worked with AD, and added the posix schema on
>             the AD side, those attributes would not be synced to
>             Fedora DS.
>
>         Thanks for your answer.
>
>         I start to wonder if Windows sync is worth the trouble. At my
>         site we will probably not implement password sync as the
>         AD-side is very restrictive about installing anything.
>
>     I hear this all the time - AD admins are very touchy about
>     installing anything, especially some piece of random open source
>     software that's going to intercept clear text passwords and send
>     them who-knows-where
>
>         So what I get is basically a
>         skeleton that I have to populate with the posixUser attributes.
>
>         Another issue is groups in AD. I suppose those groups will become
>         regular unix-groups on the directory server side,
>
>     Yes. But note - not posix groups (posixGroup) but plain groups
>     (groupOfUniqueNames)
>
>         which might not
>         be enough for all policing needs (may need netgroups in addition).
>
>     Sure.
>
>         We will probably have maximum a few hundred users in the
>         directory, do
>         you think Windows-sync is worth the bother?
>
>     I suggest you take a look at Penrose
>     http://docs.safehaus.org/display/PENROSE/Home
>
>         Erling
>
>         --
>         Fedora-directory-users mailing list
>         Fedora-directory-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>