Thank you for your reply. Yes, you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.

Is it so that one usually has an AD/DS setup like this:

- users/passwords are synced from AD to DS
- the new users are exported to an ldif file, things such as posix attributes are added, and the file is reimported into DS
- users can now log into Linux servers (via SSH) that are properly configured as LDAP clients?

Just trying to get an understanding of how one usually sets up AD and DS to work together.

On 11/7/08, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Kenneth Holter wrote:
>
>> I'm not very into fedora/redhat directory server (DS), but thought I'd
>> just drop a quick question: It doesn't seem like Windows Sync is intended
>> for syncing AD users to DS so that users defined on AD can be allowed to
>> log into Linux machines.
>>
> I'm not sure what you mean by that. Do you mean because the posix
> attributes are not synced, you cannot create a user in AD that is synced to
> Fedora DS and Linux machine login "just works" with no additional work?
>
>> It is possible to get this working, however, through a series of manual
>> steps. So what is the intended purpose for Windows Sync, if I might ask, as
>> it seems a lot simpler just to manage everything directly from DS without
>> syncing with AD?
>>
> I think most people use it to sync passwords, so that you can have the same
> password on AD as Unix/Linux, and when you change the password on one side,
> that change is synced to the other side.
>
>> Regards,
>> Kenneth Holter
>>
>> On 11/6/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>>
>> Erling Ringen Elvsrud wrote:
>>
>> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>> [...]
>>
>> That should work. But note that posix attributes will not sync to AD. And
>> even if you did manage to find a posix schema that worked with AD, and added
>> the posix schema on the AD side, those attributes would not be synced to
>> Fedora DS.
>>
>> Thanks for your answer.
>>
>> I start to wonder if Windows sync is worth the trouble. At my site we
>> will probably not implement password sync as the AD-side is very
>> restrictive about installing anything.
>>
>> I hear this all the time - AD admins are very touchy about
>> installing anything, especially some piece of random open source
>> software that's going to intercept clear text passwords and send
>> them who-knows-where
>>
>> So what I get is basically a
>> skeleton that I have to populate with the posixUser attributes.
>>
>> Another issue is groups in AD. I suppose those groups will become
>> regular unix-groups on the directory server side,
>>
>> Yes. But note - not posix groups (posixGroup) but plain groups
>> (groupOfUniqueNames)
>>
>> which might not
>> be enough for all policing needs (may need netgroups in addition).
>>
>> Sure.
>>
>> We will probably have maximum a few hundred users in the
>> directory, do you think Windows-sync is worth the bother?
>>
>> I suggest you take a look at Penrose
>> http://docs.safehaus.org/display/PENROSE/Home
>>
>> Erling
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20081110/4d5d5ea8/attachment.html
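The "export to ldif, add posix attributes, reimport" step Kenneth asks about, as an added example that is not part of the original thread and is not a 389/Fedora DS tool: a small Python script that reads an LDIF export of Windows-Sync'd users, allocates posixAccount attributes to the entries that still lack them, and emits an ldapmodify-style LDIF to load back into DS. The sample entries, DNs, the uidNumber range and the default gidNumber, home directory base and login shell are constructed assumptions; the script also assumes the synced entries already carry cn and uid (as inetOrgPerson entries do), since posixAccount requires both.

```python
"""Add posixAccount attributes to users exported from a Windows-Sync'd directory.

Added example for the export / add-posix / reimport step discussed in the thread.
Not part of the original mail nor of 389/Fedora DS; all sample values are constructed.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # lower-cased attribute name -> list of values

# Constructed sample export: two synced users (ntUser objectClass from Windows Sync),
# one of which has already been given posix attributes by an earlier run.
SAMPLE_EXPORT = """version: 1
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ntUser
uid: jdoe
cn: John Doe
sn: Doe
ntUserDomainId: jdoe

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ntUser
objectClass: posixAccount
uid: asmith
cn: Alice Smith
sn: Smith
uidNumber: 5000
gidNumber: 100
homeDirectory: /home/asmith
ntUserDomainId: asmith
"""

# Conservative POSIX login-name shape; AD sAMAccountNames outside it need manual review.
_VALID_UID = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are separated by blank lines, folded
    continuation lines (leading space) are joined, comments and the
    'version:' header are skipped. Base64 values ('attr::') are kept verbatim."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = value[1:]
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def plan_posix_attributes(entries: List[Entry], first_uid: int = 5000, gid: str = "100",
                          home_base: str = "/home", shell: str = "/bin/bash") -> Dict[str, Dict[str, str]]:
    """Pick the entries that need posixAccount and allocate uidNumbers above the
    highest one already in the export, so rerunning after each sync never collides."""
    used = [int(v) for e in entries for v in e.get("uidnumber", []) if v.isdigit()]
    next_uid = max([first_uid - 1] + used) + 1
    plan: Dict[str, Dict[str, str]] = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        uid = e.get("uid", [""])[0]
        if "posixaccount" in classes or not _VALID_UID.match(uid):
            continue  # already done, or not a usable POSIX login name
        plan[e["dn"][0]] = {
            "uidNumber": str(next_uid), "gidNumber": gid,
            "homeDirectory": f"{home_base}/{uid}", "loginShell": shell,
        }
        next_uid += 1
    return plan


def render_modify_ldif(plan: Dict[str, Dict[str, str]]) -> str:
    """Emit ldapmodify-style change records adding objectClass posixAccount and
    the required attributes to each planned entry (one '-' terminates each mod)."""
    records = []
    for dn, attrs in plan.items():
        lines = [f"dn: {dn}", "changetype: modify",
                 "add: objectClass", "objectClass: posixAccount", "-"]
        for name, value in attrs.items():
            lines += [f"add: {name}", f"{name}: {value}", "-"]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    print(render_modify_ldif(plan_posix_attributes(parse_ldif(SAMPLE_EXPORT))), end="")
```

Because entries that already carry posixAccount are skipped and new uidNumbers start above the highest one present, the script can be rerun against each fresh export without handing out duplicate ids. The added attributes exist only on the DS side; as Rich notes above, Windows Sync will not carry them back to AD.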