Re: Windows sync: how do you populate the posixUser attributes?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Kenneth Holter wrote:
>  
> Has anyone on the list set up such as scheme for adding posix 
> attributes to users synced from AD, and would like to comment on this 
> approach?
>  
> I'm thinking that maybe running a cron job (for example a couple of 
> times an hour) that searches for newly added users, then using 
> "ldapmodify" to add the required posix attributes, may be the way to go.
That might work.  There is some documentation about how to poll Active 
Directory for changes to entries:
http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
and
http://support.microsoft.com/kb/891995

I have a python-ldap script that implements support for the DirSync 
control - http://github.com/richm/scripts/tree/master/dirsyncctrl.py
>  
>  
> Regards,
> Kenneth
>
>  
> On 11/10/08, *Rich Megginson* <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     Kenneth Holter wrote:
>
>         Thank you for your reply.
>          Yes you understood me correctly - I ment it doesn't seem like
>         Windows Sync is intended for Linux machine login (via SSH to
>         be precise) to "just work" with no additional work. I'm sorry
>         that I wasn't too clear on this.
>          Is it so that one usually has a AD/DS setup like this:
>
>            * users/passwords are synced from AD to DS
>            * the new users are exported to ldif file, added things such as
>              posix attributes, and reimported into DS
>            * users can now log into linux servers (via SSH) that are
>         properly
>              configured as LDAP clients
>
>         ? Just trying to get an understanding of how one usualy set up
>         AD and DS to work together.
>
>     I think that's how it usually goes.  Perhaps some other folks that
>     are doing this will chime in.
>
>     freeIPA will soon have support for automatic creation of AD user
>     accounts in IPA, including all of the posix and kerberos
>     attributes needed for OS login.  See freeipa.org <http://freeipa.org/>
>
>          
>          On 11/7/08, *Rich Megginson* <rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>> wrote:
>
>            Kenneth Holter wrote:
>
>                 I'm not very into fedora/redhat direcoty server (DS), but
>                thought I'd just drop a quick question: It doesn't
>         seems like
>                Windows Sync is intended for syncing  AD users to DS so
>         that
>                users defined on AD can be allowed to log into Linux
>         machines.
>
>            I'm not sure what you mean by that.  Do you mean because
>         the posix
>            attributes are not synced, you cannot create a user in AD
>         that is
>            synced to Fedora DS and Linux machine login "just works"
>         with no
>            additional work?
>
>                It is possible to get this working, however, through a
>         series
>                of manual steps. So what is the intended purpose for
>         Windows
>                Sync, if I might ask, as it seems a lot simpler just to
>         manage
>                everything directly from DS without syncing with AD?
>
>            I think most people use it to sync passwords, so that you
>         can have
>            the same password on AD as Unix/Linux, and when you change the
>            password on one side, that change is synced to the other side.
>
>                  Regards,
>                Kenneth Holter
>
>                 On 11/6/08, *Rich Megginson* <rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>> wrote:
>
>                   Erling Ringen Elvsrud wrote:
>
>                       On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
>                       <rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>> wrote:
>                       [...]
>                                         That should work.  But note
>         that posix attributes
>                will not
>                           sync to AD.  And
>                           even if you did manage to find a posix
>         schema that
>                worked
>                           with AD, and added
>                           the posix schema on the AD side, those
>         attributes would
>                           not be synced to
>                           Fedora DS.
>                            
>                       Thanks for your answer.
>
>                       I start to wonder if Windows sync is worth the
>         trouble.
>                At my
>                       site we
>                       will probably not implement password sync as the
>                AD-side is very
>                       restrictive about installing anything.
>
>                   I hear this all the time - AD admins are very touchy
>         about
>                   installing anything, especially some piece of random
>         open
>                source
>                   software that's going to intercept clear text
>         passwords and
>                send
>                   them who-knows-where
>
>                       So what I get is basically a
>                       skeleton that I have to populate with the posixUser
>                attributes.
>
>                       Another issue is groups in AD. I suppose those
>         groups
>                will become
>                       regular unix-groups on the directory server side,
>
>                   Yes.  But note - not posix groups (posixGroup) but
>         plain groups
>                   (groupOfUniqueNames)
>
>                       which might not
>                       be enough for all policing needs (may need
>         netgroups in
>                addition).
>                                 Sure.
>
>                       We will probably have maximum a few hundred
>         users in the
>                       directory, do
>                       you think Windows-sync is worth the bother?
>                                 I suggest you take a look at Penrose
>                   http://docs.safehaus.org/display/PENROSE/Home
>
>                       Erling
>
>                       --
>                       Fedora-directory-users mailing list
>                       Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>                <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>>
>                       <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>                <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>>>
>                            
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>                      
>                   --
>                   Fedora-directory-users mailing list
>                   Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>                <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>>
>                   <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>                <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>>>
>                  
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>              
>          ------------------------------------------------------------------------
>
>                --
>                Fedora-directory-users mailing list
>                Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>                <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>>
>              
>          https://www.redhat.com/mailman/listinfo/fedora-directory-users
>                
>
>            --
>            Fedora-directory-users mailing list
>            Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>            <mailto:Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>>
>            https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>         ------------------------------------------------------------------------
>
>         --
>         Fedora-directory-users mailing list
>         Fedora-directory-users at redhat.com
>         <mailto:Fedora-directory-users at redhat.com>
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>          
>
>
>     --
>     Fedora-directory-users mailing list
>     Fedora-directory-users at redhat.com
>     <mailto:Fedora-directory-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20081119/aecf7331/attachment.bin 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux