Kenneth Holter wrote:
> Has anyone on the list set up such a scheme for adding posix
> attributes to users synced from AD, and would like to comment on this
> approach?
>
> I'm thinking that maybe running a cron job (for example a couple of
> times an hour) that searches for newly added users, then using
> "ldapmodify" to add the required posix attributes, may be the way to go.

That might work. There is some documentation about how to poll Active
Directory for changes to entries:
http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
http://support.microsoft.com/kb/891995

I have a python-ldap script that implements support for the DirSync
control - http://github.com/richm/scripts/tree/master/dirsyncctrl.py

> Regards,
> Kenneth
>
> On 11/10/08, Rich Megginson <rmeggins at redhat.com> wrote:
>> Kenneth Holter wrote:
>>> Thank you for your reply.
>>> Yes you understood me correctly - I meant it doesn't seem like
>>> Windows Sync is intended for Linux machine login (via SSH to
>>> be precise) to "just work" with no additional work. I'm sorry
>>> that I wasn't too clear on this.
>>> Is it so that one usually has an AD/DS setup like this:
>>>
>>> * users/passwords are synced from AD to DS
>>> * the new users are exported to ldif file, added things such as
>>>   posix attributes, and reimported into DS
>>> * users can now log into linux servers (via SSH) that are properly
>>>   configured as LDAP clients
>>>
>>> ? Just trying to get an understanding of how one usually sets up
>>> AD and DS to work together.
>>
>> I think that's how it usually goes. Perhaps some other folks that
>> are doing this will chime in.
>>
>> freeIPA will soon have support for automatic creation of AD user
>> accounts in IPA, including all of the posix and kerberos
>> attributes needed for OS login. See http://freeipa.org/
>>
>>> On 11/7/08, Rich Megginson <rmeggins at redhat.com> wrote:
>>>> Kenneth Holter wrote:
>>>>> I'm not very into fedora/redhat directory server (DS), but
>>>>> thought I'd just drop a quick question: It doesn't seem like
>>>>> Windows Sync is intended for syncing AD users to DS so that
>>>>> users defined on AD can be allowed to log into Linux machines.
>>>>
>>>> I'm not sure what you mean by that. Do you mean because the posix
>>>> attributes are not synced, you cannot create a user in AD that is
>>>> synced to Fedora DS and Linux machine login "just works" with no
>>>> additional work?
>>>>
>>>>> It is possible to get this working, however, through a series
>>>>> of manual steps. So what is the intended purpose for Windows
>>>>> Sync, if I might ask, as it seems a lot simpler just to manage
>>>>> everything directly from DS without syncing with AD?
>>>>
>>>> I think most people use it to sync passwords, so that you can have
>>>> the same password on AD as Unix/Linux, and when you change the
>>>> password on one side, that change is synced to the other side.
>>>>
>>>>> Regards,
>>>>> Kenneth Holter
>>>>>
>>>>> On 11/6/08, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>>> Erling Ringen Elvsrud wrote:
>>>>>>> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
>>>>>>> <rmeggins at redhat.com> wrote:
>>>>>>>> [...]
>>>>>>>> That should work. But note that posix attributes will not
>>>>>>>> sync to AD. And even if you did manage to find a posix
>>>>>>>> schema that worked with AD, and added the posix schema on
>>>>>>>> the AD side, those attributes would not be synced to
>>>>>>>> Fedora DS.
>>>>>>>
>>>>>>> Thanks for your answer.
>>>>>>>
>>>>>>> I start to wonder if Windows sync is worth the trouble. At my
>>>>>>> site we will probably not implement password sync as the
>>>>>>> AD-side is very restrictive about installing anything.
>>>>>>
>>>>>> I hear this all the time - AD admins are very touchy about
>>>>>> installing anything, especially some piece of random open source
>>>>>> software that's going to intercept clear text passwords and send
>>>>>> them who-knows-where
>>>>>>
>>>>>>> So what I get is basically a skeleton that I have to populate
>>>>>>> with the posixUser attributes.
>>>>>>>
>>>>>>> Another issue is groups in AD. I suppose those groups will
>>>>>>> become regular unix-groups on the directory server side,
>>>>>>
>>>>>> Yes. But note - not posix groups (posixGroup) but plain groups
>>>>>> (groupOfUniqueNames)
>>>>>>
>>>>>>> which might not be enough for all policing needs (may need
>>>>>>> netgroups in addition).
>>>>>>
>>>>>> Sure.
>>>>>>
>>>>>>> We will probably have maximum a few hundred users in the
>>>>>>> directory, do you think Windows-sync is worth the bother?
>>>>>>
>>>>>> I suggest you take a look at Penrose
>>>>>> http://docs.safehaus.org/display/PENROSE/Home
>>>>>>
>>>>>>> Erling
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20081119/aecf7331/attachment.bin
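The cron-plus-ldapmodify approach Kenneth proposes above, as an added example (this is not code from the thread, and it is not Rich's dirsyncctrl.py): a Python function that turns the entries a "synced users still lacking posixAccount" search would return into the LDIF that ldapmodify consumes. The entry layout, the assumed search filter (&(objectClass=ntUser)(!(objectClass=posixAccount))), the uidNumber floor of 10000, gidNumber 100 and the /home/<uid> convention are all assumptions made for the example; the sample entries are constructed, not read from a directory. Three details matter more than the LDIF itself: uidNumbers are allocated above the highest one already in use rather than refilling gaps (a reused number inherits whatever files its previous owner left behind), a uid that is not a plain login name is reported and skipped instead of being pasted into a filesystem path (the uid comes from AD's sAMAccountName, which the DS side does not control), and values that RFC 2849 does not allow in plain form are base64-encoded so a stray leading space or non-ASCII character cannot corrupt the modify.

```python
"""Build ldapmodify input that gives newly synced AD users their posixAccount
attributes. Added example; the entries below are constructed, not read from a
directory, and the filter/attribute values are assumptions for illustration."""
import base64
import re

# What the cron job's searches might return (constructed sample data).
# Assumed filter for new users: (&(objectClass=ntUser)(!(objectClass=posixAccount)))
# The existing posixAccount entry is included only so that its uidNumber is
# taken into account; a real job would gather those with a second search
# over every posixAccount in the directory.
SAMPLE_ENTRIES = [
    {"dn": "uid=kholter,ou=People,dc=example,dc=com", "uid": "kholter",
     "objectClass": ["top", "person", "inetOrgPerson", "ntUser"]},
    {"dn": "uid=eringen,ou=People,dc=example,dc=com", "uid": "eringen",
     "objectClass": ["top", "person", "inetOrgPerson", "ntUser"]},
    {"dn": "uid=already,ou=People,dc=example,dc=com", "uid": "already",
     "uidNumber": "10007",
     "objectClass": ["top", "person", "inetOrgPerson", "ntUser", "posixAccount"]},
    # A uid that is not a plain login name; it would end up in homeDirectory.
    {"dn": "uid=../evil,ou=People,dc=example,dc=com", "uid": "../evil",
     "objectClass": ["top", "person", "inetOrgPerson", "ntUser"]},
]

# Login names we are willing to turn into /home/<uid> and hand to the OS.
# Mixed-case or otherwise odd sAMAccountNames are reported, not mangled.
SAFE_UID = re.compile(r"^[a-z_][a-z0-9._-]{0,31}$")


def ldif_value(attr, value):
    """Render one 'attr: value' line per RFC 2849, base64-encoding values that
    start with space, ':' or '<' or contain non-ASCII, NUL, CR or LF."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_start or unsafe_char:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def needs_posix(entry):
    return "posixAccount" not in entry.get("objectClass", [])


def allocate_uid(in_use, floor=10000):
    """Next uidNumber above everything in use. Gaps are deliberately not
    refilled: a reused number would own files the previous holder left."""
    return max([floor - 1] + [int(n) for n in in_use]) + 1


def posix_modify_ldif(entries, floor=10000, gid=100, shell="/bin/bash"):
    """Return (ldif_text, {uid: uidNumber}, [skipped uids])."""
    in_use = {int(e["uidNumber"]) for e in entries if "uidNumber" in e}
    assigned, skipped, records = {}, [], []
    for e in entries:
        if not needs_posix(e):
            continue
        uid = e["uid"]
        if not SAFE_UID.match(uid):
            skipped.append(uid)          # leave it for a human, do not guess
            continue
        number = allocate_uid(in_use, floor)
        in_use.add(number)
        assigned[uid] = number
        records.append("\n".join([
            ldif_value("dn", e["dn"]),
            "changetype: modify",
            "add: objectClass", "objectClass: posixAccount", "-",
            "add: uidNumber", f"uidNumber: {number}", "-",
            "add: gidNumber", f"gidNumber: {gid}", "-",
            "add: homeDirectory", ldif_value("homeDirectory", f"/home/{uid}"), "-",
            "add: loginShell", ldif_value("loginShell", shell), "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else ""), assigned, skipped


if __name__ == "__main__":
    text, done, left = posix_modify_ldif(SAMPLE_ENTRIES)
    print(text)
    print("# assigned:", done, "skipped:", left)
```

The output is fed to ldapmodify as a file (for example `ldapmodify -x -H ldap://ds.example.com -D "cn=posix-fixup,ou=Special Users,dc=example,dc=com" -W -f posix.ldif`; the bind DN is an assumption). Bind the cron job as a dedicated DS identity whose ACI allows it to add only objectClass, uidNumber, gidNumber, homeDirectory and loginShell under ou=People, not as Directory Manager. Because uidNumber allocation depends on the directory state at the time of the search, keep the job single-instance (a lock file, or a DS uidNumber uniqueness plugin as a backstop) so two overlapping runs cannot hand out the same number.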