On 07/09/2009 09:35 AM, Prashanth Sundaram wrote:
> Elaborating the Qs:
>
> Question1: Since we have an existing LDAP server (OpenLDAP) and users were
> logging in to other dev, prod and testing servers using the passwords
> managed by this OpenLDAP server. I believe the way the member servers
> remember the user credentials is by assigning each user with a unique
> security ID. (please correct me if I am wrong) If that gets lost in
> migration, then my users' permissions will have to be re-assigned from
> scratch (pain for sysadmins)
>
> So my question was, will the users be able to login to member servers after
> migrating to FDS and still have same permissions and home directory folder
> and everything looks the same without panicking about any missing
> permissions or files.
>
I believe you are referring to the uidNumber and gidNumber attributes.
File permissions use these numbers. These will remain the same when
you export from OpenLDAP and import to 389.

> Question2.1: What will happen to the passwords that are different on the FDS
> and AD before the Sync. I do not want the passwords to be reset on FDS or AD
> after 1st sync but only future passwords changes to be Synced to FDS and AD
> and vice versa.
>
A clear-text password is required to sync since different hashing
schemes are used on each side. Passwords will only be synchronized
when they are changed, which is what you want.

> Question2.1: I was working with windows before and noticed that the Windows
> saves users with a unique id. If that is lost or recreated, the previous
> permissions will no longer hold true for the user, even though the username
> is same. Is it same in Unix environment? Like say I delete a user account
> from FDS and a day after I re-create the ID, will the permissions stay
> intact?
>
The uidNumber and gidNumber are used in *nix, not the actual uid.
If you re-create a user using the same uidNumber and gidNumber, the
permissions will still have the same net effect as they did with the
old user entry.

>
> Thanks,
> Prashanth
>
> https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html
>
>> On 07/09/2009 07:19 AM, Prashanth Sundaram wrote:
>>
>>> Dear fellow Fedora DS users and experts,
>>>
>>> I am working on this new project where there is a two step process. We are
>>> currently using a poorly managed OpenLDAP server for over 3 years and
>>> planning to migrate to Fedora DS.
>>>
>>> Scenario: OpenLDAP=====Migrate all users and passwords===> Fedora DS
>>> <----------PassSync------->Windows AD
>>>
>>> Question1: Is it possible to migrate current users (around 300 users) from
>>> OpenLDAP to Fedora DS along with the UIDs, Security id and passwords. Like
>>> everything looks same in users perspective.
>>>
>> It depends on the schema that is used, but this should be a case of
>> exporting from OpenLDAP and importing to 389.
>>
>>> Question2: Is it possible to create a password sync between FDS and AD for
>>> all the above users. Yes, the username is same in both the directories.
>>>
>> Yes, you can sync passwords. A number of other common attributes are
>> synchronized as well. These attributes are listed in the Red Hat
>> Directory Server Administrator's Guide.
>>
>>> Question2.1: The users are stored with different Security
>>> IDs in windows environment than in OpenLDAP or FDS. Will that pose a
>>> problem?
>>>
>> I'm not sure what LDAP attribute you are referring to as the "Security
>> ID", so I can't say if this will be a problem.
>>
>>> Question2.2: We have several domain controllers and Active
>>> Directory server which run in sync. Since the PassSync can only run on one
>>> server, will it be a problem that some passwords do not get sync because the
>>> user changed it on XP which redirected to another server (without
>>> PassSync)?
>>>
>> You need to run the PassSync service on all domain controllers. It's
>> the synchronization agreement that you set up on the 389 side that can
>> only point to one domain controller.
>>
>>> If any of you has gone thru these issues and anything more, please respond
>>> to this thread or give me links.
>>>
>>> Thanks for your help and patience.
>>> Prashanth
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>> End of Fedora-directory-users Digest, Vol 50, Issue 8
>> *****************************************************
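
Added example, not part of the original thread: a check for the point made in the reply above, that uidNumber and gidNumber must come through the OpenLDAP export and the 389 import unchanged for file permissions to keep working. It compares two LDIF exports; the function names and the sample LDIF are constructed for illustration.

```python
import base64

CHECKED = ("uidnumber", "gidnumber", "homedirectory")

def parse_ldif(text):
    """Return {uid: {attr: first value}} for entries that carry a uidNumber."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # skip LDIF comments
            lines.append(raw)
    accounts, entry = {}, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if "uid" in entry and "uidnumber" in entry:
                accounts[entry["uid"]] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip().lower(), value.strip())
    return accounts

def compare_ids(before_ldif, after_ldif):
    """List (uid, attr, old, new) per mismatch; new is None when the user is gone."""
    before, after = parse_ldif(before_ldif), parse_ldif(after_ldif)
    problems = []
    for uid, old in sorted(before.items()):
        new = after.get(uid)
        if new is None:
            problems.append((uid, "entry", "present", None))
            continue
        problems += [(uid, a, old.get(a), new.get(a))
                     for a in CHECKED if old.get(a) != new.get(a)]
    return problems

# Constructed sample exports (not from the thread): bob's uidNumber changed on import.
OPENLDAP = """dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 1002
gidNumber: 100
"""
DS389 = OPENLDAP.replace("uidNumber: 1002", "uidNumber: 2002")
```

An empty result from `compare_ids` means every account kept its numeric IDs; any tuple it returns names a user whose files on member servers would end up owned by a different or nonexistent ID.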