Ajeet S Raina wrote:
> Hello Kenneho,
>
> Thanks for the wonderful explanation. It did help me to come up with
> something more informative.
> I was going through Windows Sync and want to know about these points:
>
> 1. What all changes have to be done on the Active Directory Server? Just to
> check the risk and feasibility factor.

You have to install and configure the 389-PassSync .msi for your platform
according to the documentation.

> 2. Say, I follow the Red Hat Directory Server Guide. Does our 389 contain
> every little thing which RHDS has? Please clarify.
> What difference do these servers have?

Nothing substantial in this area.

> 3. Can I follow the complete RHDS Docs to set my Fedora DS to work
> with ADS?

Yes.

> What section may be missing?

Just be sure to use "389" instead of "Red Hat" where program folders etc.
are mentioned.

> 4. What are the overall steps (just in points) to set up Fedora DS sync
> with ADS, with a few ADS users synced to have permission to access the
> Linux machine?
>
> I did get 2 links:
> 1. Restrictively allowing only ISST Sysadmins on Fedora
> DS (synchronized with ADS) to access certain resources (Linux
> Machine): http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
>
> and,
>
> 2. Check ADS <=> Fedora DS Synchronization for User Creation/Deletion:
> http://www.redhat.com/docs/manuals/d...dows_Sync.html
>
> Do you think they are enough for me to set up as per my requirements?
>
> Please comment.
> Do help me with detailed docs if you have any so that I can help myself
> with the setup.
>
> With Regards,
> Ajeet
>
> On Mon, Jan 4, 2010 at 7:10 PM, Kenneth Holter <kenneho.ndu at gmail.com> wrote:
>
>> Well, I don't have any documentation on the posix/netgroup type of
>> scripts. But I can try to outline our approach:
>>
>> In the AD LDAP tree, we have created an organizational unit (OU)
>> named "linux" (or something like that). Under this OU we have two
>> OUs, named "users" and "groups". Under these OUs we've moved all
>> users and groups that are to be synced over to our Red Hat
>> Directory Server (RHDS, which is basically the same as FDS).
>>
>> On the RHDS, we've done this: Using the Windows Sync
>> (http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html)
>> plugin, we've defined that all entries under the "linux" OU on AD
>> should be synced over to RHDS. Windows Sync basically copies those
>> entries from AD.
>> In addition, we have a few scripts running on the RHDS server. One
>> script adds posix attributes to users that have been synced over
>> from AD to RHDS. Another script populates NIS netgroups based on
>> AD groups. Let me explain: Say we have an AD group called
>> "linux-admins", and that it's placed under the "groups" OU (as
>> explained above) and is thus synced over to the RHDS. On the RHDS
>> side, we have a similar NIS netgroup called for example
>> "netgroup-linux-admins". Our script reads the
>> "linux-admins" membership info, and makes sure that the
>> "netgroup-linux-admins" is updated with the same membership info.
>> This way we can rely on the AD admins to manage group memberships
>> on the RHDS side.
>> The NIS netgroup information can then be used for defining which
>> groups of users can access which groups of servers (note that
>> we're going to put server names into netgroups too), by configuring
>> PAM to allow access based on netgroup membership. For example, we
>> can define that users that are members of "netgroup-linux-admins"
>> will have access to all servers. Furthermore, we can use the same
>> netgroups to define sudo privileges for groups of users. For the
>> "netgroup-linux-admins", they will typically be given full sudo
>> access on all servers.
>>
>> I hope this made some sense. Let me know if you want me to
>> elaborate on some of the points.
>>
>> Btw, the most relevant info I've found on setting this thing up is
>> the RHDS manuals (http://www.redhat.com/docs/manuals/dir-server/),
>> and the 389 web site.
>>
>> - Kenneth
>>
>> On Mon, Jan 4, 2010 at 12:40 PM, Ajeet S Raina <ajeetraina at gmail.com> wrote:
>>
>>> Hello Kenneho,
>>>
>>> Thanks for the quick response. I appreciate your helpful words
>>> on these queries.
>>> I would be thankful if you can provide me with the tutorials or
>>> documents or links which you followed for the same setup.
>>>
>>> May I know what should be the approach for syncing ADS to Fedora DS?
>>> Any step by step approach for the sa
>>>
>>> On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter <kenneho.ndu at gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> We're currently working on a similar setup.
>>>>
>>>> Regarding your first question: Using the Windows Sync
>>>> plugin on the FDS you sync specific users from AD over to
>>>> FDS. Just move your sysadmin users to an LDAP organizational
>>>> unit (OU), and sync that over to FDS. Next, you'll need to
>>>> add posix attributes (user ID, group ID, home directory,
>>>> etc.) to these users on the FDS side. You can create simple
>>>> scripts for doing this. In our setup, we're going to use
>>>> groups defined on the AD side as the basis for NIS netgroups
>>>> on Linux, so that we can control access to and sudo
>>>> privileges on Linux servers based on these groups. This
>>>> adds to the complexity, but lets us manage users and
>>>> access from the AD side.
>>>>
>>>> When you delete a user on the AD side, it will get deleted
>>>> on the FDS side too.
>>>>
>>>> Regards,
>>>> Kenneth Holter
>>>>
>>>> On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina <ajeetraina at gmail.com> wrote:
>>>>
>>>>> I have a certain query regarding the following structure:
>>>>> Code:
>>>>>
>>>>> Active Directory Server
>>>>>            ||
>>>>>            ||
>>>>> Fedora Directory Server <=> Client (Linux | Fedora | Ubuntu | Solaris | HP)
>>>>>
>>>>> Let me explain what I want:
>>>>>
>>>>> 1. There is a company Active Directory Server under the
>>>>> domain intinfra.com. As of now there are limited Windows desktop
>>>>> machines under that domain. I have a few Linux / Unix machines which I
>>>>> want to authenticate through ADS (which are presently
>>>>> not under ADS). Why? Because every time I need to delete
>>>>> the users whenever they leave the project. That's cumbersome.
>>>>>
>>>>> So what I want is to set up Fedora DS (I wonder if we can do
>>>>> that without Fedora DS). Now I can join ADS to Fedora
>>>>> DS (I have administrative privileges for ADS). What I
>>>>> really want to know is:
>>>>>
>>>>> If I join Fedora DS to ADS then all employees can log in
>>>>> to the Linux machines through their login credentials.
>>>>> I don't want that to happen. We have 3000 employees in the
>>>>> intinfra domain but we are only 30 admins. I only want
>>>>> those 30-40 admins to be able to log in. Is it possible
>>>>> to restrict this at the Fedora DS level?
>>>>>
>>>>> 2. Say I joined ADS and Fedora DS and, say, after 30
>>>>> days one of the system admins left the company. So his name
>>>>> will be removed from ADS. Is it possible that ADS and
>>>>> Fedora DS are synchronized in such a way that a user
>>>>> whose name gets deleted in ADS gets deleted too from
>>>>> Fedora DS? Does Fedora DS have the capability to synchronize
>>>>> to ADS every time?
>>>>>
>>>>> Please suggest.
>>>>>
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>> --
>>> "It is not possible to rescue everyone who is caught in the
>>> Windows quicksand
>>> --Make sure you are on solid Linux ground before
>>> trying."
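Kenneth's description of the netgroup script (read the synced AD group's membership, make the matching "netgroup-<group>" NIS netgroup carry the same members) is the part of this thread that decides who can log in to the Linux boxes, and it is also the part that makes an AD deletion propagate into a loss of access. The following is an added example, written for this page and not Kenneth's script nor anything shipped by 389/RHDS: it works on LDIF text so it runs offline, computes the difference between the group's members and the netgroup's existing `nisNetgroupTriple` values, and emits an LDIF `changetype: modify` that adds the missing triples and deletes the stale ones. The sample entries are constructed; the attribute name `uniqueMember` for synced group members, the `uid=` first RDN of synced users, the `ou=netgroups` container and the `netgroup-<cn>` naming are all assumptions.

```python
"""
Hypothetical netgroup-sync helper (added example; not Kenneth Holter's
script and not part of 389 DS / RHDS).

Given an AD group as Windows Sync copied it into 389 DS and the NIS
netgroup (RFC 2307 nisNetgroup) that should mirror it, produce the LDIF
modify operation that brings the netgroup in line with the group.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the synced AD group as it might appear in 389 DS.
# The member attribute name "uniqueMember" is an assumption.
SYNCED_GROUP_LDIF = """\
dn: cn=linux-admins,ou=groups,ou=linux,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: linux-admins
uniqueMember: uid=alice,ou=users,ou=linux,dc=example,dc=com
uniqueMember: uid=bob,ou=users,ou=linux,dc=example,dc=com
uniqueMember: uid=carol,ou=users,ou=linux,dc=example,dc=com
"""

# Constructed sample: the netgroup as it currently exists. "dave" is no
# longer in the AD group (e.g. removed or deleted in AD) and must lose
# membership; "bob" and "carol" are new and must gain it.
CURRENT_NETGROUP_LDIF = """\
dn: cn=netgroup-linux-admins,ou=netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: netgroup-linux-admins
nisNetgroupTriple: (-,alice,)
nisNetgroupTriple: (-,dave,)
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal parser for one LDIF entry (no base64 values, no folded lines).
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def uid_from_dn(dn: str) -> str:
    """Return the value of the first RDN, e.g. 'uid=alice,ou=...' -> 'alice'.
    Assumes synced users are named by uid in their first RDN."""
    m = re.match(r"\s*[^=,]+=([^,]+)", dn)
    if not m:
        raise ValueError(f"unparseable member DN: {dn!r}")
    return m.group(1).strip()


def member_triples(group: Dict[str, List[str]]) -> Set[str]:
    """Map every member DN of the group to a user-only netgroup triple
    '(-,user,)' (host and domain fields left empty)."""
    return {f"(-,{uid_from_dn(dn)},)" for dn in group.get("uniquemember", [])}


def netgroup_modify_ldif(group_ldif: str, netgroup_ldif: str) -> str:
    """Compute the LDIF modify that makes the netgroup's triples equal the
    group's membership. Returns '' when nothing needs to change, so the
    job is safe to run repeatedly from cron."""
    group = parse_ldif_entry(group_ldif)
    netgroup = parse_ldif_entry(netgroup_ldif)
    wanted = member_triples(group)
    have = set(netgroup.get("nisnetgrouptriple", []))
    to_add = sorted(wanted - have)
    to_del = sorted(have - wanted)
    if not to_add and not to_del:
        return ""
    lines = [f"dn: {netgroup['dn'][0]}", "changetype: modify"]
    if to_add:
        lines.append("add: nisNetgroupTriple")
        lines += [f"nisNetgroupTriple: {t}" for t in to_add]
        lines.append("-")
    if to_del:
        # Deleting the stale triple is what turns an AD removal into a
        # revoked login on every server that trusts this netgroup.
        lines.append("delete: nisNetgroupTriple")
        lines += [f"nisNetgroupTriple: {t}" for t in to_del]
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Feed the output to ldapmodify as a bind DN that may only write
    # under the netgroup container, not as Directory Manager.
    print(netgroup_modify_ldif(SYNCED_GROUP_LDIF, CURRENT_NETGROUP_LDIF), end="")
```

Producing a diff instead of rewriting the whole attribute keeps the change set small enough to read in the access log, and an empty result on a second run makes the job idempotent. The same add/delete logic can drive the server-side netgroups Kenneth mentions (triples of the form `(host,-,)`), which is what the PAM and sudo rules then key on.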