Re: Re: Windows sync: how do you populate the posixUser attributes?

Kenneth Holter wrote:
I'm not very into Fedora/Red Hat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines.
I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?
It is possible to get this working, however, through a series of manual steps. So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?
I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.
Regards,
Kenneth Holter

On 11/6/08, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

    Erling Ringen Elvsrud wrote:

        On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
        <rmeggins@xxxxxxxxxx> wrote:
        [...]
            That should work.  But note that posix attributes will not
            sync to AD.  And even if you did manage to find a posix
            schema that worked with AD, and added the posix schema on
            the AD side, those attributes would not be synced to
            Fedora DS.

        Thanks for your answer.

        I start to wonder if Windows sync is worth the trouble. At my
        site we will probably not implement password sync as the
        AD-side is very restrictive about installing anything.

    I hear this all the time - AD admins are very touchy about
    installing anything, especially some piece of random open source
    software that's going to intercept clear text passwords and send
    them who-knows-where.

        So what I get is basically a
        skeleton that I have to populate with the posixUser attributes.

        Another issue is groups in AD. I suppose those groups will become
        regular unix-groups on the directory server side,

    Yes.  But note - not posix groups (posixGroup) but plain groups
    (groupOfUniqueNames)

        which might not be enough for all policing needs (may need
        netgroups in addition).

    Sure.

        We will probably have maximum a few hundred users in the
        directory, do you think Windows-sync is worth the bother?

    I suggest you take a look at Penrose
    http://docs.safehaus.org/display/PENROSE/Home

        Erling

        --
        Fedora-directory-users mailing list
        Fedora-directory-users@xxxxxxxxxx
        https://www.redhat.com/mailman/listinfo/fedora-directory-users

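The thread notes that entries created by Windows Sync arrive as a skeleton without posix attributes. The following is an added example, not code from the thread or from the Fedora DS project: it builds LDIF modify records that add the RFC 2307 posixAccount attributes to such entries, skipping entries that already have them or whose uid is not a plain login name. The function names, ID range, home directory layout, login shell and sample entries are assumptions.

```python
import base64
import re

# Added example: ID range, home layout, shell and sample data are assumptions.
# The uid is interpolated into homeDirectory, so only plain login names pass.
SAFE_UID = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def ldif_line(attr, value):
    """One LDIF line, base64-encoded when RFC 2849 requires it."""
    plain = (value.isascii() and not re.search(r"[\x00\r\n]", value)
             and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def posix_ldif(entries, first_uid=10000, gid=10000, used_uids=()):
    """Return (ldif_text, skipped) for entries that still lack posixAccount."""
    taken, next_uid = set(used_uids), first_uid
    records, skipped = [], []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        uid = e.get("uid", "")
        if "posixaccount" in classes:
            skipped.append((e["dn"], "already posixAccount"))
            continue
        if not SAFE_UID.fullmatch(uid):
            skipped.append((e["dn"], "uid not a safe login name"))
            continue
        while next_uid in taken:          # never reuse an allocated uidNumber
            next_uid += 1
        taken.add(next_uid)
        mods = [("objectClass", "posixAccount"), ("uidNumber", str(next_uid)),
                ("gidNumber", str(gid)), ("homeDirectory", f"/home/{uid}"),
                ("loginShell", "/bin/bash")]
        lines = [ldif_line("dn", e["dn"]), "changetype: modify"]
        for attr, val in mods:
            lines += [f"add: {attr}", ldif_line(attr, val), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else ""), skipped

# Constructed sample entries, shaped like synced users without posix attributes.
SYNCED = [{"dn": f"uid={u},ou=People,dc=example,dc=com", "uid": u,
           "objectClass": ["inetOrgPerson", "ntUser"] + extra}
          for u, extra in [("jdoe", []), ("../etc", []),
                           ("asmith", ["posixAccount"]), ("mlee", [])]]

if __name__ == "__main__":
    print(posix_ldif(SYNCED, used_uids={10000})[0])
```

Review the generated LDIF and the skipped list before applying it to the directory, for example with `ldapmodify -f`.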