Has anyone on the list set up such a scheme for adding posix attributes to users synced from AD, and would like to comment on this approach?

I'm thinking that maybe running a cron job (for example a couple of times an hour) that searches for newly added users, then using "ldapmodify" to add the required posix attributes, may be the way to go.

That might work. There is some documentation about how to poll Active Directory for changes to entries:

I have a python-ldap script that implements support for the DirSync control -

Regards,
Kenneth
On 11/10/08, *Rich Megginson* <rmeggins(a)redhat.com> wrote:
Kenneth Holter wrote:
Thank you for your reply.
Yes you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.
Is it so that one usually has an AD/DS setup like this:
* users/passwords are synced from AD to DS
* the new users are exported to ldif file, added things such as posix attributes, and reimported into DS
* users can now log into linux servers (via SSH) that are properly configured as LDAP clients
? Just trying to get an understanding of how one usually sets up AD and DS to work together.
I think that's how it usually goes. Perhaps some other folks that are doing this will chime in.
freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login. See freeipa.org <http://freeipa.org/>
On 11/7/08, *Rich Megginson* <rmeggins(a)redhat.com> wrote:
Kenneth Holter wrote:
I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines.
I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?
It is possible to get this working, however, through a series of manual steps. So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?
I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.
Regards,
Kenneth Holter
On 11/6/08, *Rich Megginson* <rmeggins(a)redhat.com> wrote:
Erling Ringen Elvsrud wrote:
On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson <rmeggins(a)redhat.com> wrote:
[...]
That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.
Thanks for your answer.
I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything.
I hear this all the time - AD admins are very touchy about installing anything, especially some piece of random open source software that's going to intercept clear text passwords and send them who-knows-where
So what I get is basically a skeleton that I have to populate with the posixUser attributes.
Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side,
Yes. But note - not posix groups (posixGroup) but plain groups (groupOfUniqueNames)
which might not be enough for all policing needs (may need netgroups in addition).
Sure.
We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?
I suggest you take a look at Penrose
http://docs.safehaus.org/display/PENROSE/Home
Erling
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
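The cron-plus-ldapmodify approach discussed in the thread, worked through as an added example; this is not code from the thread or from Fedora Directory Server. It takes the entries a search of the DS suffix would return (a constructed sample is embedded so it runs offline; the assumption that Windows Sync tags synced users with the ntUser objectclass is mine, as are all DNs, the uidNumber floor and the gid) and emits the LDIF change records that `ldapmodify` would consume. Two points that a periodic job has to get right are built in: the job is idempotent (entries that already carry posixAccount are skipped, so running it twice an hour never double-adds), and uidNumbers are allocated above the highest one already present, since two accounts sharing a uidNumber would own each other's files on the Linux hosts.

```python
import base64
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, {attribute: [values]})

# Constructed sample of a DS search result for synced users.  Assumption:
# users created by Windows Sync carry the ntUser objectclass.  The third entry
# already has posix attributes and must be left alone.
SAMPLE_ENTRIES: List[Entry] = [
    ("uid=kholter,ou=People,dc=example,dc=com",
     {"objectClass": ["top", "person", "inetOrgPerson", "ntUser"],
      "uid": ["kholter"]}),
    ("uid=erling,ou=People,dc=example,dc=com",
     {"objectClass": ["top", "person", "inetOrgPerson", "ntUser"],
      "uid": ["erling"]}),
    ("uid=already,ou=People,dc=example,dc=com",
     {"objectClass": ["top", "person", "inetOrgPerson", "ntUser", "posixAccount"],
      "uid": ["already"], "uidNumber": ["10001"], "gidNumber": ["10000"],
      "homeDirectory": ["/home/already"], "loginShell": ["/bin/bash"]}),
]

# Filter the cron job would use with ldapsearch (assumed ntUser objectclass):
# only synced users that have not been given posixAccount yet.
SEARCH_FILTER = "(&(objectClass=ntUser)(!(objectClass=posixAccount)))"

# RFC 2849 SAFE-STRING: no leading space, colon or '<', no NUL/CR/LF, ASCII only.
_SAFE_VALUE = re.compile(
    r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    r"[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding values that are not safe."""
    if _SAFE_VALUE.match(value) and not value.endswith(" "):
        return f"{name}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {b64}"


def needs_posix(entry: Entry) -> bool:
    """Idempotency check: only entries without posixAccount get modified."""
    ocs = {oc.lower() for oc in entry[1].get("objectClass", [])}
    return "posixaccount" not in ocs


def next_uid_number(entries: List[Entry], floor: int = 10000) -> int:
    """First free uidNumber above every one already in the directory.
    Reusing a uidNumber would give two accounts each other's files."""
    used = [int(v) for _, attrs in entries
            for v in attrs.get("uidNumber", []) if v.isdigit()]
    return max([floor] + [u + 1 for u in used])


def posix_modify_ldif(entries: List[Entry], gid_number: int = 10000,
                      home_base: str = "/home", shell: str = "/bin/bash",
                      floor: int = 10000) -> str:
    """Build ldapmodify input: one 'changetype: modify' record per entry lacking
    posix attributes.  Returns an empty string when there is nothing to do."""
    uid_number = next_uid_number(entries, floor)
    records = []
    for dn, attrs in entries:
        if not needs_posix((dn, attrs)):
            continue
        uid = attrs["uid"][0]
        # Refuse odd account names rather than splice them into homeDirectory.
        if not re.fullmatch(r"[a-z_][a-z0-9_-]*", uid):
            continue
        mods = [("objectClass", "posixAccount"),
                ("uidNumber", str(uid_number)),
                ("gidNumber", str(gid_number)),
                ("homeDirectory", f"{home_base}/{uid}"),
                ("loginShell", shell)]
        lines = [ldif_attr("dn", dn), "changetype: modify"]
        for name, value in mods:
            lines += [f"add: {name}", ldif_attr(name, value), "-"]
        records.append("\n".join(lines))
        uid_number += 1
    return "\n\n".join(records) + "\n" if records else ""


if __name__ == "__main__":
    # Pipe this into: ldapmodify -x -D "cn=Directory Manager" -W -f new-posix.ldif
    print(posix_modify_ldif(SAMPLE_ENTRIES), end="")
```

In a real cron run the entry list comes from `ldapsearch` (or python-ldap) using `SEARCH_FILTER` over the synced subtree, but `next_uid_number` must look at every posixAccount in the directory, not just the new ones, so do that lookup with an unfiltered `uidNumber` search before generating the records. The `-` after every modification and the base64 rule for unsafe values are what keep the output acceptable to `ldapmodify` when an AD-sourced attribute contains a leading space or non-ASCII text.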