[Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Rich Megginson
rmeggins at redhat.com
Fri Nov 7 15:30:02 UTC 2008
Kenneth Holter wrote:
>
> I'm not very into fedora/redhat directory server (DS), but thought I'd
> just drop a quick question: It doesn't seem like Windows Sync is
> intended for syncing AD users to DS so that users defined on AD can
> be allowed to log into Linux machines.
I'm not sure what you mean by that. Do you mean because the posix
attributes are not synced, you cannot create a user in AD that is synced
to Fedora DS and Linux machine login "just works" with no additional work?
> It is possible to get this working, however, through a series of
> manual steps. So what is the intended purpose for Windows Sync, if I
> might ask, as it seems a lot simpler just to manage everything
> directly from DS without syncing with AD?
I think most people use it to sync passwords, so that you can have the
same password on AD as Unix/Linux, and when you change the password on
one side, that change is synced to the other side.
>
>
> Regards,
> Kenneth Holter
>
>
> On 11/6/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
> Erling Ringen Elvsrud wrote:
>
> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
> <rmeggins at redhat.com> wrote:
> [...]
>
>
> That should work. But note that posix attributes will not sync to AD. And
> even if you did manage to find a posix schema that worked with AD, and added
> the posix schema on the AD side, those attributes would not be synced to
> Fedora DS.
>
>
>
> Thanks for your answer.
>
> I start to wonder if Windows sync is worth the trouble. At my site we
> will probably not implement password sync as the AD-side is very
> restrictive about installing anything.
>
> I hear this all the time - AD admins are very touchy about
> installing anything, especially some piece of random open source
> software that's going to intercept clear text passwords and send
> them who-knows-where
>
> So what I get is basically a
> skeleton that I have to populate with the posixUser attributes.
>
> Another issue is groups in AD. I suppose those groups will become
> regular unix-groups on the directory server side,
>
> Yes. But note - not posix groups (posixGroup) but plain groups
> (groupOfUniqueNames)
>
> which might not
> be enough for all policing needs (may need netgroups in addition).
>
>
> Sure.
>
> We will probably have maximum a few hundred users in the directory, do
> you think Windows-sync is worth the bother?
>
>
> I suggest you take a look at Penrose
> http://docs.safehaus.org/display/PENROSE/Home
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> <mailto:Fedora-directory-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
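
Added example (not part of the original thread, and not Fedora DS code): one way to populate the "skeleton" entries discussed above is to generate an LDIF modify file that adds the posixAccount attributes to synced entries that still lack them. The sample entries, the dc=example,dc=com suffix, the starting uidNumber/gidNumber of 10000, the /home/<uid> layout and /bin/bash are assumptions.

```python
import base64
import re

# Conservative login names: keeps "/", "..", spaces out of homeDirectory.
SAFE_UID = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def ldif_line(attr, value):
    """One LDIF line; base64-encode values that are not SAFE-STRINGs (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def posix_mods(entries, first_uid=10000, gid=10000, shell="/bin/bash"):
    """Return (ldif_text, skipped_dns) for entries that still lack posixAccount."""
    used = {int(e["uidNumber"]) for e in entries if "uidNumber" in e}
    next_uid, records, skipped = first_uid, [], []
    for e in entries:
        if "posixaccount" in {c.lower() for c in e["objectClass"]}:
            continue  # already populated, leave untouched
        if not SAFE_UID.fullmatch(e["uid"]):
            skipped.append(e["dn"])  # needs manual review
            continue
        while next_uid in used:  # never reuse an assigned uidNumber
            next_uid += 1
        used.add(next_uid)
        mods = [("objectClass", "posixAccount"), ("uidNumber", str(next_uid)),
                ("gidNumber", str(gid)), ("homeDirectory", f"/home/{e['uid']}"),
                ("loginShell", shell)]
        lines = [ldif_line("dn", e["dn"]), "changetype: modify"]
        for attr, value in mods:
            lines += [f"add: {attr}", ldif_line(attr, value), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n", skipped

# Constructed sample entries, shaped like users created by Windows Sync.
SYNC = ["top", "person", "organizationalPerson", "inetOrgPerson", "ntUser"]
BASE = "ou=People,dc=example,dc=com"
ENTRIES = [
    {"dn": f"uid=alice,{BASE}", "uid": "alice", "objectClass": SYNC},
    {"dn": f"uid=bob,{BASE}", "uid": "bob", "uidNumber": "10000",
     "objectClass": SYNC + ["posixAccount"]},
    {"dn": f"cn=Bjørn Åsen,{BASE}", "uid": "basen", "objectClass": SYNC},
    {"dn": f"uid=../etc,{BASE}", "uid": "../etc", "objectClass": SYNC},
]

if __name__ == "__main__":
    print(*posix_mods(ENTRIES), sep="skipped: ")
```

The generated LDIF is meant to be reviewed and then applied with ldapmodify -f; entries returned in the skipped list have a uid that should not be turned into a home directory path without a manual check.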