Thank you for your reply.
Yes you understood me correctly - I meant it doesn't seem like Windows Sync
is intended for Linux machine login (via SSH to be precise) to "just work"
with no additional work. I'm sorry that I wasn't too clear on this.
Is it so that one usually has an AD/DS setup like this:
- users/passwords are synced from AD to DS
- the new users are exported to ldif file, added things such as posix
attributes, and reimported into DS
- users can now log into linux servers (via SSH) that are properly
configured as LDAP clients
? Just trying to get an understanding of how one usually sets up AD and DS to
work together.
On 11/7/08, Rich Megginson <rmeggins(a)redhat.com> wrote:
Kenneth Holter wrote:
> I'm not very into fedora/redhat directory server (DS), but thought I'd
> just drop a quick question: It doesn't seem like Windows Sync is intended
> for syncing AD users to DS so that users defined on AD can be allowed to
> log into Linux machines.
>
I'm not sure what you mean by that. Do you mean because the posix
attributes are not synced, you cannot create a user in AD that is synced to
Fedora DS and Linux machine login "just works" with no additional work?
> It is possible to get this working, however, through a series of manual
> steps. So what is the intended purpose for Windows Sync, if I might ask, as
> it seems a lot simpler just to manage everything directly from DS without
> syncing with AD?
>
I think most people use it to sync passwords, so that you can have the same
password on AD as Unix/Linux, and when you change the password on one side,
that change is synced to the other side.
> Regards,
> Kenneth Holter
>
> On 11/6/08, *Rich Megginson* <rmeggins(a)redhat.com <mailto:
> rmeggins(a)redhat.com>> wrote:
>
> Erling Ringen Elvsrud wrote:
>
> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
> <rmeggins(a)redhat.com <mailto:rmeggins@redhat.com>> wrote:
> [...]
>
> That should work. But note that posix attributes will not
> sync to AD. And
> even if you did manage to find a posix schema that worked
> with AD, and added
> the posix schema on the AD side, those attributes would
> not be synced to
> Fedora DS.
>
>
> Thanks for your answer.
>
> I start to wonder if Windows sync is worth the trouble. At my
> site we
> will probably not implement password sync as the AD-side is very
> restrictive about installing anything.
>
> I hear this all the time - AD admins are very touchy about
> installing anything, especially some piece of random open source
> software that's going to intercept clear text passwords and send
> them who-knows-where
>
> So what I get is basically a
> skeleton that I have to populate with the posixUser attributes.
>
> Another issue is groups in AD. I suppose those groups will become
> regular unix-groups on the directory server side,
>
> Yes. But note - not posix groups (posixGroup) but plain groups
> (groupOfUniqueNames)
>
> which might not
> be enough for all policing needs (may need netgroups in addition).
>
> Sure.
>
> We will probably have maximum a few hundred users in the
> directory, do
> you think Windows-sync is worth the bother?
>
> I suggest you take a look at Penrose
>
> http://docs.safehaus.org/display/PENROSE/Home
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> <mailto:Fedora-directory-users@redhat.com>
>
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
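The "export to LDIF, add posix attributes, reimport" step that Kenneth sketches above is the part that most often goes wrong by hand (duplicate uidNumbers, entries modified twice). The script below is an added example written for this thread; it is not code from any of the posters and not part of Fedora/Red Hat Directory Server. It reads an LDIF export of users that Windows Sync created in DS (the sample entries, DNs and numbers are constructed), skips any entry that already has posixAccount, allocates uidNumbers above the highest one already present, and emits a changetype: modify LDIF that ldapmodify can apply. The gidNumber, uid range, home directory layout and shell are assumptions; adjust them to your site.

```python
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample export: one entry fresh from Windows Sync, one that was
# already given posix attributes earlier.  The folded cn line and the base64
# description exercise the two LDIF features the parser has to handle.
SYNCED_LDIF = """\
version: 1
dn: uid=kholter,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ntUser
uid: kholter
cn: Kenneth
  Holter
sn: Holter
ntUserDomainId: kholter
description:: VGVzdCB1c2Vy

dn: uid=eelvsrud,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ntUser
objectClass: posixAccount
uid: eelvsrud
cn: Erling Ringen Elvsrud
sn: Elvsrud
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/eelvsrud
loginShell: /bin/bash
"""

# Logins that are safe to use as a path component under /home.
SAFE_LOGIN = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def _to_entry(lines: List[str]) -> Entry:
    """Turn the logical lines of one LDIF record into {attr: [values]}."""
    entry: Entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        entry.setdefault(attr.lower(), []).append(value)  # attr names are case-insensitive
    return entry


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF content parser: unfolds continuation lines, decodes base64
    values and splits records on blank lines.  Comments and 'version:' are skipped."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation line: drop the leading space, append
        else:
            logical.append(raw)
    entries, current = [], []
    for line in logical + [""]:  # trailing "" flushes the last record
        if line == "":
            if current:
                entries.append(_to_entry(current))
                current = []
        elif not (line.startswith("#") or line.startswith("version:")):
            current.append(line)
    return entries


def posix_modify_ldif(entries: List[Entry], gid_number: int = 10000,
                      uid_start: int = 10000, shell: str = "/bin/bash"
                      ) -> Tuple[str, Dict[str, list]]:
    """Build a changetype: modify LDIF adding posixAccount to entries that lack it.
    Returns (ldif_text, report) where report lists what was modified and skipped."""
    taken = {int(v) for e in entries for v in e.get("uidnumber", [])}
    next_uid = max([uid_start] + [n + 1 for n in taken])  # never reuse a live uidNumber
    changes: List[str] = []
    report: Dict[str, list] = {"modified": [], "skipped": []}
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        uid = e.get("uid", [])
        # Skip entries already converted, or whose uid is missing, multi-valued or unsafe.
        if "posixaccount" in classes or "uidnumber" in e or len(uid) != 1 \
                or not SAFE_LOGIN.fullmatch(uid[0]):
            report["skipped"].append(dn)
            continue
        while next_uid in taken:
            next_uid += 1
        taken.add(next_uid)
        changes.append("\n".join([
            f"dn: {dn}", "changetype: modify",
            "add: objectClass", "objectClass: posixAccount", "-",
            "add: uidNumber", f"uidNumber: {next_uid}", "-",
            "add: gidNumber", f"gidNumber: {gid_number}", "-",
            "add: homeDirectory", f"homeDirectory: /home/{uid[0]}", "-",
            "add: loginShell", f"loginShell: {shell}", "-", ""]))
        report["modified"].append((dn, next_uid))
    return "\n".join(changes), report


if __name__ == "__main__":
    ldif_out, summary = posix_modify_ldif(parse_ldif(SYNCED_LDIF))
    print(ldif_out)
    print("# modified:", summary["modified"], "skipped:", summary["skipped"])
```

The output is meant to be fed to ldapmodify against the DS instance rather than reloading the whole export, so the Windows Sync agreement keeps ownership of the attributes it synced and only the posix attributes are added. Because uidNumber allocation starts above the highest value already in the export, the script can be rerun after the next sync brings in new AD users without touching accounts that are already usable from the LDAP-client Linux hosts.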