Has anyone on the list set up such a scheme for adding posix attributes to users synced from AD, and would like to comment on this approach?
 
I'm thinking that maybe running a cron job (for example a couple of times an hour) that searches for newly added users, then using "ldapmodify" to add the required posix attributes, may be the way to go.
 
 
Regards,
Kenneth
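An added example of the cron-driven approach described above; it is not from Kenneth's post or the thread. The base DN, the `ntUser` objectclass in the search filter, the counter file, the bind account and the default gid are all assumptions that a site would replace with its own values.

```shell
#!/bin/sh
# Added example, not from the thread: find users that Windows Sync created in
# Fedora DS but that lack posix attributes, and add them via ldapmodify from cron.
# Assumed, not from the thread: base DN, winsync objectclass, counter file,
# bind DN/password file and default gid are site-specific choices.
BASE_DN="ou=People,dc=example,dc=com"
COUNTER_FILE="/var/lib/adsync/next_uid"   # holds the next free uidNumber
DEFAULT_GID=10000
BIND_DN="cn=adsync,$BASE_DN"              # dedicated account, ACI-limited to these attrs
PW_FILE="/etc/adsync.pw"
# Users synced from AD (assumption: winsync adds objectClass ntUser) that are
# not yet posixAccount entries; prints one uid per line.
find_unposixed_users() {
    ldapsearch -x -LLL -b "$BASE_DN" \
        '(&(objectClass=ntUser)(!(objectClass=posixAccount)))' uid |
        sed -n 's/^uid: //p'
}

# Emit one LDIF modify record for $1=uid, $2=uidNumber, $3=gidNumber.
# uids with characters outside a safe set are rejected so that an odd
# sAMAccountName cannot smuggle extra LDIF lines into the modify stream.
posix_modify_ldif() {
    uid=$1 uidnum=$2 gid=$3
    case $uid in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$uid" "$BASE_DN"
    printf 'add: objectClass\nobjectClass: posixAccount\n-\n'
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uidnum"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'add: homeDirectory\nhomeDirectory: /home/%s\n-\n' "$uid"
    printf 'add: loginShell\nloginShell: /bin/bash\n\n'
}

# Allocate sequential uidNumbers, apply all changes in one ldapmodify run and
# advance the counter only if the modify succeeded (keeps uidNumbers unique
# across runs; run under a lock if two instances could overlap).
sync_new_users() {
    tmp=$(mktemp) || return 1
    next=$(cat "$COUNTER_FILE")
    for u in $(find_unposixed_users); do
        posix_modify_ldif "$u" "$next" "$DEFAULT_GID" >>"$tmp" || continue
        next=$((next + 1))
    done
    ldapmodify -x -D "$BIND_DN" -y "$PW_FILE" -f "$tmp" && echo "$next" >"$COUNTER_FILE"
    rm -f "$tmp"
}
case ${1:-} in run) sync_new_users ;; esac   # invoke as: sh adsync-posix.sh run
```

The bind account should be a dedicated DS identity whose ACI only permits writing the posix attributes on entries under the base DN, so a compromised cron host cannot rewrite anything else.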

 
On 11/10/08, Rich Megginson <rmeggins@redhat.com> wrote:
Kenneth Holter wrote:
Thank you for your reply.
Yes, you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH, to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.
Is it so that one usually has an AD/DS setup like this:

   * users/passwords are synced from AD to DS
   * the new users are exported to ldif file, added things such as
     posix attributes, and reimported into DS
   * users can now log into linux servers (via SSH) that are properly
     configured as LDAP clients

? Just trying to get an understanding of how one usually sets up AD and DS to work together.
I think that's how it usually goes.  Perhaps some other folks that are doing this will chime in.

freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login.  See freeipa.org
 
 On 11/7/08, *Rich Megginson* <rmeggins@redhat.com> wrote:

   Kenneth Holter wrote:

        I'm not very into Fedora/Red Hat Directory Server (DS), but
        thought I'd just drop a quick question: It doesn't seem like
        Windows Sync is intended for syncing AD users to DS so that
        users defined on AD can be allowed to log into Linux machines.

   I'm not sure what you mean by that.  Do you mean because the posix
   attributes are not synced, you cannot create a user in AD that is
   synced to Fedora DS and Linux machine login "just works" with no
   additional work?

       It is possible to get this working, however, through a series
       of manual steps. So what is the intended purpose for Windows
       Sync, if I might ask, as it seems a lot simpler just to manage
       everything directly from DS without syncing with AD?

   I think most people use it to sync passwords, so that you can have
   the same password on AD as Unix/Linux, and when you change the
   password on one side, that change is synced to the other side.

        Regards,
        Kenneth Holter

        On 11/6/08, *Rich Megginson* <rmeggins@redhat.com> wrote:

          Erling Ringen Elvsrud wrote:

              On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
              <rmeggins@redhat.com> wrote:
              [...]
                  That should work.  But note that posix attributes will not
                  sync to AD.  And even if you did manage to find a posix
                  schema that worked with AD, and added the posix schema on
                  the AD side, those attributes would not be synced to
                  Fedora DS.

              Thanks for your answer.

              I start to wonder if Windows sync is worth the trouble.  At my
              site we will probably not implement password sync as the
              AD-side is very restrictive about installing anything.

          I hear this all the time - AD admins are very touchy about
          installing anything, especially some piece of random open source
          software that's going to intercept clear text passwords and send
          them who-knows-where.

              So what I get is basically a skeleton that I have to populate
              with the posixUser attributes.

              Another issue is groups in AD. I suppose those groups will
              become regular unix-groups on the directory server side,

          Yes.  But note - not posix groups (posixGroup) but plain groups
          (groupOfUniqueNames)

              which might not be enough for all policing needs (may need
              netgroups in addition).

          Sure.

              We will probably have maximum a few hundred users in the
              directory, do you think Windows-sync is worth the bother?

          I suggest you take a look at Penrose
          http://docs.safehaus.org/display/PENROSE/Home

              Erling

              --
              Fedora-directory-users mailing list
              Fedora-directory-users@redhat.com
              https://www.redhat.com/mailman/listinfo/fedora-directory-users
             


       


