Karl Wirth wrote:
> Hello,
>
> Many organizations have given feedback that they want to make sure that freeIPA can synch with AD. We want to provide more than what is available in the winsynch that is in Fedora Directory Server. Here are my thoughts on what the features should be in this area. I would love your feedback. Does this sound right? What is missing? Longer term, we hope to enable Kerberos trust between AD and IPA, but even then some folks will want synch as well.
>
> Thoughts?
>
> AD and freeIPA synch requirements --- proposal for your review and feedback
>
> 1. Keep password in AD same as PW in IPA
> - If changed in AD, bring change over to IPA
> - If changed in IPA, bring change over to AD

One problem with this is password policy - min length, complexity, history, etc. How to sync password policy between IPA and AD?

Support for uni-directional sync - many Fedora DS users have asked for the ability to sync changes only from Fedora DS to AD, or vice versa, but not both ways. Or perhaps uni-directional for passwords (due to password policy) and bi-di for other data.

> 2. Synch userid and attributes
> - Configurable which attributes
> - If full POSIX available then make this available
> - Configurable translation between attributes (i.e. transform data such as middle name length or whatever)
> - Configurable mapping between attribute names
> - Generate attributes if not present in AD with flexible rules for doing this, and vice versa
>
> 3. Which subsets of users to keep in synch
> - Make it possible to define which AD/IPA users should be kept in synch
>
> 4. Topology
> - Password synch is only supported with 1 AD domain. Not multiple.
> - Identity/attribute synch is supported across multiple domains.
>   --- If the same user is in multiple domains, there is a problem ---- Not supported
>   --- If the same userid in different domains but different user, resolve
> - Need to support PW change on any IPA server
> - Need to support PW change on an AD server
>
> 5. Failover
> - Support for failover AD DC
> - Support for failover IPA
>
> 6. Install and Packaging
> - Separate install of synch tool
> - Preconfigured synch tool with easy to point to IPA and AD
> - Predefined
> - Requires PassSync on domain controllers
>   - Proposal 1: Requires password to only change on AD. Probably not ok.
>   - Proposal 2: Make changes to IPA to hand PW to AD
>
> 7. Groups. Allow four options that an administrator can choose between:
> - One option: Synchronize all users from AD into one IPA group
> - Second option: Synchronize all users according to filter defined in #3 above and bring along all of their groups and keep their memberships in them.
> - Third option: No group synch at all
> - Fourth option: No support for nested groups

Support for AD memberOf (if not already fully supported by ipa-memberof).

> Best regards,
> Karl

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel redhat com
https://www.redhat.com/mailman/listinfo/freeipa-devel
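The attribute mapping, translation, generation, user-subset filter and group options from items 2, 3 and 7 of the proposal, worked through as a small rule engine. This is an added example, not freeIPA or winsync code; the AD entries are constructed sample data, and the ID-mapping base (`ID_BASE`), the RID-to-uidNumber rule, the `memberof_group` output key and the three `group_mode` values are assumptions of this example. Nested groups are deliberately not expanded, matching the fourth group option.

```python
"""Toy AD -> IPA user/group sync rule engine (added example, not project code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample AD entries; no directory is contacted.
AD_USERS = [
    {"dn": "CN=Alice Doe,OU=Engineering,DC=example,DC=com",
     "sAMAccountName": "ADOE", "givenName": "Alice", "sn": "Doe",
     "mail": "alice@example.com",
     "objectSid": "S-1-5-21-1111-2222-3333-1105",
     "memberOf": ["CN=eng,OU=Groups,DC=example,DC=com",
                  "CN=vpn-users,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Bob Roe,OU=Sales,DC=example,DC=com",
     "sAMAccountName": "BROE", "givenName": "Bob", "sn": "Roe",
     "objectSid": "S-1-5-21-1111-2222-3333-1106", "memberOf": []},
    {"dn": "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
     "sAMAccountName": "svc-backup", "sn": "backup",
     "objectSid": "S-1-5-21-1111-2222-3333-1107", "memberOf": []},
]

ID_BASE = 200000  # assumed offset so generated uidNumbers stay clear of local IDs


@dataclass
class SyncRules:
    # AD attribute name -> IPA attribute name (item 2: name mapping)
    attr_map: Dict[str, str]
    # IPA attribute -> transform applied to the mapped value (item 2: translation)
    transforms: Dict[str, Callable[[str], str]] = field(default_factory=dict)
    # IPA attribute -> generator(ad_entry) used when AD has no value (item 2: generate)
    generators: Dict[str, Callable[[dict], Optional[str]]] = field(default_factory=dict)
    # item 3: predicate choosing which AD users are kept in sync
    user_filter: Callable[[dict], bool] = lambda e: True
    # item 7: "one_group" | "follow_memberships" | "none" (assumed names)
    group_mode: str = "follow_memberships"
    one_group_name: str = "ad_users"


def rid_to_uidnumber(entry: dict) -> Optional[str]:
    """Derive a stable uidNumber from the RID at the end of a domain objectSid."""
    sid = entry.get("objectSid")
    if not sid or not sid.startswith("S-1-5-21-"):
        return None  # not a domain SID (e.g. builtin); let the admin assign one
    return str(ID_BASE + int(sid.rsplit("-", 1)[1]))


def group_cn(dn: str) -> str:
    """Take the CN of a group DN, used as the IPA group name for memberOf."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def convert_user(entry: dict, rules: SyncRules) -> dict:
    ipa = {}
    for ad_attr, ipa_attr in rules.attr_map.items():
        if ad_attr in entry:
            value = entry[ad_attr]
            if ipa_attr in rules.transforms:
                value = rules.transforms[ipa_attr](value)
            ipa[ipa_attr] = value
    for ipa_attr, gen in rules.generators.items():
        if ipa_attr not in ipa:
            generated = gen(entry)
            if generated is not None:
                ipa[ipa_attr] = generated
    # Only direct memberOf values are used; nested groups are not expanded
    # (the proposal's fourth option: no support for nested groups).
    if rules.group_mode == "one_group":
        ipa["memberof_group"] = [rules.one_group_name]
    elif rules.group_mode == "follow_memberships":
        ipa["memberof_group"] = sorted(group_cn(dn) for dn in entry.get("memberOf", []))
    else:
        ipa["memberof_group"] = []
    return ipa


def sync_users(entries: List[dict], rules: SyncRules) -> List[dict]:
    return [convert_user(e, rules) for e in entries if rules.user_filter(e)]


RULES = SyncRules(
    attr_map={"sAMAccountName": "uid", "givenName": "givenName",
              "sn": "sn", "mail": "mail"},
    transforms={"uid": str.lower},  # AD logins are case-insensitive, POSIX uids are not
    generators={
        "uidNumber": rid_to_uidnumber,
        "cn": lambda e: " ".join(x for x in (e.get("givenName"), e.get("sn")) if x) or None,
        "mail": lambda e: f"{e['sAMAccountName'].lower()}@example.com",
    },
    user_filter=lambda e: "OU=Service Accounts" not in e["dn"],  # item 3 subset
)

if __name__ == "__main__":
    for u in sync_users(AD_USERS, RULES):
        print(u)
```

The filter runs before conversion, so service accounts never acquire a uidNumber on the IPA side; the uid transform is applied before any generator runs, which is why generated values that depend on the login name (here `mail`) see the already-lowercased form only if they read it from the AD entry themselves, as the example does.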
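On the password-policy problem raised in the reply: with bi-directional password sync, a password accepted by one directory can be rejected by the other's policy, leaving the two sides out of step. The check below evaluates a candidate password against every policy it will be synched to and accepts it only if all of them pass. This is an added example, not freeIPA or PassSync code; the two policies and the history digests are constructed illustrations, and their values are assumptions.

```python
"""Check a candidate password against both sides' policies before accepting
a change (added example, not project code)."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int  # distinct classes required out of: upper, lower, digit, other
    history: int      # number of previous passwords that may not be reused


def char_classes(pw: str) -> int:
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def _h(pw: str) -> str:
    # Illustrative history digest only; real directories keep salted hashes.
    return hashlib.sha256(pw.encode()).hexdigest()


def violations(pw: str, policy: PasswordPolicy, history: List[str]) -> List[str]:
    """Return the reasons `pw` fails `policy`; an empty list means it passes."""
    out = []
    if len(pw) < policy.min_length:
        out.append(f"{policy.name}: shorter than {policy.min_length}")
    if char_classes(pw) < policy.min_classes:
        out.append(f"{policy.name}: fewer than {policy.min_classes} character classes")
    if _h(pw) in history[:policy.history]:
        out.append(f"{policy.name}: reused within last {policy.history}")
    return out


def check_for_sync(pw: str, policies: List[PasswordPolicy], history: List[str]) -> List[str]:
    """Union of violations across every directory the password will be synched to."""
    reasons: List[str] = []
    for p in policies:
        reasons.extend(violations(pw, p, history))
    return reasons


# Constructed policies: AD-like complexity rules versus an IPA-like length rule.
AD_POLICY = PasswordPolicy("AD", min_length=7, min_classes=3, history=24)
IPA_POLICY = PasswordPolicy("IPA", min_length=8, min_classes=0, history=5)

# Constructed history, newest first: digests of the user's previous passwords.
HISTORY = [_h("Winter2023!"), _h("Autumn2023!")]

if __name__ == "__main__":
    for candidate in ("Spring2024!", "spring24", "Sun1!", "Winter2023!"):
        print(candidate, check_for_sync(candidate, [AD_POLICY, IPA_POLICY], HISTORY) or "ok")
```

Rejecting at change time on the side where the user types the new password is the only point at which the user can be told why; a rejection that surfaces later, when the sync tool replays the change to the other directory, cannot be reported back and silently leaves the passwords different.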