[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Freeipa-devel] Re: Freeipa-devel Digest, Vol 13, Issue 11



Hello everyone,

Recently I sent an e-mail because I couldn't get access to freeipa on any machine other than the one with freeipa installed.  I reinstalled the MIT Kerberos client, and am now able to authenticate on a Windows machine.  However, I still cannot get the web page to display on either a Windows or a Linux platform (other than the virtual machine freeIPA is installed on).  I have reinstalled several times, and don't know what I could be missing.  All of my machines are on one subnet, and I temporarily disabled firewalls to see if that could be the issue.

Thanks for any tips!

-Mark

On Sat, Jun 7, 2008 at 9:00 AM, <freeipa-devel-request redhat com> wrote:
Send Freeipa-devel mailing list submissions to
       freeipa-devel redhat com

To subscribe or unsubscribe via the World Wide Web, visit
       https://www.redhat.com/mailman/listinfo/freeipa-devel
or, via email, send a message with subject or body 'help' to
       freeipa-devel-request redhat com

You can reach the person managing the list at
       freeipa-devel-owner redhat com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeipa-devel digest..."


Today's Topics:

  1. Re: [PATCH] be clearer about what is being configured
     (Rob Crittenden)
  2. AD and freeIPA synch (Karl Wirth)
  3. Re: AD and freeIPA synch (Rich Megginson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 06 Jun 2008 15:27:21 -0400
From: Rob Crittenden <rcritten redhat com>
Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being
       configured
To: freeipa-devel <freeipa-devel redhat com>
Message-ID: <48498F99 5090903 redhat com>
Content-Type: text/plain; charset="iso-8859-1"

Skipped content of type multipart/mixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
Url : https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin

------------------------------

Message: 2
Date: Fri, 06 Jun 2008 15:32:29 -0400
From: Karl Wirth <kwirth redhat com>
Subject: [Freeipa-devel] AD and freeIPA synch
To: freeipa-devel redhat com, freeipa-interest redhat com
Message-ID: <484990CD 30206 redhat com>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

Many organizations have given feedback that they want to make sure that
freeIPA can synch with AD.  We want to provide more than what is
available in the winsynch that is in fedora directory server.  Here are
my thoughts on what the features should be in this area.  I would love
your feedback.  Does this sound right?  What is missing?  Longer term, we
hope to enable kerberos trust between AD and IPA but even then some
folks will want synch as well.  Thoughts?

AD and freeIPA synch requirements ---proposal for your review and feedback

1. Keep password in AD same as PW in IPA
- If changed in AD, bring change over to IPA
- If changed in IPA, bring change over to AD

2. Synch userid and attributes
- Configurable which attributes
- If full posix available then make this available
- Configurable translation between attributes (i.e. transform data such
as middle name length or whatever)
- Configurable mapping between attribute names
- Generate attributes if not present in AD with flexible rules for doing
this and vice versa

3. Which subsets of users to keep in synch
- Make it possible to define which AD/IPA users should be kept in synch

4. Topology
- Password synch is only supported with 1 AD domain.  Not multiple.
- Identity/attribute synch is supported across multiple domains.
---If the same user is in multiple domains, there is a problem ---- Not
supported
---If the same userid in different domains but different user, resolve
- Need to support PW change on any IPA server
- Need to support PW change on an AD server

5. Failover
- Support for failover AD DC
- Support for failover IPA

6. Install and Packaging
- Separate install of synch tool
- Preconfigured synch tool with easy to point to IPA and AD
- Predefined
- Requires passsynch on domain controllers
- Proposal 1: Requires password to only change on AD.  Probably not ok.
- Proposal 2: Make changes to IPA to hand PW to AD

7. Groups.
Allow four options that an administrator can choose between:
- One option: Synchronize all users from AD into one IPA group
- Second option: Synchronize all users according to filter defined in #3
above and bring along all of their groups and keep their memberships in
them.
- Third option:  No group synch at all
- Fourth option:  No support for nested groups

Best regards,
Karl



------------------------------

Message: 3
Date: Fri, 06 Jun 2008 13:38:50 -0600
From: Rich Megginson <rmeggins redhat com>
Subject: Re: [Freeipa-devel] AD and freeIPA synch
To: kwirth redhat com
Cc: freeipa-devel redhat com, freeipa-interest redhat com
Message-ID: <4849924A 40303 redhat com>
Content-Type: text/plain; charset="iso-8859-1"

Karl Wirth wrote:
> Hello,
>
> Many organizations have given feedback that they want to make sure that
> freeIPA can synch with AD.  We want to provide more than what is
> available in the winsynch that is in fedora directory server.  Here are
> my thoughts on what the features should be in this area.  I would love
> your feedback.  Does this sound right?  What is missing?  Longer term, we
> hope to enable kerberos trust between AD and IPA but even then some
> folks will want synch as well.  Thoughts?
>
> AD and freeIPA synch requirements ---proposal for your review and feedback
>
> 1. Keep password in AD same as PW in IPA
> - If changed in AD, bring change over to IPA
> - If changed in IPA, bring change over to AD
>
One problem with this is password policy - min length, complexity,
history, etc.  How to sync password policy between IPA and AD?
> 2. Synch userid and attributes
> - Configurable which attributes
> - If full posix available then make this available
> - Configurable translation between attributes (i.e. transform data such
> as middle name length or whatever)
> - Configurable mapping between attribute names
> - Generate attributes if not present in AD with flexible rules for doing
> this and vice versa
>
> 3. Which subsets of users to keep in synch
> - Make it possible to define which AD/IPA users should be kept in synch
>
> 4. Topology
> - Password synch is only supported with 1 AD domain.  Not multiple.
> - Identity/attribute synch is supported across multiple domains.
> ---If the same user is in multiple domains, there is a problem ---- Not
> supported
> ---If the same userid in different domains but different user, resolve
> - Need to support PW change on any IPA server
> - Need to support PW change on an AD server
>
Support for uni-directional sync - many Fedora DS users have asked for
the ability to sync changes only from Fedora DS to AD, or vice versa,
but not both ways.  Or perhaps uni-directional for passwords (due to
password policy) and bi-di for other data.
> 5. Failover
> - Support for failover AD DC
> - Support for failover IPA
>
> 6. Install and Packaging
> - Separate install of synch tool
> - Preconfigured synch tool with easy to point to IPA and AD
> - Predefined
> - Requires passsynch on domain controllers
> - Proposal 1: Requires password to only change on AD.  Probably not ok.
> - Proposal 2: Make changes to IPA to hand PW to AD
>
> 7. Groups.
> Allow four options that an administrator can choose between:
> - One option: Synchronize all users from AD into one IPA group
> - Second option: Synchronize all users according to filter defined in #3
> above and bring along all of their groups and keep their memberships in
> them.
> - Third option:  No group synch at all
> - Fourth option:  No support for nested groups
>
Support for AD memberOf (if not already fully supported by ipa-memberof).
> Best regards,
> Karl
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel redhat com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
Url : https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin

------------------------------

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel redhat com
https://www.redhat.com/mailman/listinfo/freeipa-devel

End of Freeipa-devel Digest, Vol 13, Issue 11
*********************************************
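The following is an added example, not code from the thread or from the FreeIPA project. It models, in Python, the sync behaviour sketched in items 2-4 of Karl's proposal (configurable attribute-name mapping and transforms, generated attributes, a filter for which users to sync, and handling of the same userid appearing in several AD domains) and the password-policy problem Rich raises in reply (the sync side has to honour the stricter of the two policies before it can push a password across). The attribute map, the generator rules, the "same person" key (mail), the rename-on-collision policy, the SHA-256 history store and every sample user are constructed assumptions for illustration; only the ACCOUNTDISABLE bit of userAccountControl is a real AD value.

```python
from dataclasses import dataclass
import hashlib

# Item 2: configurable AD -> IPA attribute-name mapping (assumed table).
AD_TO_IPA = {"sAMAccountName": "uid", "givenName": "givenName", "sn": "sn",
             "mail": "mail", "displayName": "cn"}

# Item 2: configurable per-attribute transforms, keyed by IPA name (assumed).
TRANSFORMS = {"mail": str.lower, "uid": str.lower}

# Item 2: rules that generate an attribute the AD entry did not carry (assumed).
GENERATORS = {
    "cn": lambda e: f"{e.get('givenName', '')} {e.get('sn', '')}".strip(),
    "homeDirectory": lambda e: "/home/" + e["uid"],
}

ACCOUNTDISABLE = 0x0002  # real userAccountControl flag bit for a disabled account


def ad_to_ipa(ad_entry: dict) -> dict:
    """Rename, transform and complete one AD entry into its IPA form."""
    ipa = {}
    for ad_name, ipa_name in AD_TO_IPA.items():
        if ad_name in ad_entry:
            ipa[ipa_name] = TRANSFORMS.get(ipa_name, lambda v: v)(ad_entry[ad_name])
    for ipa_name, rule in GENERATORS.items():
        if ipa_name not in ipa:
            ipa[ipa_name] = rule(ipa)
    ipa["ad_domain"] = ad_entry["domain"]   # kept for conflict reporting
    return ipa


def wants_sync(ad_entry: dict) -> bool:
    """Item 3: default filter - enabled accounts with a mailbox in our domain (assumed rule)."""
    enabled = not (ad_entry.get("userAccountControl", 0) & ACCOUNTDISABLE)
    return enabled and ad_entry.get("mail", "").lower().endswith("@example.test")


def reconcile(ad_entries: list, keep=wants_sync) -> tuple:
    """Item 4: merge entries from several AD domains into one IPA user set.

    Same person (assumed key: mail) in two domains -> reported, not synced.
    Same userid but different person -> newcomer is renamed uid.<domain-label>.
    """
    users, problems, seen_mail = {}, [], {}
    for entry in ad_entries:
        if not keep(entry):
            continue
        ipa = ad_to_ipa(entry)
        mail = ipa.get("mail")
        if mail in seen_mail and seen_mail[mail] != ipa["ad_domain"]:
            problems.append(f"{mail} exists in {seen_mail[mail]} and "
                            f"{ipa['ad_domain']}: not supported")
            continue
        if mail:
            seen_mail[mail] = ipa["ad_domain"]
        if ipa["uid"] in users:  # same userid, different person: resolve by renaming
            ipa["uid"] = f"{ipa['uid']}.{ipa['ad_domain'].split('.')[0]}"
            ipa["homeDirectory"] = "/home/" + ipa["uid"]
        users[ipa["uid"]] = ipa
    return users, problems


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_classes: int  # of lower / upper / digit / other character classes required
    history: int      # number of previous passwords that may not be reused


def strictest(*policies: PasswordPolicy) -> PasswordPolicy:
    """Rich's point: a password accepted for sync must satisfy both sides."""
    return PasswordPolicy(max(p.min_length for p in policies),
                          max(p.min_classes for p in policies),
                          max(p.history for p in policies))


def password_digest(password: str) -> str:
    # Toy history store for the example; a real one keeps salted hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def password_ok(password: str, policy: PasswordPolicy, previous: list) -> bool:
    """Check a new password against the merged policy and the recent history."""
    if len(password) < policy.min_length:
        return False
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(1 for t in tests if any(t(c) for c in password))
    if classes < policy.min_classes:
        return False
    return password_digest(password) not in previous[:policy.history]


# Constructed sample AD entries from two domains (not real data).
SAMPLE_AD = [
    {"domain": "corp.example.test", "sAMAccountName": "jdoe", "givenName": "Jane",
     "sn": "Doe", "mail": "Jane.Doe@example.test", "userAccountControl": 512},
    {"domain": "lab.example.test", "sAMAccountName": "jdoe", "givenName": "John",
     "sn": "Doe", "mail": "john.doe@example.test", "userAccountControl": 512},
    {"domain": "lab.example.test", "sAMAccountName": "jane", "givenName": "Jane",
     "sn": "Doe", "mail": "jane.doe@example.test", "userAccountControl": 512},
    {"domain": "corp.example.test", "sAMAccountName": "svc", "sn": "Svc",
     "userAccountControl": 514},  # disabled: filtered out
]

if __name__ == "__main__":
    users, problems = reconcile(SAMPLE_AD)
    print(sorted(users), problems)
    merged = strictest(PasswordPolicy(7, 3, 24), PasswordPolicy(8, 0, 0))
    print(merged, password_ok("Tr0ub4dor&", merged, []))
```

Running the sample yields two IPA users (`jdoe` from corp and the renamed `jdoe.lab`), one reported conflict for Jane Doe appearing in both domains, and a merged policy of length 8, three character classes and 24 remembered passwords. The merged policy is what a uni-directional password sync, as Rich suggests, would enforce at the source before forwarding the change.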

