[Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Rich Megginson
rmeggins at redhat.com
Wed Nov 19 14:29:04 UTC 2008
Kenneth Holter wrote:
>
> Has anyone on the list set up such a scheme for adding posix
> attributes to users synced from AD, and would like to comment on this
> approach?
>
> I'm thinking that maybe running a cron job (for example a couple of
> times an hour) that searches for newly added users, then using
> "ldapmodify" to add the required posix attributes, may be the way to go.
That might work. There is some documentation about how to poll Active
Directory for changes to entries:
http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
and
http://support.microsoft.com/kb/891995
I have a python-ldap script that implements support for the DirSync
control - http://github.com/richm/scripts/tree/master/dirsyncctrl.py
>
>
> Regards,
> Kenneth
>
>
> On 11/10/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
> Kenneth Holter wrote:
>
> Thank you for your reply.
> Yes you understood me correctly - I meant it doesn't seem like
> Windows Sync is intended for Linux machine login (via SSH to
> be precise) to "just work" with no additional work. I'm sorry
> that I wasn't too clear on this.
> Is it so that one usually has an AD/DS setup like this:
>
> * users/passwords are synced from AD to DS
> * the new users are exported to an ldif file, things such as
> posix attributes are added, and the file is reimported into DS
> * users can now log into linux servers (via SSH) that are
> properly configured as LDAP clients
>
> ? Just trying to get an understanding of how one usually sets up
> AD and DS to work together.
>
> I think that's how it usually goes. Perhaps some other folks that
> are doing this will chime in.
>
> freeIPA will soon have support for automatic creation of AD user
> accounts in IPA, including all of the posix and kerberos
> attributes needed for OS login. See http://freeipa.org/
>
>
> On 11/7/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
> Kenneth Holter wrote:
>
> I'm not very into fedora/redhat directory server (DS), but
> thought I'd just drop a quick question: It doesn't seem like
> Windows Sync is intended for syncing AD users to DS so that
> users defined on AD can be allowed to log into Linux machines.
>
> I'm not sure what you mean by that. Do you mean because the posix
> attributes are not synced, you cannot create a user in AD that is
> synced to Fedora DS and Linux machine login "just works" with no
> additional work?
>
> It is possible to get this working, however, through a series
> of manual steps. So what is the intended purpose for Windows
> Sync, if I might ask, as it seems a lot simpler just to manage
> everything directly from DS without syncing with AD?
>
> I think most people use it to sync passwords, so that you can have
> the same password on AD as Unix/Linux, and when you change the
> password on one side, that change is synced to the other side.
>
> Regards,
> Kenneth Holter
>
> On 11/6/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>
> Erling Ringen Elvsrud wrote:
>
> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> [...]
> That should work. But note that posix attributes will not
> sync to AD. And even if you did manage to find a posix
> schema that worked with AD, and added the posix schema on
> the AD side, those attributes would not be synced to
> Fedora DS.
>
> Thanks for your answer.
>
> I start to wonder if Windows sync is worth the trouble. At my
> site we will probably not implement password sync as the
> AD-side is very restrictive about installing anything.
>
> I hear this all the time - AD admins are very touchy about
> installing anything, especially some piece of random open
> source software that's going to intercept clear text
> passwords and send them who-knows-where
>
> So what I get is basically a skeleton that I have to
> populate with the posixUser attributes.
>
> Another issue is groups in AD. I suppose those groups
> will become regular unix-groups on the directory server side,
>
> Yes. But note - not posix groups (posixGroup) but plain groups
> (groupOfUniqueNames)
>
> which might not be enough for all policing needs (may need
> netgroups in addition).
> Sure.
>
> We will probably have maximum a few hundred users in the
> directory, do you think Windows-sync is worth the bother?
> I suggest you take a look at Penrose
> http://docs.safehaus.org/display/PENROSE/Home
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20081119/aecf7331/attachment.bin>
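A worked version of the cron-job scheme discussed at the top of this message, added here as an example; it is not code from the thread, from Fedora DS, or from the dirsyncctrl.py script linked above. It takes the LDIF that `ldapsearch` returns for synced users that have no posixAccount objectClass yet and generates the change records that `ldapmodify` consumes, allocating uidNumbers that never collide with ones already in the directory and refusing any uid that is not a valid POSIX login name (and therefore not safe to turn into a homeDirectory). Everything about the deployment is an assumption: that winsync marks synced entries with the ntUser objectClass (the search filter in the comment), the ou=People suffix, the uidNumber range, gidNumber 100 and /bin/bash as defaults, and the sample entries and existing uidNumbers, which are constructed. Standard library only, so it runs offline.

```python
"""Build ldapmodify input adding posixAccount attributes to AD-synced users.
Added example for the cron-job scheme in the thread, not the thread's own code."""
import base64
import re

# Constructed sample of what `ldapsearch -LLL -b ou=People,dc=example,dc=com
#   '(&(objectClass=ntUser)(!(objectClass=posixAccount)))' uid cn objectClass`
# might return.  That winsync marks synced users with ntUser, and every name and
# number below, are assumptions about the deployment, not facts from the thread.
SAMPLE_SEARCH_RESULT = """\
dn: uid=kholter,ou=People,dc=example,dc=com
objectClass: ntUser
uid: kholter
cn: Kenneth Holter

dn: uid=amueller,ou=People,dc=example,dc=com
objectClass: ntUser
uid: amueller
cn:: QW5uYSBNw7xsbGVy

dn: uid=bob smith,ou=People,dc=example,dc=com
objectClass: ntUser
uid: bob smith
cn: Bob Smith
"""
# Constructed: uidNumbers already in the directory (a search for "(uidNumber=*)");
# the gap 10002-10006 is deliberately never reused.
SAMPLE_EXISTING_UIDNUMBERS = [10000, 10001, 10007]

# Linux login name: lowercase, starts with a letter or underscore, <= 32 chars.
# A uid failing this also makes "/home/<uid>" unsafe, so such entries are skipped.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _unfold(text):
    """Yield logical LDIF lines (folded continuations joined); '' ends an entry."""
    pending = None
    for raw in text.splitlines():
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]
            continue
        if pending is not None:
            yield pending
        pending = None if raw == "" else raw
        if raw == "":
            yield ""
    if pending is not None:
        yield pending


def parse_ldif(text):
    """Parse search-result LDIF into a list of {attr_lower: [values]} dicts."""
    entries, current = [], {}
    for line in _unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def build_posix_modifications(search_ldif, existing_uidnumbers, start=10000,
                              gid_number=100, login_shell="/bin/bash"):
    """Return (ldapmodify LDIF, skipped [(dn, reason)], {uid: uidNumber}).
    uidNumbers go strictly above the highest one already present (never below
    `start`): reusing a freed number hands the new user the old user's files."""
    next_uid = max([start - 1, *existing_uidnumbers]) + 1
    records, skipped, allocated = [], [], {}
    for entry in parse_ldif(search_ldif):
        dn = entry["dn"][0]              # ASCII here; a non-ASCII DN needs "dn::" base64
        if "posixaccount" in {oc.lower() for oc in entry.get("objectclass", [])}:
            continue                     # already converted, so re-running is harmless
        uids = entry.get("uid", [])
        if len(uids) != 1 or not LOGIN_RE.match(uids[0]):
            skipped.append((dn, "uid is not a valid POSIX login name"))
            continue
        uid = uids[0]
        allocated[uid] = next_uid
        records.append("\n".join([
            f"dn: {dn}", "changetype: modify",
            "add: objectClass", "objectClass: posixAccount", "-",
            "add: uidNumber", f"uidNumber: {next_uid}", "-",
            "add: gidNumber", f"gidNumber: {gid_number}", "-",
            "add: homeDirectory", f"homeDirectory: /home/{uid}", "-",
            "add: loginShell", f"loginShell: {login_shell}", "-",
        ]))
        next_uid += 1
    return "\n\n".join(records) + ("\n" if records else ""), skipped, allocated


if __name__ == "__main__":               # pipe the output into: ldapmodify -x -D <binddn> -W
    out, skipped, _ = build_posix_modifications(SAMPLE_SEARCH_RESULT, SAMPLE_EXISTING_UIDNUMBERS)
    print(out, *[f"# skipped {dn}: {why}" for dn, why in skipped], sep="\n")
```

Two design points matter for a job like this that runs unattended a couple of times an hour. The filter makes the job idempotent, so a run that overlaps a previous one does not double-add attributes, and allocating uidNumbers only above the current maximum means a user created after someone leaves never inherits that person's uidNumber and file ownership. The identity the cron job binds as should be a dedicated DS account whose ACIs allow only adding these five attributes under ou=People, not the Directory Manager.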