[389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?

Mon Jan 4 13:40:30 UTC 2010

Well, I don't have any documentation on the posix/netgroup type of scripts.
But I can try to outline our approach:

In the AD LDAP tree, we have created an organizational unit (OU) named
"linux" (or something like that). Under this OU we have two OUs, named
"users" and "groups". Under these OU's we've moved all users and groups that
are to be synced over to our Red Hat Directory Server (RHDS, which is
basically the same as FDS).

On the RHDS, we've done this: Using the Windows Sync (
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html)
plugin, we've defined that all entries under the "linux" OU on AD should be
synced over to RHDS. Windows Sync basically copies those entries from AD.
In addition, we have a few script running on the RHDS server. On script adds
posix attributes to users that have been synced over from AD to RHDS.
Another script populates NIS netgroups based on AD groups. Let me explain:
Say we have a AD group called "linux-admins", and that it's placed under the
"groups" OU (as explained above) as is thus synced over to the RHDS. On the
RHDS side, we have a similar NIS netgroup called for example
"netgroup-linux-admins". Our script reads the "linux-admins" membership
info, and makes sure that the "netgroup-linux-admins" is updated with the
same membership info. This way we can rely on the AD admins to manage group
memeberships on the RHDS side.
The NIS netgroup information can the be used for defining which groups of
users can access which groups of servers (note that we're going to put
server names into netgroup too), by configuring PAM to allow access based on
netgroup membership. For example, we can define that users that are members
of "netgroup-linux-admins" will have access to all servers. Furhtermore, we
can use the same netgroups to define sudo privileges for groups of users.
For the "netgroup-linux-admins", they will typically be given full sudo
access on all servers.

I hope this made some sense. Let me know if you want me to elaborate on some
of the points.

Btw, the most relevant info I've found on setting this thing up is the RHDS
manuals (http://www.redhat.com/docs/manuals/dir-server/), and the 389 web
site.

- Kenneth

On Mon, Jan 4, 2010 at 12:40 PM, Ajeet S Raina <ajeetraina at gmail.com> wrote:

> Hello Kenneho,
>
> Thanks for the quick response. I appreciate your helpful words on these
> queries.
> I would be thankful if yu can provide me with the tutorials or documents or
> links which you followed for the same setup.
>
> May I know what should be approach for syncing ADS to Fedora DS?
> Any step by step approach for the sa
>
>   On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter <kenneho.ndu at gmail.com>wrote:
>
>> Hi.
>>
>>
>> We're currently working on a similar setup.
>>
>> Regarding your first question: Using the Windows Sync plugin on the FDS
>> you sync specific users from AD over to FDS. Just move your sysadmin users
>> to an LDAP organization unit (OU), and sync that over to FDS. Next, you'll
>> need to add posix attributes (user ID, group ID, home directory, etc) to
>> these users on the FDS side. You can create simple scripts for doing this.
>> In our setup, we're going to use groups defined on the AD side as basis for
>> NIS netgroups on linux, so that we can control access to and sudo privileges
>> on linux servers based on these groups. This adds to the complexity, but
>> lets us manage users and access from the AD side.
>>
>> When you delete a user on the AD side, it will get deleted on the FDS side
>> too.
>>
>>
>> Regards,
>> Kenneth Holter
>>
>>
>>   On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina <ajeetraina at gmail.com>wrote:
>>
>>>
>>> I have a certain query regarding the following structure:
>>>  Code:
>>>
>>>     Active Directory Server
>>>     ||
>>>     ||
>>>     Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
>>>
>>> Let me explain you what I want:
>>>
>>> 1.There is a company Active Directory Server under domain
>>> intinfra.com.As <http://intinfra.com.as/> of now there are limited
>>> Windows Desktop Machine under that domain.I have few Linux / Unix Machines
>>> which I want to authenticate through ADS(which are presently not under
>>> ADS).Why? Becoz' everytime I need to delete the users whenver they leave the
>>> project.Thats Cumbersome.
>>>
>>> So what I want is Setup Fedora DS(Wonder if We can do that without Fedora
>>> DS).Now I can ads join to Fedora DS(I have administrative privileges for
>>> ADS).What I really want to know is:
>>>
>>> If I join Fedora DS to ADS then all employee can login to the Linux
>>> Machine through their login credentials. I dont want that to happen.We have
>>> 3000 employee in intinfra Domain but We are only 30 Admins. I only want
>>> those 30-40 admins to login restrictly.Is it possible to restrict at
>>> FedoraDS level.
>>>
>>> 2.Say, I joined ADS and fedora DS and say after 30 days one of System
>>> Admin left the company.So his name will be removed from ADS. Is it possible
>>> that ADS and Fedora DS are synchronized in such a way that a user whose name
>>> gets deleted in ADS, gets deleted too from fedora .Do fedora DS has the
>>> capability to synchronize to ADS everytime.
>>>
>>> Pls Suggest.
>>>
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
>
> --
>
>
> ”It is not possible to rescue everyone who is caught in the Windows
> quicksand
>           --Make sure you are on solid Linux ground before trying.”
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20100104/8cc37916/attachment.htm>