[Freeipa-devel] AD and freeIPA synch

Rich Megginson rmeggins at redhat.com
Fri Jun 6 19:38:50 UTC 2008


Karl Wirth wrote:
> Hello,
>
> Many organizations have given feedback that they want to make sure that
> freeIPA can synch with AD.  We want to provide more than what is
> available in the winsynch that is in fedora directory server.  Here are
> my thoughts on what the features should be in this area.  I would love
> your feedback.  Does this sound right?  What is missing?  Longerterm, we
> hope to enable kerberos trust between AD and IPA but even then some
> folks will want synch as well.  Thoughts?
>
> AD and freeIPA synch requirements ---proposal for your review and feedback
>
> 1. Keep password in AD same as PW in IPA
> - If changed in AD, bring change over to IPA
> - If changed in IPA, bring change over to AD
>   
One problem with this is password policy - min length, complexity, 
history, etc.  How to sync password policy between IPA and AD?
> 2. Synch userid and attributes
> - Configurable which attributes
> - If full posix available then make this available
> - Configurable translation between attributes (i.e. transform data such
> as middle name length or whatever)
> - Configurable mapping between attribute names
> - Generate attributes if not present in AD with flexible rules for doing
> this and vice versa
>
> 3. Which subsets of users to keep in synch
> - Make it possible to define which AD/IPA users should be kept in synch
>
> 4. Topology
> - Password synch is only supported with 1 AD domain.  Not multiple.
> - Identity/attribute synch is supported across multiple domains.  
> ---If the same user is in multiple domains, there is a problem ---- Not
> supported
> ---If the same userid in different domains but different user, resolve
> - Need to support PW change on any IPA server
> - Need to support PW change on an AD server
>   
Support for uni-directional sync - many Fedora DS users have asked for 
the ability to sync changes only from Fedora DS to AD, or vice versa, 
but not both ways.  Or perhaps uni-directional for passwords (due to 
password policy) and bi-di for other data.
> 5. Failover
> - Support for failover AD DC
> - Support for failover IPA
>
> 6. Install and Packaging
> - Separate install of synch tool
> - Preconfigured synch tool with easy to point to IPA and AD
> - Predefined
> - Requires passsynch on domain controllers
> - Proposal 1: Requires password to only change on AD.  Probably not ok.
> - Proposal 2: Make changes to IPA to hand PW to AD
>
> 7. Groups.  
> Allow four options that an administrator can choose between:
> - One option: Synchronize all users from AD into one IPA group
> - Second option: Synchronize all users according to filter defined in #3
> above and bring along all of their groups and keep their memberships in
> them.
> - Third option:  No group synch at all
> - Fourth option:  No support for nested groups
>   
Support for AD memberOf (if not already fully supported by ipa-memberof).
> Best regards,
> Karl
>
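To make proposal items 2 and 3 concrete, here is an added example (not code from this thread, FreeIPA or the Fedora DS winsync) of one AD-to-IPA attribute-sync step: an in-scope filter, a configurable attribute-name map, per-attribute transforms, and rules that generate IPA attributes AD does not carry; the mapping table, the OU-based scope rule and the sample entry are all constructed assumptions.

```python
# Added example, not from the freeipa-devel thread or the IPA project: a toy
# AD -> IPA attribute-sync step covering proposal items 2 and 3. Every name in
# the mapping, the scope rule and the sample data is a constructed assumption.
from typing import Callable, Dict, Optional

# Item 2: configurable mapping from AD attribute names to IPA attribute names.
ATTR_MAP = {
    "sAMAccountName": "uid",
    "givenName": "givenname",
    "sn": "sn",
    "mail": "mail",
    # RFC 2307 attributes exist only when AD carries POSIX data ("full posix").
    "uidNumber": "uidnumber",
    "gidNumber": "gidnumber",
    "unixHomeDirectory": "homedirectory",
    "loginShell": "loginshell",
}

# Item 2: configurable per-attribute value transforms.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "uid": str.lower,    # keep IPA logins lower-case regardless of AD casing
    "mail": str.lower,
}

# Item 2: rules that generate attributes AD did not provide.
GENERATE: Dict[str, Callable[[dict], str]] = {
    "cn": lambda e: f"{e.get('givenname', '')} {e['sn']}".strip(),
    "homedirectory": lambda e: f"/home/{e['uid']}",
    "loginshell": lambda e: "/bin/sh",
}

def in_scope(ad_entry: dict, sync_ou: str) -> bool:
    """Item 3: only users under the configured OU are synced (constructed rule)."""
    dn = ad_entry.get("distinguishedName", "")
    return dn.lower().endswith(sync_ou.lower())

def ad_to_ipa(ad_entry: dict, sync_ou: str) -> Optional[dict]:
    """Translate one AD entry into the attribute set an IPA user would receive."""
    if not in_scope(ad_entry, sync_ou):
        return None                      # out of scope: never created in IPA
    ipa = {}
    for ad_name, ipa_name in ATTR_MAP.items():
        if ad_name in ad_entry:
            value = ad_entry[ad_name]
            ipa[ipa_name] = TRANSFORMS.get(ipa_name, lambda v: v)(value)
    if "uid" not in ipa or "sn" not in ipa:
        raise ValueError("AD entry lacks the attributes needed for an IPA user")
    for ipa_name, rule in GENERATE.items():
        ipa.setdefault(ipa_name, rule(ipa))   # generate only what AD lacked
    return ipa
```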
