[Freeipa-users] winsync msi

Dmitri Pal dpal at redhat.com
Fri Sep 7 19:51:01 UTC 2012


On 07/25/2012 08:32 PM, Steven Jones wrote:
> Hi,
>
> I will ask....
>

I am trying to make sure we closed all the loose ends.
Steven, is there any update?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Thursday, 26 July 2012 12:28 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync msi
>
> On 07/25/2012 06:11 PM, Steven Jones wrote:
>> Hi,
>>
>> From a RH support case as I don't have access to the RDS channel.
> We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi
> files.
>
>> No, it doesn't allay my Windows and security ppl's concerns....
> I was speaking specifically about your original concerns:
>
> "No not specific developers but some sort of statement of ownership from
> RedHat I suppose. So they are I assume looking for some sort of
> confidence that it won't trash AD and if I install it and it does trash
> our AD some liability."
>
> Does the fact that you are now getting a Red Hat branded binary from an
> official Red Hat download site allay these particular fears?
>
>> http://port389.org/wiki/Download
>>
>> "This is an Active Directory "plug-in" that intercepts password changes made to AD and sends the clear text password to 389 DS to keep the passwords in sync (when using the Windows Sync feature of 389 DS).
>>
>> Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. "
> "This is an Active Directory "plug-in" that intercepts password changes
> made to AD Domain Controllers and sends the clear text password over an
> encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync.
> It works in conjunction with the Windows Sync feature of 389. You must
> install this on every Domain Controller. "
>
> Better?
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rich Megginson [rmeggins at redhat.com]
>> Sent: Thursday, 26 July 2012 11:59 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync msi
>>
>> On 07/25/2012 02:41 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> Ah ok, I have the "official" one.
>> From where did you get it?  And does it allay your concerns?
>>
>>> One thing on the free site, it says the password is transmitted as clear text, no mention of over an encrypted secure channel....the security guys had a fit.....so if you update that web page it would help the cause.
>> Which page is that?  The Howto:WindowsSync?
>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Rich Megginson [rmeggins at redhat.com]
>>> Sent: Thursday, 26 July 2012 1:58 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] winsync msi
>>>
>>> On 07/24/2012 03:15 PM, Steven Jones wrote:
>>>> Hi Rich,
>>>>
>>>> I can appreciate what you are saying, but....
>>>>
>>>> Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed.
>>>>
>>>> So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA.
>>>>
>>>> IPA like AD is not just another application, it's at the very centre of everything. For us it will be the second or third most important system we have.  It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base.
>>>>
>>>> Let's see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users?
>>>>
>>>> So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it won't happen again.  If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk averse.
>>>>
>>>> Crazy thing of course is, yes IPA is free.......
>>>>
>>>> ;]
>>>>
>>>> I can appreciate things seem very strange in that context.  Consider that it's taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....it's proven very tasty......
>>> Ok.  If you are a Red Hat paying customer, you should get the
>>> RedHat-PassSync .msi from an official Red Hat channel.  We are working
>>> on addressing this issue.
>>>> :)
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ________________________________________
>>>> From: Rich Megginson [rmeggins at redhat.com]
>>>> Sent: Wednesday, 25 July 2012 2:54 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] winsync msi
>>>>
>>>> On 07/23/2012 06:32 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it won't trash AD and if I install it and it does trash our AD some liability.
>>>> Can you point me at another open source project that provides Windows
>>>> binaries that provides some sort of guarantee or statement or
>>>> documentation like this?  I'd like to see what other projects do and
>>>> provide something similar.
>>>>
>>>> Or is this the first (and only?) time anyone in your organization has
>>>> ever installed any open source software on Windows?
>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> ________________________________________
>>>>> From: Rich Megginson [rmeggins at redhat.com]
>>>>> Sent: Tuesday, 24 July 2012 12:11 p.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] winsync msi
>>>>>
>>>>> On 07/23/2012 05:38 PM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> For the winsync agreement my Windows and security teams want to know its details,
>>>>>>
>>>>>> eg who wrote it,
>>>>> Red Hat - do you need to know the names of the developers?
>>>>>
>>>>>> it is Microsoft certified etc.
>>>>> Not that I know of - how would one go about doing that?
>>>>>> Where will I find such info?
>>>>>>
>>>>>> All I have is
>>>>>>
>>>>>> http://port389.org/wiki/Download
>>>>>>
>>>>>> Which doesn't tell me much.
>>>>> There is more info in the actual .msi file.
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
