Jason Beavers
2008-Jan-21 23:47 UTC
[Fedora-directory-users] Unidirectional Windows Sync possible
Hi All,
Probably been asked before but I didn't quite find the answer I was
looking for by searching.
Is it possible to configure a Unidirectional Windows Sync agreement?
Scenario:
Large Enterprise with fully deployed Windows AD
We would like to develop an application that runs off of Fedora DS, and allows
the users to login using their normal AD credentials.
We'll be storing a lot of application specific data about each user,
(preferences, settings, etc) in FedoraDS and are prohibited from writing
anything back to AD.
Which pretty much rules out modifying the AD schema, or writing changes back to
AD (corporate mandate, don't ask).
So basically what I'm asking is whether it's possible to configure
Windows Sync such that Users (and passwords) can be sync'd over from AD
to FDS but not the other way around.
This way all user management (creation, password changes, etc) always happens in
AD and we only sync over the authentication credentials, leaving the other stuff
to FDS.
Make sense? Thoughts?
Thanks in advance
Rich Megginson
2008-Jan-22 18:30 UTC
Re: [Fedora-directory-users] Unidirectional Windows Sync possible
Jason Beavers wrote:
> Hi All,
>
> Probably been asked before but I didn't quite find the answer I was
> looking for by searching.
> Is it possible to configure a Unidirectional Windows Sync agreement?
>
> Scenario:
>
> Large Enterprise with fully deployed Windows AD
>
> We would like to develop an application that runs off of Fedora DS,
> and allows the users to login using their normal AD credentials.
> We'll be storing a lot of application specific data about each user,
> (preferences, settings, etc) in FedoraDS and are prohibited from
> writing anything back to AD.
> Which pretty much rules out modifying the AD schema, or writing
> changes back to AD (corporate mandate, don't ask).
>
> So basically what I'm asking is whether it's possible to configure
> Windows Sync such that Users (and passwords) can be sync'd over from
> AD to FDS but not the other way around.
> This way all user management (creation, password changes, etc) always
> happens in AD and we only sync over the authentication credentials,
> leaving the other stuff to FDS.
>
> Make sense? Thoughts?

It's not directly supported, but I suppose you could have your AD administrator create a special admin user that had read/search rights over the AD tree but not update/write rights. Then Fedora DS could read the info from AD but not write any back. I don't know if this would make Fedora DS blow up because it would get lots of errors attempting to write updates to AD.

> Thanks in advance