Erling Ringen Elvsrud
2008-Nov-05 12:23 UTC
[Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
I have managed to make Windows sync work and have one user synced from AD in my directory. The posixUser-attributes are still empty. How do you populate those attributes in an effective way?

If I have an empty directory, and the users already exist in AD, I have been thinking of this manual approach:

1. Perform a full re-sync from AD.
2. Export all the users in directory server in an LDIF-file and with scripts populate the needed attributes like uid, shell, home, etc.
3. Write the changes back in directory server.

For new users, if not too many, perform the needed changes manually.

What do you think? Is it possible to do this automatically with Windows Sync or do I have to use approaches like I described?

Thanks,
Erling
Rich Megginson
2008-Nov-05 14:24 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Erling Ringen Elvsrud wrote:
> I have managed to make Windows sync work and have one user synced from AD in my directory.
> The posixUser-attributes are still empty. How do you populate those attributes in an effective way?

You can't, really, and even if you did, they would not be synced. Windows Sync ignores them.

> If I have an empty directory, and the users already exist in AD I have been thinking of this manual approach:
>
> 1. Perform a full re-sync from AD.
> 2. Export all the users in directory server in a LDIF-file and with scripts populate the needed attributes like uid, shell, home, etc.
> 3. Write the changes back in directory server.
>
> For new users, if not too many, perform the needed changes manually.
>
> What do you think? Is it possible to do this automatically with Windows Sync or do I have to use approaches like I described?

That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.

> Thanks,
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Erling Ringen Elvsrud
2008-Nov-06 19:54 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson <rmeggins@redhat.com> wrote:
[...]
> That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.

Thanks for your answer.

I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything. So what I get is basically a skeleton that I have to populate with the posixUser attributes.

Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side, which might not be enough for all policing needs (may need netgroups in addition).

We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?

Erling
Rich Megginson
2008-Nov-06 20:00 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Erling Ringen Elvsrud wrote:
> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
>> That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.
>
> Thanks for your answer.
>
> I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything.

I hear this all the time - AD admins are very touchy about installing anything, especially some piece of random open source software that's going to intercept clear text passwords and send them who-knows-where.

> So what I get is basically a skeleton that I have to populate with the posixUser attributes.
>
> Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side,

Yes. But note - not posix groups (posixGroup) but plain groups (groupOfUniqueNames).

> which might not be enough for all policing needs (may need netgroups in addition).

Sure.

> We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?

I suggest you take a look at Penrose
http://docs.safehaus.org/display/PENROSE/Home

> Erling
Kenneth Holter
2008-Nov-07 11:30 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines. It is possible to get this working, however, through a series of manual steps. So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?

Regards,
Kenneth Holter

On 11/6/08, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
Rich Megginson
2008-Nov-07 15:30 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Kenneth Holter wrote:
> I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines.

I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?

> It is possible to get this working, however, through a series of manual steps. So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?

I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.

> Regards,
> Kenneth Holter
>
> On 11/6/08, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
Kenneth Holter
2008-Nov-10 07:54 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Thank you for your reply.

Yes you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.

Is it so that one usually has an AD/DS setup like this:

- users/passwords are synced from AD to DS
- the new users are exported to an ldif file, things such as posix attributes are added, and reimported into DS
- users can now log into linux servers (via SSH) that are properly configured as LDAP clients

? Just trying to get an understanding of how one usually sets up AD and DS to work together.

On 11/7/08, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
Rich Megginson
2008-Nov-10 15:56 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Kenneth Holter wrote:
> Thank you for your reply.
>
> Yes you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.
>
> Is it so that one usually has an AD/DS setup like this:
>
> * users/passwords are synced from AD to DS
> * the new users are exported to an ldif file, things such as posix attributes are added, and reimported into DS
> * users can now log into linux servers (via SSH) that are properly configured as LDAP clients
>
> ? Just trying to get an understanding of how one usually sets up AD and DS to work together.

I think that's how it usually goes. Perhaps some other folks that are doing this will chime in.

freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login. See freeipa.org

> On 11/7/08, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
Kenneth Holter
2008-Nov-13 15:12 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
The IPA documentation states that it ships with (Fedora/Red Hat) Directory Server. Won't we get the same sync issues with (free/Red Hat) IPA as with Directory Server alone? And is there a link between IPA and Penrose?

On 11/10/08, Rich Megginson <rmeggins@redhat.com> wrote:
> freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login. See freeipa.org
Rich Megginson
2008-Nov-13 15:26 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Kenneth Holter wrote:
> The IPA documentation states that it ships with (Fedora/Red Hat) Directory Server. Won't we get the same sync issues with (free/Red Hat) IPA as with Directory Server alone?

No. IPA winsync (coming Real Soon Now) extends regular DS windows sync in a couple of ways:

* AD users synced over to IPA will get the full kerberos and posix (and other) schema, including a uidNumber automatically assigned.
* If a user is disabled in AD, that user will be disabled in IPA, and vice versa.
* There is the ability to force sync - if there is an already existing IPA user with the same user id (uid attribute) as an already existing AD user (samAccountName attribute) they will be automatically synced - you do not have to manually add the ntUser objectclass and ntUserDomainID attribute with the samAccountName value to the IPA entry.

> And is there a link between IPA and Penrose?
>
> On 11/10/08, Rich Megginson <rmeggins@redhat.com> wrote:
>> freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login. See freeipa.org
Kenneth Holter
2008-Nov-19 09:35 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Has anyone on the list set up such a scheme for adding posix attributes to users synced from AD, and would like to comment on this approach?

I'm thinking that maybe running a cron job (for example a couple of times an hour) that searches for newly added users, then using "ldapmodify" to add the required posix attributes, may be the way to go.

Regards,
Kenneth

On 11/10/08, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
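As an added example (not code from the thread, from Directory Server or from Windows Sync), a stdlib-only Python script for the approach Erling outlined earlier (export, script the posix attributes, write back) and for the cron-plus-ldapmodify variant Kenneth describes above: it reads a DS LDIF export, picks out entries that carry the ntUser objectclass but no posixAccount, allocates uidNumbers above the highest one already in use so that reruns never hand out a colliding POSIX identity, and emits a changetype: modify LDIF for ldapmodify. The sample entries, the uid floor, the default gid and shell, and the login-name pattern are constructed assumptions.

```python
"""Added example (not from the thread): idempotent pass over a DS LDIF export
that plans posixAccount attributes for AD-synced users, for ldapmodify."""
import base64
import re

# Constructed sample export. Only entries carrying the ntUser objectclass
# (what Windows Sync adds to AD-synced users) and lacking posixAccount are
# touched: bob is already done, svc-local is a local (non-synced) account.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: ntUser
uid: alice
ntUserDomainID: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ntUser
uid: bob
uidNumber: 10042
gidNumber: 10000
homeDirectory: /home/bob
loginShell: /bin/bash
ntUserDomainID: bob

dn: uid=svc-local,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: svc-local
"""

UID_FLOOR = 10000       # assumption: site allocates POSIX uids from here upward
DEFAULT_GID = 10000     # assumption: one shared primary group for synced users
DEFAULT_SHELL = "/bin/bash"
# assumption: only portable login names are turned into POSIX accounts
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {lowercased attr: [values]}).
    Handles folded lines and base64 (::) values; ignores comment lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]            # folded continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def next_free_uid(entries, floor=UID_FLOOR):
    """Allocate above the highest uidNumber already in the export; reusing a
    number would make two directory accounts the same POSIX identity."""
    used = [int(v) for _, a in entries for v in a.get("uidnumber", [])]
    return max([floor - 1] + used) + 1


def plan_posix_mods(entries):
    """Return (ldif_text, assigned): ldif_text is input for ldapmodify,
    assigned maps each dn to be modified to the uidNumber it was given."""
    next_uid = next_free_uid(entries)
    chunks, assigned = [], {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ntuser" not in classes or "posixaccount" in classes:
            continue    # not AD-synced, or already done: safe to rerun from cron
        login = attrs.get("uid", [""])[0]
        if not LOGIN_RE.match(login):
            continue    # refuse names that are not valid POSIX login names
        assigned[dn] = next_uid
        chunks.append(
            f"dn: {dn}\nchangetype: modify\n"
            "add: objectClass\nobjectClass: posixAccount\n-\n"
            f"add: uidNumber\nuidNumber: {next_uid}\n-\n"
            f"add: gidNumber\ngidNumber: {DEFAULT_GID}\n-\n"
            f"add: homeDirectory\nhomeDirectory: /home/{login}\n-\n"
            f"add: loginShell\nloginShell: {DEFAULT_SHELL}\n"
        )
        next_uid += 1
    return "\n".join(chunks), assigned


if __name__ == "__main__":
    ldif, _ = plan_posix_mods(parse_ldif(SAMPLE_LDIF))
    print(ldif)   # save and feed to ldapmodify against the DS instance
```

Because entries that already have posixAccount are skipped, a second run over a fresh export after the changes have been applied plans nothing, which is what makes it usable from a periodic cron job.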
Rich Megginson
2008-Nov-19 14:29 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Kenneth Holter wrote:
> Has anyone on the list set up such a scheme for adding posix attributes to users synced from AD, and would like to comment on this approach?
>
> I'm thinking that maybe running a cron job (for example a couple of times an hour) that searches for newly added users, then using "ldapmodify" to add the required posix attributes, may be the way to go.

That might work. There is some documentation about how to poll Active Directory for changes to entries:
http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
and
http://support.microsoft.com/kb/891995

I have a python-ldap script that implements support for the DirSync control - http://github.com/richm/scripts/tree/master/dirsyncctrl.py

> Regards,
> Kenneth
>
> On 11/10/08, Rich Megginson <rmeggins@redhat.com> wrote:
> [...]
Kenneth Holter
2008-Nov-25 09:31 UTC
Re: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
Hi. I may be missing something here, but why not simply search the RHDS for new entries (i.e. entries which don't have the posix attributes set) instead of polling AD? The entries found after such a search are simply added the required posix (and maybe other) attributes, and then the user is good to go.

Kenneth

On 11/19/08, Rich Megginson <rmeggins@redhat.com> wrote:

> That might work. There is some documentation about how to poll Active Directory for changes to entries:
> http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
> and
> http://support.microsoft.com/kb/891995
>
> I have a python-ldap script that implements support for the DirSync control - http://github.com/richm/scripts/tree/master/dirsyncctrl.py
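Kenneth's approach above (search the DS for synced entries that still lack the posix attributes, then add them), worked through as an added example that is not part of the thread or of any script its authors mention. It assumes python-ldap 3, that Windows Sync gives the DS entry objectClass ntUser with uid holding the AD login name, and constructed values for the shared gid, the uidNumber range, the home base and the shell; the search result is a constructed sample.

```python
import re
# Assumptions constructed for this example (not from the thread): one shared posixGroup,
# a uidNumber range reserved for AD-synced accounts, and DS "uid" = the AD login name.
DEFAULT_GID, FIRST_UID, HOME_BASE, SHELL = 100, 10000, "/home", "/bin/bash"
# Constructed sample search result: one synced entry lacking posixAccount, one that has it.
SAMPLE = [
    {"dn": "uid=JDoe,ou=People,dc=example,dc=com", "uid": ["JDoe"],
     "objectClass": ["top", "person", "inetOrgPerson", "ntUser"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": ["bob"], "uidNumber": ["10042"],
     "objectClass": ["top", "person", "inetOrgPerson", "ntUser", "posixAccount"]},
]

def next_uid_number(entries):
    """One past the highest uidNumber already in use, never below FIRST_UID."""
    used = [int(v) for e in entries for v in e.get("uidNumber", [])]
    return max(used + [FIRST_UID - 1]) + 1

def posix_attrs(entry, uid_number):
    """Attributes to add so the synced entry satisfies the posixAccount objectClass."""
    login = entry.get("uid", [""])[0].lower()
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", login):
        raise ValueError(f"not a usable Unix login name: {login!r}")
    return {"objectClass": ["posixAccount"], "uidNumber": [str(uid_number)],
            "gidNumber": [str(DEFAULT_GID)], "homeDirectory": [f"{HOME_BASE}/{login}"],
            "loginShell": [SHELL]}

def plan_changes(entries):
    """[(dn, attrs_to_add)] for every entry (attr -> [str]) lacking posixAccount."""
    uid_number, plan = next_uid_number(entries), []
    for e in sorted(entries, key=lambda e: e.get("uid", [""])[0].lower()):
        if "posixaccount" not in {c.lower() for c in e.get("objectClass", [])}:
            plan.append((e["dn"], posix_attrs(e, uid_number)))
            uid_number += 1  # sequential, so two new entries never share a number
    return plan

def populate(url, bind_dn, password, base, dry_run=True):
    """Search DS (python-ldap) for synced and posix users, apply plan_changes unless dry_run."""
    import ldap  # imported here so the planning functions above run without it
    conn = ldap.initialize(url)
    conn.simple_bind_s(bind_dn, password)
    # existing posixAccounts are read as well so new uidNumbers cannot collide with them
    raw = conn.search_s(base, ldap.SCOPE_SUBTREE, "(|(objectClass=ntUser)(objectClass=posixAccount))",
                        ["objectClass", "uid", "uidNumber"])
    entries = [{"dn": dn, **{k: [v.decode() for v in vs] for k, vs in a.items()}} for dn, a in raw]
    plan = plan_changes(entries)
    for dn, attrs in plan:
        mods = [(ldap.MOD_ADD, k, [v.encode() for v in vs]) for k, vs in attrs.items()]
        if not dry_run:
            conn.modify_s(dn, mods)
    return plan
```

Running `plan_changes(SAMPLE)` offline shows what would be written before `populate(..., dry_run=False)` touches the directory.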