Alex Davies
2008-Apr-30 08:34 UTC
[Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
Hi All,

We have an AD architecture setup, and are looking to sync FDS with this to allow us to authenticate Linux machines and network devices.

We have two AD domains, and have a winsync and passsync setup with one of the domain controllers in each domain. This works, subject to the limitation that we have to manually create each OU. Once we create the OU in FDS, the users appear at the next sync.

Question 1: is it possible to automatically sync *all* OUs, including creating the OU in FDS if it does not exist? We have hundreds of OUs, and I don't want to have to create them all manually.

Question 2 is on UNIX UID/GID sync from AD. I've found a couple of posts which imply that it is not possible to sync UID/GID from AD [1], but this was some time ago. An alternative piece of documentation suggests that it is, but provides no details [2]. I'm also struggling to find documentation on the libdna plugin, which I believe is involved [3].

My questions are:
- Is it possible to sync UID/GID from AD (where AD has the Unix Tools installed, and therefore has these attributes in the schema)?
- Is it possible to automatically apply a unique UID/GID to each user that does not have a UID/GID?

Any help/pointers greatly appreciated.

Many thanks,

Alex

[1] http://www.redhat.com/archives/fedora-directory-users/2007-February/msg00111.html
[2] "Fedora DS gets posix/unix automatic uid generation (February 08, 2007). The cvs head now contains a new feature for automatic generation of sequenced numbers which is compatible with multi-master replication environments. This feature can be used for automatic generation of posix uidNumber and gidNumber in addition to other sequenced numeric attributes required by your deployment." http://directory.fedoraproject.org/
[3] About the only reference I can find: http://www.redhat.com/archives/fedora-directory-users/2008-January/msg00081.html
Rich Megginson
2008-Apr-30 14:27 UTC
Re: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
Alex Davies wrote:
> Hi All,
>
> We have an AD architecture setup, and are looking to sync FDS with this to allow us to authenticate Linux machines and network devices.
>
> We have two AD domains, and have a winsync and passsync setup with one of the domain controllers in each domain. This works, subject to the limitation that we have to manually create each OU. Once we create the OU in FDS, the users appear at the next sync. Question 1: is it possible to automatically sync *all* OUs, including creating the OU in FDS if it does not exist? We have hundreds of OUs, and I don't want to have to create them all manually.

Not sure. But I suppose it could be scripted if the init AD sync process does not create them.

> Question 2 is on UNIX UID/GID sync from AD. I've found a couple of posts which imply that it is not possible to sync UID/GID from AD [1],

That is correct.

> but this was some time ago. An alternative piece of documentation suggests that it is, but provides no details [2].

It just says that you can have the directory server automatically assign uidNumber and gidNumber. It doesn't say anything about AD sync.

> I'm also struggling to find documentation on the libdna plugin, which I believe is involved [3].

We're working on it.

> My questions are
> - Is it possible to sync UID/GID from AD (where AD has the Unix Tools installed, and therefore has these attributes in the schema).

No, not yet. We have to add support for the posix schema to our AD sync mechanism. This is on the roadmap.

> - Is it possible to automatically apply a unique UID/GID to each user that does not have a UID/GID?

Not after the fact. You'll have to write a script to do that.

> Any help/pointers greatly appreciated.
>
> Many thanks,
>
> Alex
>
> [1] http://www.redhat.com/archives/fedora-directory-users/2007-February/msg00111.html
> [2] "Fedora DS gets posix/unix automatic uid generation (February 08, 2007). The cvs head now contains a new feature for automatic generation of sequenced numbers which is compatible with multi-master replication environments. This feature can be used for automatic generation of posix uidNumber and gidNumber in addition to other sequenced numeric attributes required by your deployment." http://directory.fedoraproject.org/
> [3] About the only reference I can find: http://www.redhat.com/archives/fedora-directory-users/2008-January/msg00081.html
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Alex Davies
2008-Apr-30 15:05 UTC
Re: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
Many thanks for your replies Rich! I look forward to those features appearing...

--
Alex Davies

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender immediately by e-mail and delete this e-mail permanently.
Wilmer Jaramillo M.
2008-Jun-12 02:19 UTC
Re: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
2008/5/1 Alex Davies <alex@davz.net>:
> Hi All,
>
> We have an AD architecture setup, and are looking to sync FDS with this to allow us to authenticate Linux machines and network devices.
>
> We have two AD domains, and have a winsync and passsync setup with one of the domain controllers in each domain. This works, subject to the limitation that we have to manually create each OU. Once we create the OU in FDS, the users appear at the next sync. Question 1: is it possible to automatically sync *all* OUs, including creating the OU in FDS if it does not exist? We have hundreds of OUs, and I don't want to have to create them all manually.

For the record, maybe you can use my perl scripts for that. First, to search all OUs automatically in an MS ADS: http://wilmer.fedorapeople.org/scripts/ouSearch.pl

> Question 2 is on UNIX UID/GID sync from AD. I've found a couple of posts which imply that it is not possible to sync UID/GID from AD [1], but this was some time ago. An alternative piece of documentation suggests that it is, but provides no details [2]. I'm also struggling to find documentation on the libdna plugin, which I believe is involved [3].
> My questions are
> - Is it possible to sync UID/GID from AD (where AD has the Unix Tools installed, and therefore has these attributes in the schema).
> - Is it possible to automatically apply a unique UID/GID to each user that does not have a UID/GID?

Once the list of OUs is imported, the users can be imported into FDS and uid/gid created automatically with: http://wilmer.fedorapeople.org/scripts/ads2fds.pl

--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A
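The two scripted steps discussed in this thread (creating the OU containers FDS lacks, and handing a unique uidNumber/gidNumber to every synced user that has none) as one added example; this is not code from the thread or from Wilmer's scripts. It works offline on a constructed LDIF export and assumes gidNumber = uidNumber, a single allocation range starting at FIRST_UID, and RDN values without escaped commas.

```python
# Added example (not from the thread, not Wilmer's scripts): turn an AD LDIF export
# into an FDS LDIF that adds missing OU containers and gives users lacking posix attrs
# a unique uidNumber/gidNumber (assumed gidNumber = uidNumber, no escaped commas).
AD_LDIF = """\
dn: CN=Alice,OU=Eng,OU=Staff,DC=example,DC=com
sAMAccountName: alice
uidNumber: 5001
gidNumber: 5001

dn: CN=Bob,OU=Ops,OU=Staff,DC=example,DC=com
sAMAccountName: bob
"""  # constructed sample export: Alice already has posix attrs, Bob does not
FDS_BASE = "dc=example,dc=com"
EXISTING_FDS_OUS = {"ou=Staff,dc=example,dc=com"}  # assumed already in FDS
FIRST_UID = 5000

def parse_ldif(text):
    # one value per line, no folded or base64 lines; attribute names lowercased
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = [line.split(": ", 1) for line in block.splitlines()]
        entries.append({k.lower(): v for k, v in pairs})
    return entries

def fds_ou_chain(ad_dn):
    # CN=x,OU=Eng,OU=Staff,DC=... -> ["ou=Staff,<base>", "ou=Eng,ou=Staff,<base>"]
    chain, parent = [], FDS_BASE
    for rdn in reversed(ad_dn.split(",")):
        if rdn.upper().startswith("OU="):
            parent = f"ou={rdn[3:]},{parent}"
            chain.append(parent)
    return chain

def build_sync_ldif(ad_ldif, existing_ous, first_uid):
    entries = parse_ldif(ad_ldif)
    used = {int(e["uidnumber"]) for e in entries if "uidnumber" in e}
    next_uid, known, out = first_uid, set(existing_ous), []
    for e in entries:
        chain = fds_ou_chain(e["dn"])
        for ou_dn in chain:  # add each container on the path that FDS lacks
            if ou_dn not in known:
                known.add(ou_dn)
                out.append(f"dn: {ou_dn}\nchangetype: add\nobjectClass: organizationalUnit\nou: {ou_dn[3:].split(',', 1)[0]}\n")
        if "uidnumber" not in e:  # allocate the lowest number nobody holds yet
            while next_uid in used:
                next_uid += 1
            used.add(next_uid)
            out.append(f"dn: uid={e['samaccountname']},{(chain or [FDS_BASE])[-1]}\nchangetype: modify\n"
                       f"add: uidNumber\nuidNumber: {next_uid}\n-\nadd: gidNumber\ngidNumber: {next_uid}\n")
    return "\n".join(out)
```

The OU adds are emitted before any user modify so the containers exist when ldapmodify applies the file in order.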