Fedora directory users - Jan 2009 - Do you use WinSync for group sync?

We''re currently investigating the group sync feature of Windows Sync, 
and we wanted to know how it is deployed.  Do you sync groups?  What 
types of groups?  Security or Distribution?  Global or Local?  Do the 
groups have "meaning" in both AD and Fedora DS, or only in one side?

Hi Rich.


I haven''t worked with the WindowsSync feature much myself, so
I''m not sure
about the group type details your requesting. But what we''re working on
is
syncing AD groups over to DS, and use the group member information to build
our own nis netgroups. These netgroups are then used by PAM to authenticate
users.



On 1/27/09, Rich Megginson <rmeggins@redhat.com>
wrote:
>
> We''re currently investigating the group sync feature of Windows
Sync, and
> we wanted to know how it is deployed.  Do you sync groups?  What types of
> groups?  Security or Distribution?  Global or Local?  Do the groups have
> "meaning" in both AD and Fedora DS, or only in one side?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>

Kenneth Holter wrote:
> Hi Rich.
>  
>  
> I haven''t worked with the WindowsSync feature much myself, so
I''m not
> sure about the group type details your requesting. But what we''re 
> working on is syncing AD groups over to DS, and use the group member 
> information to build our own nis netgroups. These netgroups are then 
> used by PAM to authenticate users.
What are the AD groups used for in AD?  Are they Security Groups or 
Distribution Groups or both?  Are they Global or Local (or Universal)?  
We''re just trying to get a sense of what people use Groups for on both 
sides.
>  
>
>  
> On 1/27/09, *Rich Megginson* <rmeggins@redhat.com 
> <mailto:rmeggins@redhat.com>> wrote:
>
>     We''re currently investigating the group sync feature of
Windows
>     Sync, and we wanted to know how it is deployed.  Do you sync
>     groups?  What types of groups?  Security or Distribution?  Global
>     or Local?  Do the groups have "meaning" in both AD and Fedora
DS,
>     or only in one side?
>
>     --
>     Fedora-directory-users mailing list
>     Fedora-directory-users@redhat.com
>     <mailto:Fedora-directory-users@redhat.com>
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Rich Megginson a écrit :
> We''re currently investigating the group sync feature of Windows
Sync,
> and we wanted to know how it is deployed.  Do you sync groups?  What 
> types of groups?  Security or Distribution?  Global or Local?  Do the 
> groups have "meaning" in both AD and Fedora DS, or only in one
side?
Hi,

We are very interested in Windows Sync. We want to share as database 
between AD ans Fedora DS, because both have qualities in our 
environnement. AD is used for domain management (client computers) and 
file sharing (NTFS), indeed AD basic work.
We also need a "real LDAP" (RFC compliant, opensource, easy to modify 
structure, etc...) for compatibility with the OpenSource environment, 
authentification and directory.

Fedora/RedHat directory seems to be the best way for use with windows 
sync. Howerver, this functionnality is quite difficult to configure 
(essentially for password) and field matching between AD and FDS should 
be more opened. I mean Windows Sync should be perfect is thoses 
additionnal function were implemented :
* choose matching between AD and FDS fileds (eq mail with kerberos 
login, sn and givenname with MS specific ones)
* sync sub trees with much more precision (eq sync 
ou=users,ou=microsoft,dc=europe,dc=priv with 
ou=people,dc=microsoft,dc=example,dc=fr)

For group sync we should use security groups, with global type. In fact, 
windows groups are used for file rights management and security, like 
posix group in unix, and for global authorization like roles.

is Windows sync going to be enhanced ?

br,
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-- 
=========================================Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d''Information (DSI)
tél : 02 38 49 95 88
==========================================

Emmanuel BILLOT wrote:
> Rich Megginson a écrit :
>> We''re currently investigating the group sync feature of
Windows Sync,
>> and we wanted to know how it is deployed.  Do you sync groups?  What 
>> types of groups?  Security or Distribution?  Global or Local?  Do the 
>> groups have "meaning" in both AD and Fedora DS, or only in
one side?
> Hi,
>
> We are very interested in Windows Sync. We want to share as database 
> between AD ans Fedora DS, because both have qualities in our 
> environnement. AD is used for domain management (client computers) and 
> file sharing (NTFS), indeed AD basic work.
> We also need a "real LDAP" (RFC compliant, opensource, easy to
modify
> structure, etc...) for compatibility with the OpenSource environment, 
> authentification and directory.
>
> Fedora/RedHat directory seems to be the best way for use with windows 
> sync. Howerver, this functionnality is quite difficult to configure 
> (essentially for password) and field matching between AD and FDS 
> should be more opened. I mean Windows Sync should be perfect is thoses 
> additionnal function were implemented :
> * choose matching between AD and FDS fileds (eq mail with kerberos 
> login, sn and givenname with MS specific ones)
> * sync sub trees with much more precision (eq sync 
> ou=users,ou=microsoft,dc=europe,dc=priv with 
> ou=people,dc=microsoft,dc=example,dc=fr)
>
> For group sync we should use security groups, with global type. In 
> fact, windows groups are used for file rights management and security, 
> like posix group in unix, and for global authorization like roles.
So in AD, you use Security Groups, and you use them for access
control.
>
> is Windows sync going to be enhanced ?
No.  Windows Sync is only for the bare minimum user/group/password 
sync.  If you need to do more than that, I suggest you look at Penrose 
Virtual Directory -
http://docs.safehaus.org/display/PENROSE/Home
>
> br,
>>
------------------------------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>
>

Hi. Sorry for the late response.

They AD-groups are global security groups. We''ve not quite decided on
whether to use existing AD-groups or create new ones aimed at the linux
environment.


On 1/29/09, Rich Megginson <rmeggins@redhat.com>
wrote:
>
> Kenneth Holter wrote:
>
>> Hi Rich.
>>   I haven''t worked with the WindowsSync feature much myself,
so I''m not
>> sure about the group type details your requesting. But what
we''re working on
>> is syncing AD groups over to DS, and use the group member information
to
>> build our own nis netgroups. These netgroups are then used by PAM to
>> authenticate users.
>>
> What are the AD groups used for in AD?  Are they Security Groups or
> Distribution Groups or both?  Are they Global or Local (or Universal)?
>  We''re just trying to get a sense of what people use Groups for on
both
> sides.
>
>>
>>  On 1/27/09, *Rich Megginson* <rmeggins@redhat.com <mailto:
>> rmeggins@redhat.com>> wrote:
>>
>>    We''re currently investigating the group sync feature of
Windows
>>    Sync, and we wanted to know how it is deployed.  Do you sync
>>    groups?  What types of groups?  Security or Distribution?  Global
>>    or Local?  Do the groups have "meaning" in both AD and
Fedora DS,
>>    or only in one side?
>>
>>    --
>>    Fedora-directory-users mailing list
>>    Fedora-directory-users@redhat.com
>>    <mailto:Fedora-directory-users@redhat.com>
>>    https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>

Kenneth Holter wrote:
> Hi. Sorry for the late response.
>  
> They AD-groups are global security groups. We''ve not quite decided
on
> whether to use existing AD-groups or create new ones aimed at the 
> linux environment.
I don''t know if security groups will sync correctly.  When you create a
group in DS that you want to sync to AD, it will be created as a 
distribution group.
>
>  
> On 1/29/09, *Rich Megginson* <rmeggins@redhat.com 
> <mailto:rmeggins@redhat.com>> wrote:
>
>     Kenneth Holter wrote:
>
>         Hi Rich.
>           I haven''t worked with the WindowsSync feature much
myself,
>         so I''m not sure about the group type details your
requesting.
>         But what we''re working on is syncing AD groups over to DS,
and
>         use the group member information to build our own nis
>         netgroups. These netgroups are then used by PAM to
>         authenticate users.
>
>     What are the AD groups used for in AD?  Are they Security Groups
>     or Distribution Groups or both?  Are they Global or Local (or
>     Universal)?  We''re just trying to get a sense of what people
use
>     Groups for on both sides.
>
>          
>          On 1/27/09, *Rich Megginson* <rmeggins@redhat.com
>         <mailto:rmeggins@redhat.com> <mailto:rmeggins@redhat.com
>         <mailto:rmeggins@redhat.com>>> wrote:
>
>            We''re currently investigating the group sync feature of
Windows
>            Sync, and we wanted to know how it is deployed.  Do you sync
>            groups?  What types of groups?  Security or Distribution?
>          Global
>            or Local?  Do the groups have "meaning" in both AD and
>         Fedora DS,
>            or only in one side?
>
>            --
>            Fedora-directory-users mailing list
>            Fedora-directory-users@redhat.com
>         <mailto:Fedora-directory-users@redhat.com>
>            <mailto:Fedora-directory-users@redhat.com
>         <mailto:Fedora-directory-users@redhat.com>>
>            https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
>        
------------------------------------------------------------------------
>
>         --
>         Fedora-directory-users mailing list
>         Fedora-directory-users@redhat.com
>         <mailto:Fedora-directory-users@redhat.com>
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>          
>
>
>
>     --
>     Fedora-directory-users mailing list
>     Fedora-directory-users@redhat.com
>     <mailto:Fedora-directory-users@redhat.com>
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

I see.  We''re aiming at having all users and groups created on the AD
side
in the first place, so hopefully this will not be an issue.

Thanks for the info anyway - we''ll take this into account while
designing
our setup.


On 2/5/09, Rich Megginson <rmeggins@redhat.com>
wrote:
>
> Kenneth Holter wrote:
>
>> Hi. Sorry for the late response.
>>  They AD-groups are global security groups. We''ve not quite
decided on
>> whether to use existing AD-groups or create new ones aimed at the linux
>> environment.
>>
> I don''t know if security groups will sync correctly.  When you
create a
> group in DS that you want to sync to AD, it will be created as a
> distribution group.
>
>>
>>  On 1/29/09, *Rich Megginson* <rmeggins@redhat.com <mailto:
>> rmeggins@redhat.com>> wrote:
>>
>>    Kenneth Holter wrote:
>>
>>        Hi Rich.
>>          I haven''t worked with the WindowsSync feature much
myself,
>>        so I''m not sure about the group type details your
requesting.
>>        But what we''re working on is syncing AD groups over to
DS, and
>>        use the group member information to build our own nis
>>        netgroups. These netgroups are then used by PAM to
>>        authenticate users.
>>
>>    What are the AD groups used for in AD?  Are they Security Groups
>>    or Distribution Groups or both?  Are they Global or Local (or
>>    Universal)?  We''re just trying to get a sense of what
people use
>>    Groups for on both sides.
>>
>>                 On 1/27/09, *Rich Megginson* <rmeggins@redhat.com
>>        <mailto:rmeggins@redhat.com>
<mailto:rmeggins@redhat.com
>>        <mailto:rmeggins@redhat.com>>> wrote:
>>
>>           We''re currently investigating the group sync feature
of Windows
>>           Sync, and we wanted to know how it is deployed.  Do you sync
>>           groups?  What types of groups?  Security or Distribution?
>>         Global
>>           or Local?  Do the groups have "meaning" in both AD
and
>>        Fedora DS,
>>           or only in one side?
>>
>>           --
>>           Fedora-directory-users mailing list
>>           Fedora-directory-users@redhat.com
>>        <mailto:Fedora-directory-users@redhat.com>
>>           <mailto:Fedora-directory-users@redhat.com
>>        <mailto:Fedora-directory-users@redhat.com>>
>>          
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
>> 
------------------------------------------------------------------------
>>
>>        --
>>        Fedora-directory-users mailing list
>>        Fedora-directory-users@redhat.com
>>        <mailto:Fedora-directory-users@redhat.com>
>>        https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>    --
>>    Fedora-directory-users mailing list
>>    Fedora-directory-users@redhat.com
>>    <mailto:Fedora-directory-users@redhat.com>
>>    https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>