On Mon, 2011-11-21 at 11:55 -0500, Dmitri Pal wrote: > On 11/21/2011 11:48 AM, David Juran wrote: > > Hello. > > > > I have a customer who is using nisNetgroups in microsoft Active > > Directory to keep track of which users are allowed to access which > > services. I've understood that IPA today does not sync this information > > from AD, is this correct? > > > > What about the future, once we can have trust towards an AD? Would that > > allow us to use the nisNet groups in AD for HBAC and sudo? > > Trusts would not help with netgroups. > I wonder if it is something that can be done via a client > configuration. > > But also why not move netgroups into IPA? Dumping the data into LDIF, > creating a script to convert it to IPA internal netgroups format and > loading it is not a huge effort.
That is certainly the approach I will recommend but I suspect part of the problem is that the internal tool that the customer uses for the approval process (i.e. the process where someone approves that user foo should get added to group bar) knows how to communicate with AD but not how to talk to IPA. But if it comes to this, I guess it would be possible to do a regular sync, i.e. dump the LDIF from AD and import it into IPA on a regular basis. In any case, thank you for the answer. -- David Juran Sr. Consultant Red Hat +46-725-345801
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users