On 11/22/2011 08:45 AM, David Juran wrote:
> On Mon, 2011-11-21 at 11:55 -0500, Dmitri Pal wrote:
>> On 11/21/2011 11:48 AM, David Juran wrote:
>>> I have a customer who is using nisNetgroups in microsoft Active
>>> Directory to keep track of which users are allowed to access which
>>> services. I've understood that IPA today does not sync this information
>>> from AD, is this correct?
>>> What about the future, once we can have trust towards an AD? Would that
>>> allow us to use the nisNet groups in AD for HBAC and sudo?
>> Trusts would not help with netgroups.
>> I wonder if it is something that can be done via a client
>> But also why not move netgroups into IPA? Dumping the data into LDIF,
>> creating a script to convert it to IPA internal netgroups format and
>> loading it is not a huge effort.
> That is certainly the approach I will recommend but I suspect part of
> the problem is that the internal tool that the customer uses for the
> approval process (i.e. the process where someone approves that user foo
> should get added to group bar) knows how to communicate with AD but not
> how to talk to IPA. But if it comes to this, I guess it would be
> possible to do a regular sync, i.e. dump the LDIF from AD and import it
> into IPA on a regular basis.
> In any case, thank you for the answer.
I doubt that there is something specific. Netgroup schema is a standard
I suspect that AD uses this schema and the client software just uses
LDAP client connection to get this info.
So in general case it should be the question of pointing the LDAP search
to a different server.
Of cause if the client software has some AD related assumptions like
base DN hardcoded then there will be a problem but app developers
learned this lesson more than 10 years ago so I hope this is not the case.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list