On 02/15/2012 02:39 AM, David Juran wrote:
> On tis, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote:
>>>> I don't think so, but can you provide some examples?
>>> If I understand the customer's use-case correctly (and this is quite a
>>> disclaimer) they have _most_ of their users in one sub-tree in AD but
>>> also some users spread out all over the AD.
>>> So I gather that I really should sync the entire AD. Or that I
>>> _possibly_ could specify multiple sub-trees to sync, but still only on a
>>> subtree level and not individual users to sync. Or that I really should
>>> wait for the trust-to-AD feature to be ready... Is that correct?
>> How would they identify which users they would want sync'd? Is this
>> something we'd be able to build a filter on (not that we actually
>> provide a configurable filter right now)?
> I'll check that, but won't all of this become moot once we can trust an
> AD domain?
> If this filtering would become a show-stopper I'll get back to you, but
> if schedule permits, I'd rather wait for the trust feature rather than
> develop a new feature for this.
If you are seriously considering trust solution - great. The only advice
I want to give is to think about how the final solution based on trusts
would look like. Then look at what you have and try to develop
procedures that would bring you from where you are to where you want to
be. There might be some "aha" moments there as trust solution would work
with latest SSSD and IPA but the older versions of Fedora/RHEL or other
platforms would not be able to participate so you need to think how to
deal with that scenario.
Also if you come across some problems and/or ideas please do not
hesitate to share. Maybe there is something we can do to make the
migration smoother but we need to understand the issues first.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.