Hi, I will ask....
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rich Megginson [[email protected]] Sent: Thursday, 26 July 2012 12:28 p.m. To: Steven Jones Cc: [email protected] Subject: Re: [Freeipa-users] winsync msi On 07/25/2012 06:11 PM, Steven Jones wrote: > Hi, > > From a RH support case as I dont have access to the RDS channel. We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi files. > > No, its doesn't allay my Windows and security ppls concerns.... I was speaking specifically about your original concerns: "No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability." Does the fact that you are now getting a Red Hat branded binary from an official Red Hat download site allay these particular fears? > > http://port389.org/wiki/Download > > "This is an Active Directory "plug-in" that intercepts password changes made > to AD and sends the clear text password to 389 DS to keep the passwords in > sync (when using the Windows Sync feature of 389 DS). > > Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. " "This is an Active Directory "plug-in" that intercepts password changes made to AD Domain Controllers and sends the clear text password over an encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync. It works in conjunction with the Windows Sync feature of 389. You must install this on every Domain Controller. " Better? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rich Megginson [[email protected]] > Sent: Thursday, 26 July 2012 11:59 a.m. > To: Steven Jones > Cc: [email protected] > Subject: Re: [Freeipa-users] winsync msi > > On 07/25/2012 02:41 PM, Steven Jones wrote: >> Hi, >> >> Ah ok, I have the "official" one. > From where did you get it? And does it allay your concerns? > >> One thing on the free site, it says the password is transmitted as clear >> text, no mention of over an encrypted secure channel....the security guys >> had a fit.....so if you update that web page it would help the cause. > Which page is that? The Howto:WindowsSync? > >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Rich Megginson [[email protected]] >> Sent: Thursday, 26 July 2012 1:58 a.m. >> To: Steven Jones >> Cc: [email protected] >> Subject: Re: [Freeipa-users] winsync msi >> >> On 07/24/2012 03:15 PM, Steven Jones wrote: >>> Hi Rich, >>> >>> I can appreciate what you are saying, but.... >>> >>> Not on Windows but specifically AD, the very core of our 21,000+ user base, >>> that makes such an add on significant and gets focus. What we have seen >>> with another similar (yes, commercial) MSI was a clash with another MSI >>> added to AD, the result was not pretty....hence the Windows ppl are very >>> careful when something like this is proposed. >>> >>> So actually some sites where this has been installed commercially would be >>> good, if need be I can raise a call to RH support? or RH NZ rep to get that >>> info in confidence / NDA. >>> >>> IPA like AD is not just another application, its at the very centre of >>> everything. For us it will be the second or third most important system we >>> have. It will probably connect us to ppl across the world and them to us >>> (via federation/shibboleth) let alone our internal user base. >>> >>> Lets see if I can show this, so 99.9% uptime on an application is 9 hours >>> off line per year.....per user.....say 100 users? >>> >>> So 1 hour off line in a business day with 21,000+ users.....21,000 hours >>> lost plus all the meetings on why and how to make sure it wont happen >>> again. If we were down for say a day or two....it would be in the IT if >>> not National papers....(yes OK NZ is small)....I think my new occupation >>> and some of the managers would be....road sweeping.....this makes them very >>> risk adverse. >>> >>> Crazy thing of course is, yes IPA is free....... >>> >>> ;] >>> >>> I can appreciate things seem very strange in that context. Consider that >>> its taken me 7 years to go from being employed specifically long enough to >>> get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having >>> 100 RHEL servers with most of the mission critical things on them.....all >>> down to the quality of open source really......proof is in the >>> eating....its proven very tasty...... >> Ok. If you are a Red Hat paying customer, you should get the >> RedHat-PassSync .msi from an official Red Hat channel. We are working >> on addressing this issue. >>> :) >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: Rich Megginson [[email protected]] >>> Sent: Wednesday, 25 July 2012 2:54 a.m. >>> To: Steven Jones >>> Cc: [email protected] >>> Subject: Re: [Freeipa-users] winsync msi >>> >>> On 07/23/2012 06:32 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> No not specific developers but some sort of statement of ownership from >>>> RedHat I suppose. So they are I assume looking for some sort of confidence >>>> that it wont trash AD and if I install it and it does trash our AD some >>>> liability. >>> Can you point me at another open source project that provides Windows >>> binaries that provides some sort of guarantee or statement or >>> documentation like this? I'd like to see what other projects do and >>> provide something similar. >>> >>> Or is this the first (and only?) time anyone in your organization has >>> ever installed any open source software on Windows? >>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ________________________________________ >>>> From: Rich Megginson [[email protected]] >>>> Sent: Tuesday, 24 July 2012 12:11 p.m. >>>> To: Steven Jones >>>> Cc: [email protected] >>>> Subject: Re: [Freeipa-users] winsync msi >>>> >>>> On 07/23/2012 05:38 PM, Steven Jones wrote: >>>>> Hi, >>>>> >>>>> For the winsync agreement my Windows and security teams want to know its >>>>> details, >>>>> >>>>> eg who wrote it, >>>> Red Hat - do you need to know the names of the developers? >>>> >>>>> it is Microsoft certified etc. >>>> Not that I know of - how would one go about doing that? >>>>> Where will I find such info? >>>>> >>>>> All I have is >>>>> >>>>> http://port389.org/wiki/Download >>>>> >>>>> Which doesn't tell me much. >>>> There is more info in the actual .msi file. >>>>> regards >>>>> >>>>> Steven Jones >>>>> >>>>> Technical Specialist - Linux RHCE >>>>> >>>>> Victoria University, Wellington, NZ >>>>> >>>>> 0064 4 463 6272 >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> [email protected] >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> [email protected] >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> [email protected] >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
