On 02/13/2013 08:10 AM, Rob Crittenden wrote:
Dag Wieers wrote:

We are investigating whether IPA is an acceptable solution for our
environment. One of the aspects that is not clear (from reading the
documentation and testing it without AD) is whether the synchronization
with AD can be limited to a subset.

Since we would like to only synchronize certain user-accounts
(conforming to a specific format) from AD unidirectionally, and we also
want to manage functional/technical accounts on IPA, we need to make
sure that we:

  - can filter the stuff we pull from AD

You can set the subtree to use, I'm not sure if you can supply a filter to the winsync agreement. Rich?

No, this is an RFE

This trac report gives a pretty good idea of the limitations of 389 winsync:

see especially

  - can avoid the synchronisation to remove other accounts managed in IPA

I don't understand the question. You don't want the winsync agreement to affect IPA-specific users? That works.

Can someone confirm that this is possible? Is there any in-depth
information on how this AD synchronization works (preferably about RHEL6
IPA)?

Not beyond what is in the 389-ds-base and IPA documentation. There might be some additional information on the 389-ds wiki.

What would you like to know?

Also since we also require compatibility with Solaris, and roles (RBAC)
is currently used on Solaris, does IPA support RBAC on Solaris? (We
noticed that RBAC mentioned in the IPA web interface only relates to IPA

No, IPA doesn't support RBAC on Solaris.



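For readers following the subtree point above, here is an added illustration (not part of the thread, and not an agreement taken from any real deployment) of what a 389-ds winsync agreement looks like when it is scoped to a single AD organizational unit and synchronizes one way, from Windows. Scoping is expressed only through the subtree pair; the agreement has no attribute for an LDAP filter, which is the RFE mentioned above. Hostnames, DNs, the OU name and the bind password are placeholders. On IPA this object is normally created by `ipa-replica-manage connect --winsync` rather than written by hand.

```ldif
# Added example, not from the mailing-list thread. All names and DNs are
# placeholders; replace them with values for your own environment.
dn: cn=example-ad-sync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: example-ad-sync
description: One-way winsync of a single AD OU (placeholder agreement)
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad-dc.ad.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=ipa-sync,cn=Users,dc=ad,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: REPLACE_WITH_BIND_PASSWORD
nsds7WindowsDomain: ad.example.com
# The subtree pair is the only scoping control: every user under this AD OU
# is considered for sync. There is no attribute that accepts an LDAP filter.
nsds7WindowsReplicaSubtree: ou=Synced Users,dc=ad,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: off
# Unidirectional: changes flow from AD into the directory, never back.
oneWaySync: fromWindows
winSyncInterval: 300
```

Because the only selection mechanism is the OU, the practical way to synchronize "only accounts conforming to a specific format" with this plugin is to have the accounts that should be synchronized live under a dedicated OU on the AD side; entries outside `nsds7WindowsReplicaSubtree` are never touched, and entries created directly in IPA outside the matching directory subtree are left alone by the agreement.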