> Even when IPA implements GC support, nothing will change: by default any
> user that has no explicit permission in ACLs gets what is given to all
> authenticated users, i.e. default read access. When GC is there, all that
> will change is that there will be the ability to resolve IPA users on the
> AD side, thus allowing AD users to assign specific permissions to IPA users.

Agreed.  That's close to word for word what I told them.  However, the 
perception that Windows AD trusts Linux IPA scares them, even though Windows 
admins still have total control over who can see what in their environment.  
It's all perception because Linux is foreign and Windows is well known on that 
side of the fence.  Something to keep in mind when you build it.  Perception 
drives lots of decisions and they're not always rational.  Meantime, I can 
probably find some Microsoft documentation about what trusts really mean that 
might make them more comfortable. 

- Greg


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
