On 02/25/2015 02:15 PM, Hugh wrote:
On 2/25/2015 12:50 PM, Dmitri Pal wrote:
Will all users created via IPA interface be synched to AD?
Is there any harm to make all users be created with the attributes
mentioned earlier in this thread?

Almost all. We have some users that will be role accounts for various
pieces of software. It's fine with me if all users by default get those
attributes and for those that shouldn't we can manually go back and
remove the object/attributes.


I think you can start with adding ntUser object class into the list of the object classes in the IPA configuration in UI. That would apply it to the new entries automatically. If that does not work it is probably a bug. If it works you will have the object class right there.

Next step is creating attributes
- ntUserDomainId - I wonder whether it can be auto-populated using managed entry or CoS configuration in DS. If that works it will be a config change rather than a code change which means it will survive upgrades (most likely).
- ntUserCreateNewAccount - should be set to true AFAIU and I wonder if it can be set to true using same managed entry or CoS mechanism.

I am not saying that would work but that might work and would avoid doing code changes. If you are willing to do code changes then it should be possible to just update the user plugin to autopopulate the entries with these attributes. But that would definitely blow up during upgrade.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
