On 05/31/2013 08:39 AM, rashard.ke...@sita.aero wrote:
> I am working on a team to plan a migration to IPA on our UNIX based
> systems. One thing I was seeking information on is Computer groups. If
> a trust is established with our campus AD infrastructure, will its
> computer groups be shared with IPA or just users?
>
> If computer groups are transferred to host groups this will make
> managing permissions easier without having to recreate all the groups
> on the IPA side
>
> I could not find any info in this document
> http://www.freeipa.org/page/IPAv3_testing_AD_trust. If someone could
> point me to some documentation about the subject it would be really
> helpful.
>

IPA does not share or transfer host groups from AD, and it conceptually
does not make sense, since the systems managed by AD and the systems
managed by IPA are, in our view, completely non-overlapping sets of
systems. Can you please share your reasoning why it is something that
makes sense to have? So far our view of the world was that AD manages
Windows systems and groupings and policies around those while IPA does
the same for Linux systems.

>
> Thank You,
> Rashard Kelly
> Senior Linux Specialist
>
> From:        Martin Kosek <mko...@redhat.com>
> To:        Sumit Bose <sb...@redhat.com>
> Cc:        freeipa-users@redhat.com
> Date:        05/31/2013 06:41 AM
> Subject:        Re: [Freeipa-users] IPA & AD trust question
> Sent by:        freeipa-users-boun...@redhat.com
> ------------------------------------------------------------------------
>
>
>
> On 05/31/2013 09:37 AM, Sumit Bose wrote:
> > On Fri, May 31, 2013 at 06:52:27AM +0000, Ondrej Valousek wrote:
> >> Hi List,
> >>
> >> I have a question - is it possible to use AD trust the way that:
> >> 1. All users are stored in AD
> >> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are stored in IPA?
> >
> > Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
> > I can see no issues.
> >
> >>
> >> If yes then:
> >> 1. Will this scenario honour the RFC2307 user attributes in AD?
> >
> > We are trying to support RFC2307 attributes in AD with the next releases
> > for SSSD and FreeIPA. Currently only algorithmic IP mapping based on the
> > AD user's RID is available.
>
> Ondreji, this is by the way the upstream ticket under which this feature is
> being implemented (in case you want to follow it):
>
> https://fedorahosted.org/freeipa/ticket/2904
>
> There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
> (https://fedorahosted.org/freeipa/report/3), you may also want to check that
> they address your needs (and provide comments if they don't). We are still in a
> design phase, so some amendments are possible.
>
> Thanks,
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

