Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-14 Thread Rich Megginson

On 02/14/2012 07:18 AM, David Juran wrote:

Hello!

On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote:

On 02/10/2012 04:01 AM, David Juran wrote:

I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?


I don't think so, but can you provide some examples?

If I understand the customer's use case correctly (and this is quite a
disclaimer) they have _most_ of their users in one sub-tree in AD but
also some users spread out all over the AD.
So I gather that I really should sync the entire AD. Or that I
_possibly_ could specify multiple sub-trees to sync, but still only on a
subtree level and not individual users to sync. Or that I really should
wait for the trust-to-AD feature to be ready... Is that correct?

You could try syncing several subtrees from AD to IPA.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-14 Thread Rob Crittenden

David Juran wrote:

Hello!

On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote:

On 02/10/2012 04:01 AM, David Juran wrote:



I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?


I don't think so, but can you provide some examples?


If I understand the customer's use case correctly (and this is quite a
disclaimer) they have _most_ of their users in one sub-tree in AD but
also some users spread out all over the AD.
So I gather that I really should sync the entire AD. Or that I
_possibly_ could specify multiple sub-trees to sync, but still only on a
subtree level and not individual users to sync. Or that I really should
wait for the trust-to-AD feature to be ready... Is that correct?


How would they identify which users they would want sync'd? Is this 
something we'd be able to build a filter on (not that we actually 
provide a configurable filter right now)?


rob



Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-14 Thread David Juran
On tis, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote:

 
I don't think so, but can you provide some examples?

If I understand the customer's use case correctly (and this is quite a
disclaimer) they have _most_ of their users in one sub-tree in AD but
also some users spread out all over the AD.
So I gather that I really should sync the entire AD. Or that I
_possibly_ could specify multiple sub-trees to sync, but still only on a
subtree level and not individual users to sync. Or that I really should
wait for the trust-to-AD feature to be ready... Is that correct?

How would they identify which users they would want sync'd? Is this
something we'd be able to build a filter on (not that we actually
provide a configurable filter right now)?

I'll check that, but won't all of this become moot once we can trust an
AD domain?
If this filtering would become a show-stopper I'll get back to you, but
if schedule permits, I'd rather wait for the trust feature rather than
develop a new feature for this.

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801



Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rich Megginson

On 02/10/2012 04:01 AM, David Juran wrote:

Hello

I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?


I don't think so, but can you provide some examples?



Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rich Megginson

On 02/10/2012 11:41 AM, Dmitri Pal wrote:

On 02/10/2012 10:28 AM, Rich Megginson wrote:

On 02/10/2012 04:01 AM, David Juran wrote:

Hello

I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?


I don't think so, but can you provide some examples?


Rich, can one create two different winsync agreements that use different
sub trees on the AD side?
Yes, if they also use two different sub trees on the IPA side.  
Otherwise, you have two different winsync agreements covering the same 
ipa subtree - I have no idea what would happen.

Is there anything that would prevent it from
working? Maybe it should be done from 2 IPA replicas?
You might still have problems with that scenario, just delayed.  That 
is, the ipa subtree is the same on both replicas, so you still have the 
same problem, just delayed by the speed of replication.


The only way to know for sure would be to get some concrete examples, 
then try it out.




Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Dmitri Pal
On 02/10/2012 01:46 PM, Rich Megginson wrote:
On 02/10/2012 11:41 AM, Dmitri Pal wrote:
On 02/10/2012 10:28 AM, Rich Megginson wrote:
On 02/10/2012 04:01 AM, David Juran wrote:
Hello

I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?

I don't think so, but can you provide some examples?

Rich, can one create two different winsync agreements that use different
sub trees on the AD side?
Yes, if they also use two different sub trees on the IPA side.
Otherwise, you have two different winsync agreements covering the same
ipa subtree - I have no idea what would happen.

If the users are different then there should be no collision. Are you
concerned about two winsyncs stepping on each other in terms of keeping
the view (persistent search or something like) at IPA data consistent?

Is there anything that would prevent it from
working? Maybe it should be done from 2 IPA replicas?
You might still have problems with that scenario, just delayed. That
is, the ipa subtree is the same on both replicas, so you still have
the same problem, just delayed by the speed of replication.

The only way to know for sure would be to get some concrete examples,
then try it out.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rich Megginson

On 02/10/2012 12:18 PM, Dmitri Pal wrote:

On 02/10/2012 01:46 PM, Rich Megginson wrote:

On 02/10/2012 11:41 AM, Dmitri Pal wrote:

On 02/10/2012 10:28 AM, Rich Megginson wrote:

On 02/10/2012 04:01 AM, David Juran wrote:

Hello

I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?


I don't think so, but can you provide some examples?


Rich, can one create two different winsync agreements that use different
sub trees on the AD side?

Yes, if they also use two different sub trees on the IPA side.
Otherwise, you have two different winsync agreements covering the same
ipa subtree - I have no idea what would happen.

If the users are different then there should be no collision. Are you
concerned about two winsyncs stepping on each other in terms of keeping
the view (persistent search or something like) at IPA data consistent?

Yes.

Is there anything that would prevent it from
working? Maybe it should be done from 2 IPA replicas?

You might still have problems with that scenario, just delayed.  That
is, the ipa subtree is the same on both replicas, so you still have
the same problem, just delayed by the speed of replication.

The only way to know for sure would be to get some concrete examples,
then try it out.






Re: [Freeipa-users] syncing users more not limited to a subtree

2012-02-10 Thread Rob Crittenden

Rich Megginson wrote:

On 02/10/2012 11:41 AM, Dmitri Pal wrote:

On 02/10/2012 10:28 AM, Rich Megginson wrote:

On 02/10/2012 04:01 AM, David Juran wrote:

Hello

I wonder if it's somehow possible to sync AD-users more selectively than
just by sub-tree. In my case, I'm dealing with a very large organisation
where the users that are to be synced to IPA aren't grouped by a subtree
in AD but rather spread out. Can this be handled somehow?


I don't think so, but can you provide some examples?


Rich, can one create two different winsync agreements that use different
sub trees on the AD side?

Yes, if they also use two different sub trees on the IPA side.
Otherwise, you have two different winsync agreements covering the same
ipa subtree - I have no idea what would happen.

Is there anything that would prevent it from
working? Maybe it should be done from 2 IPA replicas?

You might still have problems with that scenario, just delayed. That is,
the ipa subtree is the same on both replicas, so you still have the same
problem, just delayed by the speed of replication.

The only way to know for sure would be to get some concrete examples,
then try it out.


I'll just add that we don't currently support multiple winsync 
agreements against the same AD server. I opened a ticket on this yesterday.


rob

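Rich's constraint earlier in the thread (two winsync agreements can coexist only if they use distinct subtrees on the AD side and distinct subtrees on the IPA side), together with Rob's note that multiple agreements against the same AD server were unsupported at the time, suggests a simple pre-check before anything is configured. The Python script below is an added example, not code from this thread or from the FreeIPA or 389-ds projects. Every DN, agreement name and IPA container name in it is a constructed sample value, and its DN normalisation (lower-casing attribute types and values, trimming whitespace) is an assumption that is adequate for the container RDNs (ou, cn, dc) such a check deals with. It also reports which AD users, like the "spread out" ones David describes, fall outside every agreement's AD subtree and so would not be synced at all.

```python
"""Pre-check a set of proposed winsync agreements for subtree overlap.

Two agreements may coexist only if their AD subtrees do not overlap and
their IPA subtrees do not overlap.  All DNs below are constructed sample
data; the IPA container names are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leaf first.

    Handles backslash-escaped commas.  Lower-casing types and values is an
    assumption: it mirrors the case-insensitive matching rules used by the
    usual container attributes (ou, cn, dc) well enough for an overlap check.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_within(dn: str, base: str) -> bool:
    """True if dn equals base or lies somewhere under it."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def subtrees_overlap(a: str, b: str) -> bool:
    """Two subtrees overlap if either base sits inside the other."""
    return is_within(a, b) or is_within(b, a)


@dataclass(frozen=True)
class Agreement:
    name: str
    ad_subtree: str
    ipa_subtree: str


def find_conflicts(agreements: list[Agreement]) -> list[tuple[str, str, str]]:
    """Return (name1, name2, side) for every pair whose subtrees overlap."""
    conflicts = []
    for i, x in enumerate(agreements):
        for y in agreements[i + 1:]:
            if subtrees_overlap(x.ad_subtree, y.ad_subtree):
                conflicts.append((x.name, y.name, "ad"))
            if subtrees_overlap(x.ipa_subtree, y.ipa_subtree):
                conflicts.append((x.name, y.name, "ipa"))
    return conflicts


def unsynced_users(user_dns: list[str], agreements: list[Agreement]) -> list[str]:
    """AD users covered by none of the agreements' AD subtrees."""
    return [u for u in user_dns
            if not any(is_within(u, a.ad_subtree) for a in agreements)]


# Constructed sample AD users; Dan's DN deliberately varies case and spacing.
AD_USERS = [
    "cn=Alice Adams,ou=Sales,dc=ad,dc=example,dc=com",
    "CN=Dan Diaz, OU=Field, OU=Sales, DC=ad, DC=example, DC=com",
    "cn=Bob Brown,ou=Engineering,dc=ad,dc=example,dc=com",
    "cn=Carol Cole,cn=Users,dc=ad,dc=example,dc=com",
]

IPA_USERS = "cn=users,cn=accounts,dc=ipa,dc=example,dc=com"

# Distinct AD subtrees but the same IPA subtree: the case Rich warns about.
SAME_IPA_SUBTREE = [
    Agreement("sales", "ou=Sales,dc=ad,dc=example,dc=com", IPA_USERS),
    Agreement("eng", "ou=Engineering,dc=ad,dc=example,dc=com", IPA_USERS),
]

# Distinct subtrees on both sides (IPA container names are constructed).
DISJOINT = [
    Agreement("sales", "ou=Sales,dc=ad,dc=example,dc=com",
              "cn=sales-users,cn=accounts,dc=ipa,dc=example,dc=com"),
    Agreement("eng", "ou=Engineering,dc=ad,dc=example,dc=com",
              "cn=eng-users,cn=accounts,dc=ipa,dc=example,dc=com"),
]

if __name__ == "__main__":
    for label, agreements in (("same IPA subtree", SAME_IPA_SUBTREE),
                              ("disjoint", DISJOINT)):
        print(label, "->", find_conflicts(agreements) or "no overlap")
    print("covered by no agreement:", unsynced_users(AD_USERS, DISJOINT))
```

Run stand-alone, the first pair is flagged as overlapping on the IPA side, the second pair passes, and Carol (who lives in cn=Users rather than in either OU) is reported as covered by no agreement, which is exactly the gap a subtree-only sync leaves for users scattered across the directory.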