Re: [Freeipa-users] winsync msi

2012-09-07 Thread Dmitri Pal
On 07/25/2012 08:32 PM, Steven Jones wrote:
 Hi,

 I will ask


I am trying to make sure we closed all the loose ends.
Steven, is there any update?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Thursday, 26 July 2012 12:28 p.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/25/2012 06:11 PM, Steven Jones wrote:
 Hi,

  From a RH support case as I don't have access to the RDS channel.
 We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi
 files.

 No, it doesn't allay my Windows and security ppl's concerns
 I was speaking specifically about your original concerns:

 No not specific developers but some sort of statement of ownership from
 RedHat I suppose. So they are I assume looking for some sort of
 confidence that it won't trash AD and if I install it and it does trash
 our AD some liability.

 Does the fact that you are now getting a Red Hat branded binary from an
 official Red Hat download site allay these particular fears?

 http://port389.org/wiki/Download

 This is an Active Directory plug-in that intercepts password changes made 
 to AD and sends the clear text password to 389 DS to keep the passwords in 
 sync (when using the Windows Sync feature of 389 DS).

 Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. 
 This is an Active Directory plug-in that intercepts password changes
 made to AD Domain Controllers and sends the clear text password over an
 encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync.
 It works in conjunction with the Windows Sync feature of 389. You must
 install this on every Domain Controller. 

 Better?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Thursday, 26 July 2012 11:59 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/25/2012 02:41 PM, Steven Jones wrote:
 Hi,

 Ah ok, I have the official one.
From where did you get it?  And does it allay your concerns?

 One thing on the free site, it says the password is transmitted as clear 
 text, no mention of over an encrypted secure channel... the security guys 
 had a fit... so if you update that web page it would help the cause.
 Which page is that?  The Howto:WindowsSync?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Thursday, 26 July 2012 1:58 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/24/2012 03:15 PM, Steven Jones wrote:
 Hi Rich,

 I can appreciate what you are saying, but

 Not on Windows but specifically AD, the very core of our 21,000+ user 
 base, that makes such an add on significant and gets focus. What we have 
 seen with another similar (yes, commercial) MSI was a clash with another 
 MSI added to AD, the result was not pretty... hence the Windows ppl are 
 very careful when something like this is proposed.

 So actually some sites where this has been installed commercially would be 
 good, if need be I can raise a call to RH support? or RH NZ rep to get 
 that info in confidence / NDA.

 IPA like AD is not just another application, it's at the very centre of 
 everything. For us it will be the second or third most important system we 
 have.  It will probably connect us to ppl across the world and them to us 
 (via federation/shibboleth) let alone our internal user base.

 Let's see if I can show this, so 99.9% uptime on an application is 9 hours 
 off line per year... per user... say 100 users?

 So 1 hour off line in a business day with 21,000+ users... 21,000 hours 
 lost plus all the meetings on why and how to make sure it won't happen 
 again.  If we were down for say a day or two... it would be in the IT if 
 not National papers... (yes OK NZ is small)... I think my new occupation 
 and some of the managers would be... road sweeping... this makes them 
 very risk averse.

 Crazy thing of course is, yes IPA is free...

 ;]

 I can appreciate things seem very strange in that context.  Consider that 
 it's taken me 7 years to go from being employed specifically long enough to 
 get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 
 100 RHEL servers with most of the mission critical things on them... all 
 down to the quality of open source really... proof is in the 
 eating... it's proven very tasty...
 Ok.  If you are a Red Hat paying customer, you should get the
 RedHat-PassSync .msi from an official Red Hat channel.  We are working
 on addressing this issue

Re: [Freeipa-users] winsync msi

2012-07-25 Thread Rich Megginson

On 07/24/2012 03:15 PM, Steven Jones wrote:

Hi Rich,

I can appreciate what you are saying, but

Not on Windows but specifically AD, the very core of our 21,000+ user base, 
that makes such an add on significant and gets focus. What we have seen with 
another similar (yes, commercial) MSI was a clash with another MSI added to AD, 
the result was not pretty... hence the Windows ppl are very careful when 
something like this is proposed.

So actually some sites where this has been installed commercially would be 
good, if need be I can raise a call to RH support? or RH NZ rep to get that 
info in confidence / NDA.

IPA like AD is not just another application, it's at the very centre of 
everything. For us it will be the second or third most important system we 
have.  It will probably connect us to ppl across the world and them to us (via 
federation/shibboleth) let alone our internal user base.

Let's see if I can show this, so 99.9% uptime on an application is 9 hours off 
line per year... per user... say 100 users?

So 1 hour off line in a business day with 21,000+ users... 21,000 hours lost 
plus all the meetings on why and how to make sure it won't happen again.  If we 
were down for say a day or two... it would be in the IT if not National 
papers... (yes OK NZ is small)... I think my new occupation and some of the 
managers would be... road sweeping... this makes them very risk averse.

Crazy thing of course is, yes IPA is free...

;]

I can appreciate things seem very strange in that context.  Consider that it's 
taken me 7 years to go from being employed specifically long enough to get rid 
of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL 
servers with most of the mission critical things on them... all down to the 
quality of open source really... proof is in the eating... it's proven very 
tasty...
Ok.  If you are a Red Hat paying customer, you should get the 
RedHat-PassSync .msi from an official Red Hat channel.  We are working 
on addressing this issue.


:)

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 25 July 2012 2:54 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 06:32 PM, Steven Jones wrote:

Hi,

No not specific developers but some sort of statement of ownership from RedHat 
I suppose. So they are I assume looking for some sort of confidence that it 
won't trash AD and if I install it and it does trash our AD some liability.

Can you point me at another open source project that provides Windows
binaries that provides some sort of guarantee or statement or
documentation like this?  I'd like to see what other projects do and
provide something similar.

Or is this the first (and only?) time anyone in your organization has
ever installed any open source software on Windows?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 24 July 2012 12:11 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 05:38 PM, Steven Jones wrote:

Hi,

For the winsync agreement my Windows and security teams want to know its 
details,

eg who wrote it,

Red Hat - do you need to know the names of the developers?


it is Microsoft certified etc.

Not that I know of - how would one go about doing that?

Where will I find such info?

All I have is

http://port389.org/wiki/Download

Which doesn't tell me much.

There is more info in the actual .msi file.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users





Re: [Freeipa-users] winsync msi

2012-07-25 Thread Steven Jones
Hi,

Ah ok, I have the official one.

One thing on the free site, it says the password is transmitted as clear text, 
no mention of over an encrypted secure channel... the security guys had a 
fit... so if you update that web page it would help the cause.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 26 July 2012 1:58 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/24/2012 03:15 PM, Steven Jones wrote:
 Hi Rich,

 I can appreciate what you are saying, but

 Not on Windows but specifically AD, the very core of our 21,000+ user base, 
 that makes such an add on significant and gets focus. What we have seen with 
 another similar (yes, commercial) MSI was a clash with another MSI added to 
 AD, the result was not pretty... hence the Windows ppl are very careful when 
 something like this is proposed.

 So actually some sites where this has been installed commercially would be 
 good, if need be I can raise a call to RH support? or RH NZ rep to get that 
 info in confidence / NDA.

 IPA like AD is not just another application, it's at the very centre of 
 everything. For us it will be the second or third most important system we 
 have.  It will probably connect us to ppl across the world and them to us 
 (via federation/shibboleth) let alone our internal user base.

 Let's see if I can show this, so 99.9% uptime on an application is 9 hours off 
 line per year... per user... say 100 users?

 So 1 hour off line in a business day with 21,000+ users... 21,000 hours lost 
 plus all the meetings on why and how to make sure it won't happen again.  If 
 we were down for say a day or two... it would be in the IT if not National 
 papers... (yes OK NZ is small)... I think my new occupation and some of the 
 managers would be... road sweeping... this makes them very risk averse.

 Crazy thing of course is, yes IPA is free...

 ;]

 I can appreciate things seem very strange in that context.  Consider that it's 
 taken me 7 years to go from being employed specifically long enough to get 
 rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL 
 servers with most of the mission critical things on them... all down to the 
 quality of open source really... proof is in the eating... it's proven very 
 tasty...
Ok.  If you are a Red Hat paying customer, you should get the
RedHat-PassSync .msi from an official Red Hat channel.  We are working
on addressing this issue.

 :)

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Wednesday, 25 July 2012 2:54 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/23/2012 06:32 PM, Steven Jones wrote:
 Hi,

 No not specific developers but some sort of statement of ownership from 
 RedHat I suppose. So they are I assume looking for some sort of confidence 
 that it won't trash AD and if I install it and it does trash our AD some 
 liability.
 Can you point me at another open source project that provides Windows
 binaries that provides some sort of guarantee or statement or
 documentation like this?  I'd like to see what other projects do and
 provide something similar.

 Or is this the first (and only?) time anyone in your organization has
 ever installed any open source software on Windows?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Tuesday, 24 July 2012 12:11 p.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/23/2012 05:38 PM, Steven Jones wrote:
 Hi,

 For the winsync agreement my Windows and security teams want to know its 
 details,

 eg who wrote it,
 Red Hat - do you need to know the names of the developers?

 it is Microsoft certified etc.
 Not that I know of - how would one go about doing that?
 Where will I find such info?

 All I have is

 http://port389.org/wiki/Download

 Which doesn't tell me much.
 There is more info in the actual .msi file.
 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272


Re: [Freeipa-users] winsync msi

2012-07-25 Thread Rich Megginson

On 07/25/2012 02:41 PM, Steven Jones wrote:

Hi,

Ah ok, I have the official one.


From where did you get it?  And does it allay your concerns?



One thing on the free site, it says the password is transmitted as clear text, 
no mention of over an encrypted secure channel... the security guys had a 
fit... so if you update that web page it would help the cause.


Which page is that?  The Howto:WindowsSync?




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 26 July 2012 1:58 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/24/2012 03:15 PM, Steven Jones wrote:

Hi Rich,

I can appreciate what you are saying, but

Not on Windows but specifically AD, the very core of our 21,000+ user base, 
that makes such an add on significant and gets focus. What we have seen with 
another similar (yes, commercial) MSI was a clash with another MSI added to AD, 
the result was not pretty... hence the Windows ppl are very careful when 
something like this is proposed.

So actually some sites where this has been installed commercially would be 
good, if need be I can raise a call to RH support? or RH NZ rep to get that 
info in confidence / NDA.

IPA like AD is not just another application, it's at the very centre of 
everything. For us it will be the second or third most important system we 
have.  It will probably connect us to ppl across the world and them to us (via 
federation/shibboleth) let alone our internal user base.

Let's see if I can show this, so 99.9% uptime on an application is 9 hours off 
line per year... per user... say 100 users?

So 1 hour off line in a business day with 21,000+ users... 21,000 hours lost 
plus all the meetings on why and how to make sure it won't happen again.  If we 
were down for say a day or two... it would be in the IT if not National 
papers... (yes OK NZ is small)... I think my new occupation and some of the 
managers would be... road sweeping... this makes them very risk averse.

Crazy thing of course is, yes IPA is free...

;]

I can appreciate things seem very strange in that context.  Consider that it's 
taken me 7 years to go from being employed specifically long enough to get rid 
of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL 
servers with most of the mission critical things on them... all down to the 
quality of open source really... proof is in the eating... it's proven very 
tasty...

Ok.  If you are a Red Hat paying customer, you should get the
RedHat-PassSync .msi from an official Red Hat channel.  We are working
on addressing this issue.

:)

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 25 July 2012 2:54 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 06:32 PM, Steven Jones wrote:

Hi,

No not specific developers but some sort of statement of ownership from RedHat 
I suppose. So they are I assume looking for some sort of confidence that it 
won't trash AD and if I install it and it does trash our AD some liability.

Can you point me at another open source project that provides Windows
binaries that provides some sort of guarantee or statement or
documentation like this?  I'd like to see what other projects do and
provide something similar.

Or is this the first (and only?) time anyone in your organization has
ever installed any open source software on Windows?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 24 July 2012 12:11 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 05:38 PM, Steven Jones wrote:

Hi,

For the winsync agreement my Windows and security teams want to know its 
details,

eg who wrote it,

Red Hat - do you need to know the names of the developers?


it is Microsoft certified etc.

Not that I know of - how would one go about doing that?

Where will I find such info?

All I have is

http://port389.org/wiki/Download

Which doesn't tell me much.

There is more info in the actual .msi file.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


Re: [Freeipa-users] winsync msi

2012-07-25 Thread Steven Jones
Hi,

From a RH support case as I don't have access to the RDS channel.

No, it doesn't allay my Windows and security ppl's concerns

http://port389.org/wiki/Download

This is an Active Directory plug-in that intercepts password changes made to 
AD and sends the clear text password to 389 DS to keep the passwords in sync 
(when using the Windows Sync feature of 389 DS).

Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. 

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 26 July 2012 11:59 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/25/2012 02:41 PM, Steven Jones wrote:
 Hi,

 Ah ok, I have the official one.

 From where did you get it?  And does it allay your concerns?


 One thing on the free site, it says the password is transmitted as clear 
 text, no mention of over an encrypted secure channel... the security guys had 
 a fit... so if you update that web page it would help the cause.

Which page is that?  The Howto:WindowsSync?



 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Thursday, 26 July 2012 1:58 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/24/2012 03:15 PM, Steven Jones wrote:
 Hi Rich,

 I can appreciate what you are saying, but

 Not on Windows but specifically AD, the very core of our 21,000+ user base, 
 that makes such an add on significant and gets focus. What we have seen with 
 another similar (yes, commercial) MSI was a clash with another MSI added to 
 AD, the result was not pretty... hence the Windows ppl are very careful when 
 something like this is proposed.

 So actually some sites where this has been installed commercially would be 
 good, if need be I can raise a call to RH support? or RH NZ rep to get that 
 info in confidence / NDA.

 IPA like AD is not just another application, it's at the very centre of 
 everything. For us it will be the second or third most important system we 
 have.  It will probably connect us to ppl across the world and them to us 
 (via federation/shibboleth) let alone our internal user base.

 Let's see if I can show this, so 99.9% uptime on an application is 9 hours 
 off line per year... per user... say 100 users?

 So 1 hour off line in a business day with 21,000+ users... 21,000 hours 
 lost plus all the meetings on why and how to make sure it won't happen again. 
  If we were down for say a day or two... it would be in the IT if not 
 National papers... (yes OK NZ is small)... I think my new occupation and 
 some of the managers would be... road sweeping... this makes them very risk 
 averse.

 Crazy thing of course is, yes IPA is free...

 ;]

 I can appreciate things seem very strange in that context.  Consider that 
 it's taken me 7 years to go from being employed specifically long enough to 
 get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 
 RHEL servers with most of the mission critical things on them... all down 
 to the quality of open source really... proof is in the eating... it's 
 proven very tasty...
 Ok.  If you are a Red Hat paying customer, you should get the
 RedHat-PassSync .msi from an official Red Hat channel.  We are working
 on addressing this issue.
 :)

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Wednesday, 25 July 2012 2:54 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/23/2012 06:32 PM, Steven Jones wrote:
 Hi,

 No not specific developers but some sort of statement of ownership from 
 RedHat I suppose. So they are I assume looking for some sort of confidence 
 that it won't trash AD and if I install it and it does trash our AD some 
 liability.
 Can you point me at another open source project that provides Windows
 binaries that provides some sort of guarantee or statement or
 documentation like this?  I'd like to see what other projects do and
 provide something similar.

 Or is this the first (and only?) time anyone in your organization has
 ever installed any open source software on Windows?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Tuesday, 24 July 2012 12:11 p.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/23/2012 05:38 PM, Steven Jones wrote:
 Hi,

 For the winsync agreement my Windows

Re: [Freeipa-users] winsync msi

2012-07-25 Thread Rich Megginson

On 07/25/2012 06:11 PM, Steven Jones wrote:

Hi,

 From a RH support case as I don't have access to the RDS channel.


We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi 
files.


No, it doesn't allay my Windows and security ppl's concerns


I was speaking specifically about your original concerns:

No not specific developers but some sort of statement of ownership from 
RedHat I suppose. So they are I assume looking for some sort of 
confidence that it won't trash AD and if I install it and it does trash 
our AD some liability.


Does the fact that you are now getting a Red Hat branded binary from an 
official Red Hat download site allay these particular fears?




http://port389.org/wiki/Download

This is an Active Directory plug-in that intercepts password changes made to 
AD and sends the clear text password to 389 DS to keep the passwords in sync (when using the 
Windows Sync feature of 389 DS).

Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. 


This is an Active Directory plug-in that intercepts password changes 
made to AD Domain Controllers and sends the clear text password over an 
encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync. 
It works in conjunction with the Windows Sync feature of 389. You must 
install this on every Domain Controller. 


Better?



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 26 July 2012 11:59 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/25/2012 02:41 PM, Steven Jones wrote:

Hi,

Ah ok, I have the official one.

   From where did you get it?  And does it allay your concerns?


One thing on the free site, it says the password is transmitted as clear text, 
no mention of over an encrypted secure channel... the security guys had a 
fit... so if you update that web page it would help the cause.

Which page is that?  The Howto:WindowsSync?



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 26 July 2012 1:58 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/24/2012 03:15 PM, Steven Jones wrote:

Hi Rich,

I can appreciate what you are saying, but

Not on Windows but specifically AD, the very core of our 21,000+ user base, 
that makes such an add on significant and gets focus. What we have seen with 
another similar (yes, commercial) MSI was a clash with another MSI added to AD, 
the result was not pretty... hence the Windows ppl are very careful when 
something like this is proposed.

So actually some sites where this has been installed commercially would be 
good, if need be I can raise a call to RH support? or RH NZ rep to get that 
info in confidence / NDA.

IPA like AD is not just another application, it's at the very centre of 
everything. For us it will be the second or third most important system we 
have.  It will probably connect us to ppl across the world and them to us (via 
federation/shibboleth) let alone our internal user base.

Let's see if I can show this, so 99.9% uptime on an application is 9 hours off 
line per year... per user... say 100 users?

So 1 hour off line in a business day with 21,000+ users... 21,000 hours lost 
plus all the meetings on why and how to make sure it won't happen again.  If we 
were down for say a day or two... it would be in the IT if not National 
papers... (yes OK NZ is small)... I think my new occupation and some of the 
managers would be... road sweeping... this makes them very risk averse.

Crazy thing of course is, yes IPA is free...

;]

I can appreciate things seem very strange in that context.  Consider that it's 
taken me 7 years to go from being employed specifically long enough to get rid 
of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL 
servers with most of the mission critical things on them... all down to the 
quality of open source really... proof is in the eating... it's proven very 
tasty...

Ok.  If you are a Red Hat paying customer, you should get the
RedHat-PassSync .msi from an official Red Hat channel.  We are working
on addressing this issue.

:)

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 25 July 2012 2:54 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 06:32 PM, Steven Jones wrote:

Hi,

No not specific developers but some sort of statement of ownership from RedHat 
I suppose. So they are I assume looking for some sort of confidence that it 
won't trash AD

Re: [Freeipa-users] winsync msi

2012-07-25 Thread Steven Jones
Hi,

I will ask

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 26 July 2012 12:28 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/25/2012 06:11 PM, Steven Jones wrote:
 Hi,

  From a RH support case as I don't have access to the RDS channel.

We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi
files.


 No, it doesn't allay my Windows and security ppl's concerns

I was speaking specifically about your original concerns:

No not specific developers but some sort of statement of ownership from
RedHat I suppose. So they are I assume looking for some sort of
confidence that it won't trash AD and if I install it and it does trash
our AD some liability.

Does the fact that you are now getting a Red Hat branded binary from an
official Red Hat download site allay these particular fears?


 http://port389.org/wiki/Download

 This is an Active Directory plug-in that intercepts password changes made 
 to AD and sends the clear text password to 389 DS to keep the passwords in 
 sync (when using the Windows Sync feature of 389 DS).

 Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. 

This is an Active Directory plug-in that intercepts password changes
made to AD Domain Controllers and sends the clear text password over an
encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync.
It works in conjunction with the Windows Sync feature of 389. You must
install this on every Domain Controller. 

Better?


 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Thursday, 26 July 2012 11:59 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/25/2012 02:41 PM, Steven Jones wrote:
 Hi,

 Ah ok, I have the official one.
From where did you get it?  And does it allay your concerns?

 One thing on the free site, it says the password is transmitted as clear 
 text, no mention of over an encrypted secure channel... the security guys 
 had a fit... so if you update that web page it would help the cause.
 Which page is that?  The Howto:WindowsSync?


 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rich Megginson [rmegg...@redhat.com]
 Sent: Thursday, 26 July 2012 1:58 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] winsync msi

 On 07/24/2012 03:15 PM, Steven Jones wrote:
 Hi Rich,

 I can appreciate what you are saying, but

 Not on Windows but specifically AD, the very core of our 21,000+ user base, 
 that makes such an add on significant and gets focus. What we have seen 
 with another similar (yes, commercial) MSI was a clash with another MSI 
 added to AD, the result was not prettyhence the Windows ppl are very 
 careful when something like this is proposed.

 So actually some sites where this has been installed commercially would be 
 good, if need be I can raise a call to RH support? or RH NZ rep to get that 
 info in confidence / NDA.

 IPA like AD is not just another application, it's at the very centre of 
 everything. For us it will be the second or third most important system we 
 have.  It will probably connect us to ppl across the world and them to us 
 (via federation/shibboleth) let alone our internal user base.

 Let's see if I can show this, so 99.9% uptime on an application is 9 hours 
 off line per year... per user... say 100 users?

 So 1 hour off line in a business day with 21,000+ users... 21,000 hours 
 lost plus all the meetings on why and how to make sure it won't happen 
 again.  If we were down for say a day or two... it would be in the IT if 
 not National papers... (yes OK NZ is small)... I think my new occupation 
 and some of the managers would be... road sweeping... this makes them very 
 risk averse.

 Crazy thing of course is, yes IPA is free...

 ;]

 I can appreciate things seem very strange in that context.  Consider that 
 it's taken me 7 years to go from being employed specifically long enough to 
 get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 
 100 RHEL servers with most of the mission critical things on them... all 
 down to the quality of open source really... proof is in the 
 eating... it's proven very tasty...
 Ok.  If you are a Red Hat paying customer, you should get the
 RedHat-PassSync .msi from an official Red Hat channel.  We are working
 on addressing this issue.
 :)

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

Re: [Freeipa-users] winsync msi

2012-07-24 Thread Rich Megginson

On 07/23/2012 06:32 PM, Steven Jones wrote:

Hi,

No not specific developers but some sort of statement of ownership from RedHat 
I suppose. So they are I assume looking for some sort of confidence that it 
won't trash AD and if I install it and it does trash our AD some liability.


Can you point me at another open source project that provides Windows 
binaries that provides some sort of guarantee or statement or 
documentation like this?  I'd like to see what other projects do and 
provide something similar.


Or is this the first (and only?) time anyone in your organization has 
ever installed any open source software on Windows?




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 24 July 2012 12:11 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 05:38 PM, Steven Jones wrote:

Hi,

For the winsync agreement my Windows and security teams want to know its 
details,

eg who wrote it,

Red Hat - do you need to know the names of the developers?


it is Microsoft certified etc.

Not that I know of - how would one go about doing that?

Where will I find such info?

All I have is

http://port389.org/wiki/Download

Which doesn't tell me much.

There is more info in the actual .msi file.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






Re: [Freeipa-users] winsync msi

2012-07-23 Thread Rich Megginson

On 07/23/2012 05:38 PM, Steven Jones wrote:

Hi,

For the winsync agreement my Windows and security teams want to know its 
details,

eg who wrote it,


Red Hat - do you need to know the names of the developers?


it is Microsoft certified etc.

Not that I know of - how would one go about doing that?


Where will I find such info?

All I have is

http://port389.org/wiki/Download

Which doesn't tell me much.

There is more info in the actual .msi file.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] winsync msi

2012-07-23 Thread Steven Jones
Hi,

No not specific developers but some sort of statement of ownership from RedHat 
I suppose. So they are I assume looking for some sort of confidence that it 
won't trash AD and if I install it and it does trash our AD some liability.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 24 July 2012 12:11 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 05:38 PM, Steven Jones wrote:
 Hi,

 For the winsync agreement my Windows and security teams want to know its 
 details,

 eg who wrote it,

Red Hat - do you need to know the names of the developers?

 it is Microsoft certified etc.
Not that I know of - how would one go about doing that?

 Where will I find such info?

 All I have is

 http://port389.org/wiki/Download

 Which doesn't tell me much.
There is more info in the actual .msi file.

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272
