[Freeipa-users] Limit password synchronization from Active Directory
Rich Megginson
rmeggins at redhat.com
Tue Jul 16 23:05:37 UTC 2013
On 07/16/2013 05:00 PM, Tovey, Mark wrote:
>
> We can live with that. We want to be able to disable an account
> in AD and have that flow out to our *nix servers. If we make the
> procedure to delete the password in AD, that should effectively
> disable the account in IPA as well.
>
I don't think PassSync will sync password deletion events.
> Thanks,
>
> -Mark
>
>
> ________________________________________________________________
>
> Mark Tovey - UNIX Engineer | Service Strategy & Design
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:53 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from
> Active Directory
>
> On 07/16/2013 04:50 PM, Tovey, Mark wrote:
>
> At the end of the day, all we really need is password
>
>
> You can do this with just PassSync on AD and without the rest of winsync.
>
>
> and preferably account disabling synchronized.
>
>
> You have to use winsync for that.
>
>
> The rest is not absolutely necessary. I saw that part of the
> documentation, but did not fully understand it (in a hurry!). Now
> that I see it in a different light, it becomes much clearer. I will
> look into this.
>
> Thanks,
>
> -Mark
>
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:17 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from
> Active Directory
>
> On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
> Ouch! The AD admins have already expressed an unwillingness to
> move some users into a separate container. And I don't want to
> have several thousand unnecessary entries in my IPA system. It
> looks like password synchronization is not going to be an option.
>
>
> With 389 it is possible to disable sync of AD user creation to DS.
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> 12.4.4.2. Configuring User Sync in the Command Line
>
> To disable user sync, set nsds7NewWinUserSyncEnabled: off
>
> Then, you will add the ntUser objectclass to each IPA user you want to
> sync, and at the same time add the attribute ntUserDomainID: username
> (corresponds to the AD user samAccountName attribute). This will
> "link" the IPA user entry to the corresponding AD user entry.
>
> You mention password sync and user sync - I'm not sure if you mean
> them separately, or if you are implying that they have to be used
> together - they do not. You should be able to install PassSync on
> your domain controllers _without configuring a winsync agreement in
> IPA_. PassSync should then just ignore password changes for users
> that it cannot find in IPA.
>
> Thanks,
>
> -Mark
>
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
> Is there a way to limit what user accounts are synchronized
> from Active Directory? There are around 15,000 entries in our
> production AD system, but probably only about 300 of those need to
> have an account in the IPA system. Can we set an attribute in the
> user information in AD that would flag that this is a candidate
> for replication, and lack of that attribute would cause an account
> to be skipped?
>
>
> No. The only thing you can do is create a special container (cn=IPA
> users or ou=IPA users or something like that), move the users you want
> to sync into that container, and sync only that container.
>
> Thanks,
>
> -Mark
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
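The procedure Rich describes in the thread (set nsds7NewWinUserSyncEnabled: off on the winsync agreement, then add the ntUser objectclass and ntUserDomainID to only the IPA users that should be linked to AD) as an added example that generates the corresponding LDIF; this is not code from the thread or from FreeIPA/389 DS, and every DN, uid and sAMAccountName in it is a constructed placeholder. It also skips any link whose sAMAccountName is not in the (constructed) AD account list, so a typo does not leave an IPA entry claiming a nonexistent AD account.

```python
# Constructed sample: IPA uid -> AD sAMAccountName for the users that should
# receive AD password sync. The two names may differ ("asmith" vs "a.smith").
LINKED_USERS = {
    "jdoe": "jdoe",
    "asmith": "a.smith",
    "ghost": "nobody",   # deliberately absent from AD to show the skip path
}
# Constructed sample of sAMAccountNames present in AD.
AD_ACCOUNTS = {"jdoe", "a.smith", "bjones"}

IPA_USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"           # placeholder
AGREEMENT_DN = ('cn=meToAD,cn=replica,cn="dc=example,dc=com",'
                "cn=mapping tree,cn=config")                         # placeholder


def disable_new_user_sync_ldif(agreement_dn=AGREEMENT_DN):
    """LDIF that stops winsync from creating an IPA entry for every AD user."""
    return (f"dn: {agreement_dn}\n"
            "changetype: modify\n"
            "replace: nsds7NewWinUserSyncEnabled\n"
            "nsds7NewWinUserSyncEnabled: off\n")


def link_user_ldif(uid, sam_account_name, base=IPA_USERS_BASE):
    """LDIF that links one IPA user to its AD account via ntUser/ntUserDomainID."""
    return (f"dn: uid={uid},{base}\n"
            "changetype: modify\n"
            "add: objectclass\n"
            "objectclass: ntUser\n"
            "-\n"
            "add: ntUserDomainID\n"
            f"ntUserDomainID: {sam_account_name}\n")


def build_ldif(linked=LINKED_USERS, ad_accounts=AD_ACCOUNTS):
    """Return (ldif_text, skipped_uids): the agreement change followed by one
    link modification per user whose sAMAccountName exists in AD."""
    parts = [disable_new_user_sync_ldif()]
    skipped = []
    for uid, sam in sorted(linked.items()):
        if sam not in ad_accounts:
            skipped.append(uid)
            continue
        parts.append(link_user_ldif(uid, sam))
    return "\n".join(parts), skipped


if __name__ == "__main__":
    text, skipped = build_ldif()
    print(text)
    print("# skipped (no matching AD account):", skipped)
```

The printed text is what you would feed to ldapmodify against the IPA directory server; the skipped list is the set of links to investigate before applying it.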