[Freeipa-users] Limit password synchronization from Active Directory

Rich Megginson rmeggins at redhat.com
Tue Jul 16 23:05:37 UTC 2013


On 07/16/2013 05:00 PM, Tovey, Mark wrote:
>
>     We can live with that.  We want to be able to disable an account 
> in AD and have that flow out to our *nix servers.  If we make the 
> procedure to delete the password in AD, that should effectively 
> disable the account in IPA as well.
>

I don't think PassSync will sync password deletion events.

>     Thanks,
>
>     -Mark
>
>
> ________________________________________________________________
>
> Mark Tovey - UNIX Engineer | Service Strategy & Design
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Tuesday, July 16, 2013 3:53 PM
> To: Tovey, Mark
> Cc: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Limit password synchronization from
> Active Directory
>
> On 07/16/2013 04:50 PM, Tovey, Mark wrote:
>
>         At the end of the day, all we really need is password
>
>
> You can do this with just PassSync on AD and without the rest of winsync.
>
>
> and preferably account disabling synchronized.
>
>
> You have to use winsync for that.
>
>
> The rest is not absolutely necessary.  I saw that part of the 
> documentation, but did not fully understand it (in a hurry!).  Now 
> that I see it in a different light, it becomes much clearer.  I will 
> look into this.
>
>     Thanks,
>
>     -Mark
>
>
>
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Tuesday, July 16, 2013 3:17 PM
> To: Tovey, Mark
> Cc: Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] Limit password synchronization from
> Active Directory
>
> On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
>         Ouch! The AD admins have already expressed an unwillingness to
>     move some users into a separate container.  And I don't want to
>     have several thousand unnecessary entries in my IPA system.  It
>     looks like password synchronization is not going to be an option.
>
>
> With 389 it is possible to disable sync of AD user creation to DS.
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> 12.4.4.2. Configuring User Sync in the Command Line
>
> To disable user sync, set nsds7NewWinUserSyncEnabled: off
>
> Then, you will add the ntUser objectclass to each IPA user you want to 
> sync, and at the same time add the attribute ntUserDomainID: username 
> (corresponds to the AD user samAccountName attribute).  This will 
> "link" the IPA user entry to the corresponding AD user entry.
>
> You mention password sync and user sync - I'm not sure if you mean 
> them separately, or if you are implying that they have to be used 
> together - they do not.  You should be able to install PassSync on 
> your domain controllers _without configuring a winsync agreement in 
> IPA_.  PassSync should then just ignore password changes for users 
> that it cannot find in IPA.
>
>     Thanks,
>
>     -Mark
>
>
>
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Tuesday, July 16, 2013 1:00 PM
> To: Tovey, Mark
> Cc: Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] Limit password synchronization from
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory?  There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>     Thanks,
>
>     -Mark
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
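The two-step setup Rich describes above (turn off creation of new IPA users on the winsync agreement, then link the handful of existing IPA users to their AD accounts with the ntUser objectclass and ntUserDomainID) is easy to get subtly wrong when done by hand for a few hundred users. The script below is an added example, not code from the thread or from the FreeIPA or 389 projects: it generates the LDIF for both steps, refuses to map one AD account to two IPA users, and includes an audit helper for checking which entries are already linked. The DNs (the "adsync" agreement name and dc=example,dc=com suffix), the sAMAccountName sanity rules and the sample user list are assumptions for the example.

```python
"""Constructed example: build the LDIF for the two winsync steps in the thread.

Step 1: on the winsync agreement, stop automatic creation of IPA users
        for new AD users (nsds7NewWinUserSyncEnabled: off).
Step 2: for each IPA user that should follow AD, add the ntUser objectclass
        and ntUserDomainID = the AD sAMAccountName, which links the entries.
"""
import base64

# Assumed placeholder DNs (not from the thread). Winsync agreements live under
# cn=mapping tree,cn=config in 389 DS; "adsync" is an invented agreement name.
IPA_USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
AGREEMENT_DN = ("cn=adsync,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,"
                "cn=mapping tree,cn=config")

# Characters AD rejects in sAMAccountName; the length limit is 20.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def validate_sam(sam):
    """Sanity-check an AD sAMAccountName before writing it into ntUserDomainID."""
    if not 0 < len(sam) <= 20 or any(c in _SAM_FORBIDDEN or ord(c) < 32 for c in sam):
        raise ValueError(f"not a valid sAMAccountName: {sam!r}")
    return sam


def dn_escape(value):
    """Escape an RDN value per RFC 4514 so uid values with ',' or '+' stay valid."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr, value):
    """One LDIF attribute line; base64-encode when RFC 2849 treats the value as
    unsafe (leading space/colon/'<', trailing space, non-ASCII). Control
    characters are encoded too, which is stricter than the RFC requires."""
    unsafe = (
        value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(ord(c) > 127 or ord(c) < 32 for c in value)
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def disable_new_user_sync(agreement_dn=AGREEMENT_DN):
    """Step 1: LDIF that stops winsync from creating IPA users for new AD users."""
    return "\n".join([
        ldif_line("dn", agreement_dn),
        "changetype: modify",
        "replace: nsds7NewWinUserSyncEnabled",
        "nsds7NewWinUserSyncEnabled: off",
        "",
    ])


def link_user(uid, sam_account_name, base_dn=IPA_USER_BASE):
    """Step 2: LDIF that links one existing IPA user to its AD account."""
    validate_sam(sam_account_name)
    return "\n".join([
        ldif_line("dn", f"uid={dn_escape(uid)},{base_dn}"),
        "changetype: modify",
        "add: objectclass",
        "objectclass: ntUser",
        "-",
        "add: ntUserDomainID",
        ldif_line("ntUserDomainID", sam_account_name),
        "",
    ])


def link_batch(pairs, base_dn=IPA_USER_BASE):
    """LDIF for many (ipa_uid, sAMAccountName) pairs. Refuses to map one AD
    account to two different IPA users, which would be a mapping error."""
    owner = {}
    chunks = []
    for uid, sam in pairs:
        key = sam.lower()  # sAMAccountName comparisons are case-insensitive in AD
        if owner.setdefault(key, uid) != uid:
            raise ValueError(f"{sam!r} is already linked to IPA user {owner[key]!r}")
        chunks.append(link_user(uid, sam, base_dn))
    return "\n".join(chunks)


def is_linked(entry):
    """Audit helper: True if an entry (attribute -> list of values, as ldapsearch
    returns it) already carries objectclass ntUser and an ntUserDomainID."""
    attrs = {k.lower(): v for k, v in entry.items()}
    has_oc = any(v.lower() == "ntuser" for v in attrs.get("objectclass", []))
    return has_oc and bool(attrs.get("ntuserdomainid"))


if __name__ == "__main__":
    # Constructed sample: three IPA users that should follow their AD accounts.
    sample = [("mtovey", "mtovey"), ("jdoe", "JDOE"), ("o.neil", "oneil")]
    print(disable_new_user_sync())
    print(link_batch(sample))
```

Feed the printed LDIF to ldapmodify against the IPA directory server; the agreement change needs a bind with rights on cn=config, the user links only need write access to the user entries. Running is_linked over an ldapsearch dump of cn=users before generating the batch avoids adding ntUser twice to entries that were linked earlier.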
