[Freeipa-users] Limit password synchronization from Active Directory

Rich Megginson rmeggins at redhat.com
Wed Jul 17 00:43:30 UTC 2013


On 07/16/2013 05:33 PM, Tovey, Mark wrote:
>
>     You make this difficult!  But after explaining what we are trying 
> to accomplish here to our AD Architect, he offered some flexibility 
> with the subcontainer option.  My users may have to live with two 
> accounts in AD (one for everyday functions like email, the other for 
> extra access like *nix), but that will allow our User Account 
> Management team to enable, disable, and reset accounts from within one 
> tool. Actual server access will still be managed by our Unix team 
> through IPA.
>

You can't just disable sync of AD user creation?  And just add the sync 
attributes to the IPA entries you want to sync?

>     Thanks,
>
>      -Mark
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 4:06 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 05:00 PM, Tovey, Mark wrote:
>
>         We can live with that.  We want to be able to disable an
>     account in AD and have that flow out to our *nix servers.  If we
>     make the procedure to delete the password in AD, that should
>     effectively disable the account in IPA as well.
>
>
> I don't think PassSync will sync password deletion events.
>
>
>     Thanks,
>
>     -Mark
>
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:53 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:50 PM, Tovey, Mark wrote:
>
>         At the end of the day, all we really need is password
>
>
> You can do this with just PassSync on AD and without the rest of winsync.
>
>
>
> and preferably account disabling synchronized.
>
>
> You have to use winsync for that.
>
>
>
> The rest is not absolutely necessary.  I saw that part of the 
> documentation, but did not fully understand it (in a hurry!).  Now 
> that I see it in a different light, it becomes much clearer.  I will 
> look into this.
>
>     Thanks,
>
>     -Mark
>
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:17 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
>         Ouch! The AD admins have already expressed an unwillingness to
>     move some users into a separate container.  And I don't want to
>     have several thousand unnecessary entries in my IPA system.  It
>     looks like password synchronization is not going to be an option.
>
>
> With 389 it is possible to disable sync of AD user creation to DS.
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> 12.4.4.2. Configuring User Sync in the Command Line
>
> To disable user sync, set nsds7NewWinUserSyncEnabled: off
>
> Then, you will add the ntUser objectclass to each IPA user you want to 
> sync, and at the same time add the attribute ntUserDomainID: username 
> (corresponds to the AD user samAccountName attribute).  This will 
> "link" the IPA user entry to the corresponding AD user entry.
>
> You mention password sync and user sync - I'm not sure if you mean 
> them separately, or if you are implying that they have to be used 
> together - they do not.  You should be able to install PassSync on 
> your domain controllers _without configuring a winsync agreement in 
> IPA_.  PassSync should then just ignore password changes for users 
> that it cannot find in IPA.
>
>     Thanks,
>
>     -Mark
>
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory?  There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>     Thanks,
>
>     -Mark
>
>

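The two directory changes Rich describes in the thread (turning off creation of IPA users from new AD users with nsds7NewWinUserSyncEnabled: off, then adding the ntUser objectclass and ntUserDomainID to only the IPA entries that should sync) are shown below as an added example; it is not code from the thread, from FreeIPA or from 389 DS. The script only generates LDIF for review; applying it with ldapmodify is left as a commented usage line. The winsync agreement DN (AGREEMENT_DN) and the IPA suffix (IPA_BASE) are placeholders that must be replaced with the values from your own deployment.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the LDIF for the two
# steps discussed: disable sync of AD user creation, and link selected IPA
# users to their AD accounts. Review the output before piping it to ldapmodify.
#
# Assumptions (placeholders, adjust for your deployment):
#   AGREEMENT_DN - the 389 DS winsync agreement entry under cn=config
#   IPA_BASE     - the IPA suffix under which cn=users,cn=accounts lives
AGREEMENT_DN="${AGREEMENT_DN:-cn=ad-winsync,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config}"
IPA_BASE="${IPA_BASE:-dc=example,dc=com}"

# LDIF that stops winsync from creating an IPA user for every AD user
# (nsds7NewWinUserSyncEnabled: off, as in the quoted documentation section).
disable_new_user_sync_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsds7NewWinUserSyncEnabled\nnsds7NewWinUserSyncEnabled: off\n' \
        "$AGREEMENT_DN"
}

# LDIF that links one existing IPA user to its AD account: add the ntUser
# objectclass and ntUserDomainID (the AD sAMAccountName). The second argument
# is only needed when the AD account name differs from the IPA uid.
link_user_ldif() {
    uid=$1
    sam=${2:-$1}
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nadd: objectclass\nobjectclass: ntUser\n-\nadd: ntUserDomainID\nntUserDomainID: %s\n' \
        "$uid" "$IPA_BASE" "$sam"
}

# Count linked IPA users in ldapsearch output piped on stdin. A quick check
# that only the intended handful of accounts (about 300 in the thread, not
# all 15,000 AD users) carry the link attribute.
count_linked() {
    grep -ci '^ntUserDomainID:'
}

# Usage (apply only after reviewing the generated LDIF):
#   disable_new_user_sync_ldif | ldapmodify -x -D "cn=Directory Manager" -W
#   for u in $(cat users-to-sync.txt); do link_user_ldif "$u"; done \
#       | ldapmodify -x -D "cn=Directory Manager" -W
#   ldapsearch -x -b "cn=users,cn=accounts,$IPA_BASE" '(objectclass=ntUser)' ntUserDomainID | count_linked
```

Because PassSync only updates passwords for users it can find in IPA, keeping ntUserDomainID on exactly the linked entries is what bounds which AD password changes reach IPA; the count_linked check is a cheap way to confirm that set has not grown unexpectedly.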