<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/16/2013 05:33 PM, Tovey, Mark
wrote:<br>
</div>
<blockquote
cite="mid:159018F515D5B14CA76C88F9C425325A65E162@sinmpt10.corp.go2uti.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> You make
this difficult! :-) But after explaining what we are
trying to accomplish here to our AD Architect, he offered
some flexibility with the subcontainer option. My users may
have to live with two accounts in AD (one for everyday
functions like email, the other for extra access like *nix),
but that will allow our User Account Management team to
enable, disable, and reset accounts from within one tool.
Actual server access will still be managed by our Unix team
through IPA.</span></p>
</div>
</blockquote>
<br>
You can't just disable sync of AD user creation? And just add the
sync attributes to the IPA entries you want to sync?<br>
<br>
<blockquote
cite="mid:159018F515D5B14CA76C88F9C425325A65E162@sinmpt10.corp.go2uti.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB">________________________________________________________________<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB">Mark Tovey - UNIX Engineer | Service
Strategy & Design<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"
lang="EN-GB"><a moz-do-not-send="true"
href="http://www.go2uti.com/">UTi</a>
</span><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB">| 400 SW Sixth Ave, Suite 1100 | Portland |
Oregon | 97204 | USA<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB"><a moz-do-not-send="true"
href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> |
O / C +1 503 953-1389</span><span style="color:#1F497D"
lang="EN"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a class="moz-txt-link-freetext" href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 4:06 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password
synchronization from Active Directory<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 05:00 PM, Tovey, Mark
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> We can
live with that. We want to be able to disable an account
in AD and have that flow out to our *nix servers. If we
make the procedure to delete the password in AD, that
should effectively disable the account in IPA as well.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
I don't think PassSync will sync password deletion events.<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 3:53 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password
synchronization from Active Directory</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 04:50 PM, Tovey, Mark
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> At the
end of the day, all we really need is password</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman ,
serif","serif""><br>
You can do this with just PassSync on AD and without the
rest of winsync.<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">and preferably
account disabling synchronized.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman ,
serif","serif""><br>
You have to use winsync for that.<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">The rest is not
absolutely necessary. I saw that part of the documentation,
but did not fully understand it (in a hurry!). Now that I
see it in a different light, it becomes much clearer. I
will look into this.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 3:17 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password
synchronization from Active Directory</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 04:06 PM, Tovey, Mark
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> Ouch!
The AD admins have already expressed an unwillingness to
move some users into a separate container. And I don’t
want to have several thousand unnecessary entries in my
IPA system. It looks like password synchronization is not
going to be an option.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
With 389 it is possible to disable sync of AD user creation
to DS.<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html</a><br>
<br>
12.4.4.2. Configuring User Sync in the Command Line<br>
<br>
To disable user sync, set nsds7NewWinUserSyncEnabled: off<br>
<br>
Then, you will add the ntUser objectclass to each IPA user
you want to sync, and at the same time add the attribute
ntUserDomainID: username (corresponds to the AD user
samAccountName attribute). This will "link" the IPA user
entry to the corresponding AD user entry.<br>
<br>
You mention password sync and user sync - I'm not sure if
you mean them separately, or if you are implying that they
have to be used together - they do not. You should be able
to install PassSync on your domain controllers _without
configuring a winsync agreement in IPA_. PassSync should
then just ignore password changes for users that it cannot
find in IPA.<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB"> </span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB">________________________________________________________________</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB">Mark Tovey - UNIX Engineer | Service
Strategy & Design</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"
lang="EN-GB"><a moz-do-not-send="true"
href="http://www.go2uti.com/">UTi</a>
</span><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB">| 400 SW Sixth Ave, Suite 1100 | Portland |
Oregon | 97204 | USA</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"
lang="EN-GB"><a moz-do-not-send="true"
href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> |
O / C +1 503 953-1389 | Skype: mark.tovey2</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 1:00 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password
synchronization from Active Directory</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 01:48 PM, Tovey, Mark
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> Is there a way to limit what user
accounts are synchronized from Active Directory? There are
around 15,000 entries in our production AD system, but
probably only about 300 of those need to have an account in
the IPA system. Can we set an attribute in the user
information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an
account to be skipped?<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
No. The only thing you can do is create a special container
(cn=IPA users or ou=IPA users or something like that), move
the users you want to sync into that container, and sync
only that container.<br>
</span><o:p></o:p></p>
<p class="MsoNormal"> Thanks,<o:p></o:p></p>
<p class="MsoNormal"> -Mark<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Freeipa-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></pre>
</div>
</blockquote>
<br>
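<p>As an added example, not code from this thread or from the FreeIPA/389 projects: the shell script below generates the two LDIF changes Rich describes, turning off creation of new IPA entries for AD users on a winsync agreement (<code>nsds7NewWinUserSyncEnabled: off</code>) and linking only the chosen IPA users to their AD accounts by adding the <code>ntUser</code> objectclass and an <code>ntUserDomainID</code> equal to the AD sAMAccountName. The agreement DN, the <code>dc=example,dc=com</code> base DN, the <code>uid=...,cn=users,cn=accounts</code> user location, the <code>IPA_HOST</code> variable and the sample user list are assumptions for illustration. The uid check is a conservative choice added here so that a value taken from a user list cannot smuggle extra RDN components or additional LDIF lines into the modify.</p>

```shell
#!/bin/sh
# Added example (not from the list thread or the FreeIPA/389 projects).
# Emits the LDIF for: (1) stopping winsync from creating an IPA entry for
# every AD user, and (2) linking only selected IPA users to AD so that
# password/attribute sync applies to them alone.
# Assumed/hypothetical: agreement DN, base DN, IPA_HOST, the sample list.

# Allow only plain account names.  Commas, plus signs, newlines and the
# like would otherwise let a list entry add RDN components or LDIF lines.
valid_uid() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# LDIF: turn off creation of new IPA users from AD on one winsync agreement.
# The attribute name is the one from the RHDS winsync docs cited in the
# thread; the agreement DN ($1) is whatever your cn=config shows.
disable_new_user_sync_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsds7NewWinUserSyncEnabled\nnsds7NewWinUserSyncEnabled: off\n\n' "$1"
}

# LDIF: link one IPA user to its AD account.  ntUserDomainID must equal the
# AD sAMAccountName, which is what winsync uses to pair the two entries.
link_user_ldif() {
    uid=$1 sam=$2 basedn=$3
    valid_uid "$uid" || { echo "rejected uid: '$uid'" >&2; return 1; }
    valid_uid "$sam" || { echo "rejected sAMAccountName: '$sam'" >&2; return 1; }
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nadd: objectclass\nobjectclass: ntUser\n-\nadd: ntUserDomainID\nntUserDomainID: %s\n\n' \
        "$uid" "$basedn" "$sam"
}

# Read "ipa_uid [ad_samaccountname]" lines (blank lines and # comments are
# skipped; sAMAccountName defaults to the uid).  Returns non-zero if any
# line was rejected so a bad list is noticed before it is applied.
link_users_from_list() {
    listfile=$1 basedn=$2 rc=0
    while IFS=' ' read -r uid sam _rest; do
        case "$uid" in ''|'#'*) continue ;; esac
        link_user_ldif "$uid" "${sam:-$uid}" "$basedn" || rc=1
    done < "$listfile"
    return "$rc"
}

# Constructed sample list (not real accounts).
sample_list() {
    cat <<'EOF'
# ipa_uid   ad_sAMAccountName
jdoe        jdoe
asmith      smitha
EOF
}

# Full changeset for the assumed agreement DN and base DN.
build_changeset() {
    listfile=$1
    disable_new_user_sync_ldif 'cn=ad-sync,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
    link_users_from_list "$listfile" 'dc=example,dc=com'
}

tmp=$(mktemp "${TMPDIR:-/tmp}/ipa-link.XXXXXX")
sample_list > "$tmp"
if [ -n "${IPA_HOST:-}" ]; then
    # Apply to the IPA directory server as Directory Manager (prompts for password).
    build_changeset "$tmp" | ldapmodify -H "ldaps://$IPA_HOST" -D 'cn=Directory Manager' -W
else
    build_changeset "$tmp"
fi
rm -f "$tmp"
```

<p>Run it with no environment to print the LDIF for the built-in sample list; set <code>IPA_HOST</code> to pipe the same LDIF into <code>ldapmodify</code> instead. Afterwards an <code>ldapsearch</code> with the filter <code>(ntUserDomainID=*)</code> under the users container should return exactly the linked accounts, which is also the set PassSync will find when it looks up a changed AD password.</p>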
</body>
</html>