<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> <style>  </style><style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style> </head> <body ocsi="0" fpstyle="1" lang="EN-US" link="blue" vlink="purple" bgcolor="white"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Hi, PS there is a difference between password sync and user (win)sync, they run independently. So you can do password sync without winsync. Password sync puts a msi on the AD box to intercept the password and send it on before its encrypted (as I understand it)....that might also give your AD admins kittens.... ;] We also run IPA admins (who can log into the web ui) as a seperate user ID unique in IPA, that way if AD gets hacked the hacker doesnt get to own IPA as well via a password change. <div> <div style="font-family:Tahoma; font-size:13px"> regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 </div> </div> <div style="font-family: Times New Roman; color: #000000; font-size: 16px"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF172607">From: freeipa-users-bounces@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Tovey, Mark [MTovey@go2uti.com] Sent: Wednesday, 17 July 2013 10:06 a.m. To: Rich Megginson Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory </div> <div></div> <div> <div class="WordSection1"> Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don’t want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option. Thanks, -Mark <div> ________________________________________________________________ Mark Tovey - UNIX Engineer | Service Strategy & Design <a href="http://www.go2uti.com/" target="_blank">UTi</a> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA <a href="mailto:MTovey@go2uti.com" target="_blank">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2 </div> <div> <div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in"> From: Rich Megginson [mailto:rmeggins@redhat.com] Sent: Tuesday, July 16, 2013 1:00 PM To: Tovey, Mark Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory </div> </div> <div> On 07/16/2013 01:48 PM, Tovey, Mark wrote: </div> <blockquote style="margin-top:5.0pt; margin-bottom:5.0pt"> Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped? </blockquote> No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container. Thanks, -Mark ________________________________________________________________ Mark Tovey - UNIX Engineer | Service Strategy & Design <a href="http://www.go2uti.com/" target="_blank">UTi</a> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA <a href="mailto:MTovey@go2uti.com" target="_blank">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2 <pre>_______________________________________________</pre> <pre>Freeipa-users mailing list</pre> <pre><a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a></pre> <pre><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </div> </div> </div> </div> </body> </html>