[Freeipa-users] passwd sync

Rich Megginson rmeggins at redhat.com
Wed Mar 28 00:54:22 UTC 2012


On 03/27/2012 05:01 PM, Dmitri Pal wrote:
> On 03/27/2012 06:24 PM, Steven Jones wrote:
>> Hi,
>>
>> We want to do a one way password sync from AD to IPA for staff but not students as they are a different AD domain,
>>
>> can we do a one way sync?
> Yes
One-way sync for everything, or one-way sync for everything except
student passwords? The former is easy, the latter is not possible AFAIK.
>
>> Oh wait, also while I can only do one winsync to one AD domain, can I do a password sync from 2 ADs to one IPA domain?
> No. One Domain.
> IPA can sync only from one AD domain. And it can't sync users back (DS can).
ipa winsync cannot add users added to IPA to AD - you'll have to add 
those manually to AD, then they will be in sync for modify operations.
>
>> 7.4.3 talks about every password change wanting a reset.....
> Yes, because you need to capture passwords and create hashes in LDAP; for
> that, passwords need to be reset and PassSync needs to be put on the AD
> to capture the changes.
> This is ugly; this is why we are spending so much time and effort on building
> trusts, so that IPA can just accept AD tickets without any sync.
+1
>
>> So it there a way to disable this for all or some groups of users?
>>
>> I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc
>>
>> could be,
>>
>>   uid=*,cn=staff,cn=accounts,dc=etc......
> I will leave to Rich to explain this
It cannot be a wildcard:
             if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
                 pwdata.changetype = IPA_CHANGETYPE_DSMGR;
                 break;
             }
but it is multivalued.


What exactly are you trying to do?  Defeat password sync for
uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs is what you want for that, unless I'm mistaken.

>
>> ?
>>
>> Since I'm setting the password complexity in AD and PassSync, I assume that I simply do not want any policy for most users....but I still will need a global one for users who are not in AD.
> Correct
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 28 March 2012 11:16 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] passwd sync
>>
>> Steven Jones wrote:
>>> Section 7.4.2 on password sync calls for a download of a
>>> PassSync.msi...I cannot locate this....so your doc needs updating I think.
>>>
>>> For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
>>> cn=etc, then the dc= usual bits
>>>
>>> I assume the two cn='s are "standard"?
>> It isn't incorrect, if that is what you are asking. cn is a multi-valued
>> attribute.
>>
>>> number 4 point 4 ou=People,dc=example,dc=com is a "standard"?
>> It is merely an example. I think the default location for AD users is
>> ou=Users.
>>
>>> So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
>> You'd want to check with your AD administrator(s).
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
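Added example, not code from the thread or from FreeIPA itself: a small C model of the passSyncManagersDNs comparison Rich quotes above. The configured values are compared with the bind DN one by one using strcasecmp(), so a value only matches as a whole (case-insensitively) and a '*' in a value is an ordinary character, not a wildcard; the attribute being multi-valued is what lets you list more than one manager DN. The function name classify_bind, the SAMPLE_MGRS list and all DNs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() is POSIX */

/* Mirrors the two outcomes of the quoted check (hypothetical names, not the
 * plugin's own enum). A "DSMGR" bind is one coming from a configured password
 * sync manager; any other bind is a normal password change. */
enum changetype { CHANGETYPE_NORMAL = 0, CHANGETYPE_DSMGR = 1 };

/* Model of the passSyncManagersDNs loop: an exact, case-insensitive,
 * whole-string comparison against each configured value. There is no
 * pattern matching, so "uid=*,..." only ever matches a literal '*'. */
int classify_bind(const char *const *passsync_mgrs, size_t n, const char *bind_dn)
{
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(passsync_mgrs[i], bind_dn) == 0)
            return CHANGETYPE_DSMGR;   /* matched as a whole */
    }
    return CHANGETYPE_NORMAL;
}

/* Constructed sample configuration with three values, including the
 * wildcard-looking DN from the question, to show it is taken literally. */
static const char *const SAMPLE_MGRS[] = {
    "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
    "uid=*,cn=staff,cn=accounts,dc=example,dc=com",
};
#define SAMPLE_MGRS_N (sizeof SAMPLE_MGRS / sizeof SAMPLE_MGRS[0])

/* Convenience wrapper over the sample configuration. */
int classify_sample(const char *bind_dn)
{
    return classify_bind(SAMPLE_MGRS, SAMPLE_MGRS_N, bind_dn);
}

int main(void)
{
    const char *binds[] = {
        "uid=admin,cn=users,cn=accounts,dc=example,dc=com",      /* exact match */
        "UID=Admin,CN=Users,CN=Accounts,DC=Example,DC=Com",      /* case differs */
        "uid=alice,cn=staff,cn=accounts,dc=example,dc=com",      /* not matched by uid=* */
        "uid=*,cn=staff,cn=accounts,dc=example,dc=com",          /* literal '*' matches */
    };
    for (size_t i = 0; i < sizeof binds / sizeof binds[0]; i++)
        printf("%-55s -> %s\n", binds[i],
               classify_sample(binds[i]) == CHANGETYPE_DSMGR ? "DSMGR" : "NORMAL");
    return 0;
}
```

The third case is the one that matters for the question in the thread: a staff user binding as uid=alice is never treated as a sync-manager bind, however the value is spelled, so passSyncManagersDNs cannot be used to carve out a group of users; it only identifies the accounts (such as the PassSync bind account) whose password writes should be treated as already-synced.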