[Freeipa-users] passwd sync

Rich Megginson rmeggins at redhat.com
Wed Mar 28 01:40:31 UTC 2012 

On 03/27/2012 07:36 PM, Steven Jones wrote:
> Hi
>
> Until we collapse the domains into one we will have a one way sync for staff only...  I assume because a student does not exist if staff then there will be no sync....they will simply have a linux/IPA password.
>
> I dont need anything to go from IPA to AD, its all AD to IPA or manually created in IPA which stays there.
ok - then you can just use the oneWaySync feature of 389.
>
> "What exactly are you trying to do?  Defeat password sync for"   -  Turn off password policy for everyone. Policy will be controlled by AD or Psync..so the password should come through from AD via passsync with the complexity we want......
Not sure how you do that with IPA
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 28 March 2012 1:54 p.m.
> To: dpal at redhat.com
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] passwd sync
>
> On 03/27/2012 05:01 PM, Dmitri Pal wrote:
>> On 03/27/2012 06:24 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> We want to do a one way password sync from AD to IPA for staff but not students as they are a different AD domain,
>>>
>>> can we do a one way sync?
>> Yes
> one way sync for everything or one way sync for everything except
> student passwords?  the former is easy, the latter is not possible afaik
>>> Oh wait, also while I can only do one winsync to one AD domain, can I do a password sync from 2 ADs to one IPA domain?
>> No. One Domain.
>> IPA can sync only from one AD domain. And it can't sync users back (DS can).
> ipa winsync cannot add users added to IPA to AD - you'll have to add
> those manually to AD, then they will be in sync for modify operations.
>>> 7.4.3 talks about every password change wanting a reset.....
>> Yes because you need to capture passwords and create hashes in LDAP for
>> that passwords need to be reset and passsync needs to be put on the AD
>> to capture the changes.
>> This is ugly this is why we spending so much time and effort on building
>> trusts so that IPA can just accept AD tickets without any sync.
> +1
>>> So it there a way to disable this for all or some groups of users?
>>>
>>> I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc
>>>
>>> could be,
>>>
>>>    uid=*,cn=staff,cn=accounts,dc=etc......
>> I will leave to Rich to explain this
> It cannot be a wildcard:
>               if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
>                   pwdata.changetype = IPA_CHANGETYPE_DSMGR;
>                   break;
>               }
> but it is multivalued.
>
>
> What exactly are you trying to do?  Defeat password sync for
>
> uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs is what you want for that, unless I'm mistaken.
>
>>> ?
>>>
>>> Since Im setting the password complexity in AD and Psync I assume that I simply do not want any policy for most users....but I still will need a global for users who are not in AD.
>> Correct
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 28 March 2012 11:16 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] passwd sync
>>>
>>> Steven Jones wrote:
>>>> Section 7.4.2 on password sync calls for a download of a
>>>> PassSync.msi...I cannot locate this....so your doc needs updating I think.
>>>>
>>>> For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
>>>> cn=etc, then the dc= usual bits
>>>>
>>>> I assume the two cn='s are "standard"?
>>> It isn't incorrect, if that is what you are asking. cn is a multi-valued
>>> attribute.
>>>
>>>> number 4 point 4 ou=People,dc=example,dc=com is a "standard"?
>>> It is merely an example. I think the default location for AD users is
>>> ou=Users.
>>>
>>>> So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
>>> You'd want to check with your AD administrator(s).
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list