[Freeipa-users] passwd sync

Rob Crittenden rcritten at redhat.com
Thu Mar 29 12:57:53 UTC 2012


Steven Jones wrote:
> 8><------
>
> It cannot be a wildcard:
>               if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
>                   pwdata.changetype = IPA_CHANGETYPE_DSMGR;
>                   break;
>               }
> but it is multivalued.
>
> 8><----------
>
> This is over my head
>
> 8><----------
>
> What exactly are you trying to do?  Defeat password sync for
>
> uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs is what you want for that, unless I'm mistaken.
>
> 8><--------
>
> Ok, so at present when I set up a new user with a temp password in IPA and give it to the user they have to set a new one on first login to a client.
>
> Once password(s) flow through from AD I don't want the reset password feature in IPA to be functional when a user "first" logs in.

That is what the passsyncmanagersdn does, bypasses policy checks. It 
doesn't look at the individual entry being replicated, it looks at the 
user who is bound and doing the replication.

rob
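
The behaviour discussed in this thread, as an added example that is not part of the original post or the FreeIPA source: the quoted loop compares each passSyncManagersDNs value against the bind DN as a whole string, so a "uid=*" value never matches, and the entry being changed is not consulted. The DNs, the enum values and the names classify_change and EX_CHANGETYPE_OTHER are assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Only the name IPA_CHANGETYPE_DSMGR comes from the quoted snippet; its value
 * and EX_CHANGETYPE_OTHER are hypothetical stand-ins for this example. */
enum { EX_CHANGETYPE_OTHER = 0, IPA_CHANGETYPE_DSMGR = 1 };

/* Constructed values for the multivalued passSyncManagersDNs setting. */
static const char *passsync_mgrs[] = {
    "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
    "uid=*,cn=staff,cn=accounts,dc=example,dc=com", /* wildcard attempt */
    NULL
};

/* Same test as the quoted loop: each configured value is compared to the
 * bind DN as a whole string, ignoring case. target_dn is accepted only to
 * show that the entry being changed plays no part in the decision. */
int classify_change(const char **mgrs, const char *bind_dn,
                    const char *target_dn)
{
    (void)target_dn;
    if (mgrs == NULL || bind_dn == NULL)
        return EX_CHANGETYPE_OTHER;
    for (int i = 0; mgrs[i] != NULL; i++) {
        if (strcasecmp(mgrs[i], bind_dn) == 0)
            return IPA_CHANGETYPE_DSMGR;
    }
    return EX_CHANGETYPE_OTHER;
}

int main(void)
{
    const char *target = "uid=jdoe,cn=staff,cn=accounts,dc=example,dc=com";
    const char *binds[] = {
        "UID=PassSync,cn=sysaccounts,cn=etc,dc=example,dc=com", /* case differs */
        "uid=jdoe,cn=staff,cn=accounts,dc=example,dc=com",      /* "uid=*" is literal */
        "uid=passsync, cn=sysaccounts, cn=etc, dc=example, dc=com", /* spacing differs */
    };
    for (size_t i = 0; i < sizeof(binds) / sizeof(binds[0]); i++) {
        int t = classify_change(passsync_mgrs, binds[i], target);
        printf("%-60s -> %s\n", binds[i],
               t == IPA_CHANGETYPE_DSMGR ? "policy checks bypassed"
                                         : "policy checks apply");
    }
    return 0;
}
```

Because the match is on the bound identity alone, every DN listed in the setting skips policy checks for any entry it changes, so the list is best kept to the sync account only.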