[Freeipa-users] 2 question on passsync

Steven Jones Steven.Jones at vuw.ac.nz
Wed Nov 13 00:14:08 UTC 2013


Hi

From the RH manual,

"15.6.3. Exempting Active Directory Users from Password Synchronization"

So the heading says I can?

or I cannot?

by running,

"ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"

Where the user would say be me, so I have to have a different password in IPA to AD.

If I cannot then the manual heading above is very confusing...

In terms of

"Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords."

I did wonder but when I tested a normal user, there was no password reset required, the AD password just worked with the rhel6 client login, no issues, no reset.

So I am confused.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272

> clude a user from passsync the identity guide says run,
>
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
>
> Which means every time I want to exclude a user I have to do this via the command line and also I don't see how it's easily and quickly auditable either.
>
> eg how do I check who is and isn't excluded?
>
> Now if it's an IPA user group called say "excluded passsync users" and I just drop the user(s) in, it's very easy to do and look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that
password.

Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?

rob
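As an added example, not part of this thread or of FreeIPA's own tooling: the audit check asked about above, reading passSyncManagersDNs straight from the cn=ipa_pwd_extop plugin entry and listing the DNs it names. The host, bind DN and sample DNs are assumptions taken from the manual snippet quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): list the accounts that the
# ipa_pwd_extop plugin treats as password sync managers, i.e. the DNs whose
# password changes do not force a reset. Host and bind DN are assumptions.

# Query the plugin entry directly; -W prompts for the Directory Manager password.
fetch_passsync_managers_ldif() {
    ldapsearch -x -LLL -D "cn=Directory Manager" -W \
        -h "${IPA_LDAP_HOST:-ldap.example.com}" -p 389 \
        -s base -b "cn=ipa_pwd_extop,cn=plugins,cn=config" passSyncManagersDNs
}

# Parse LDIF on stdin and print one manager DN per line. LDIF folds long
# values onto continuation lines that begin with a single space, so the
# lines are unfolded first; otherwise a long DN would be missed or cut.
# Values ldapsearch base64-encodes ("attr:: ...") are decoded.
list_passsync_managers() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append to previous line
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "passSyncManagersDNs:: "*)
                printf '%s\n' "${line#passSyncManagersDNs:: }" | base64 -d
                printf '\n' ;;
            "passSyncManagersDNs: "*)
                printf '%s\n' "${line#passSyncManagersDNs: }" ;;
        esac
    done
}

# Number of exempt accounts: a quick figure to compare against what is expected.
count_passsync_managers() { list_passsync_managers | grep -c .; }

# Constructed sample output (stands in for a live server); the second DN is
# folded across two lines the way ldapsearch emits long values.
SAMPLE_LDIF='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,
 dc=example,dc=com
'
```

Against a real server, pipe `fetch_passsync_managers_ldif | list_passsync_managers`; the sample is only there so the parser can be exercised offline.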