[Freeipa-users] AD password synchronization

Rob Crittenden rcritten at redhat.com
Thu Feb 27 15:49:27 UTC 2014


Bob wrote:
>
> How can I create the id=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com account without creating a replication agreement.
>
> I do not want to replicate accounts between AD and ipa, but I do want password changes on AD to be sent to ipa.
>
>
> Is this possible?

# ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a
dn: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: passsync
userPassword: secretpassword

As for how well this will work, I'm not sure. You'll also need to add 
this to the pass sync managers entry ala 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

I forget the details on how the PassSync service links the AD entry to 
the 389-ds entry. You may need to add additional attributes to IPA for 
each user you want to keep synchronized.

rob
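A scripted form of both steps Rob describes (create the sysaccount, then list it as a password sync manager as the linked guide does), added here as an example and not part of the original thread. It assumes the host ipaserver.example.com, the suffix dc=example,dc=com, and that the Directory Manager password and the new account's password are read from files rather than passed as `-w secret` on the command line.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the two LDIF records
# needed for a PassSync bind account and applies them with ldapmodify.
# Assumed values: server, suffix, and a 0600 file with the Directory
# Manager password (used via -y so it stays out of the process list).
HOST="${HOST:-ipaserver.example.com}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
DM_PW_FILE="${DM_PW_FILE:-/root/.dm_pw}"

# LDIF for the system account, identical to the entry in the reply above.
# $1 = uid, $2 = suffix, $3 = password for the new account
gen_sysaccount_ldif() {
    printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$2"
    printf 'objectClass: account\nobjectClass: simplesecurityobject\nobjectClass: top\n'
    printf 'uid: %s\nuserPassword: %s\n' "$1" "$3"
}

# LDIF that registers the account with the ipa_pwd_extop plugin: DNs in
# passSyncManagersDNs may set userPassword without being Directory Manager,
# so the AD-side service never needs the cn=directory manager credential.
# $1 = uid, $2 = suffix
gen_passsync_manager_ldif() {
    printf 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n'
    printf 'changetype: modify\nadd: passSyncManagersDNs\n'
    printf 'passSyncManagersDNs: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$2"
}

# Apply both records over LDAPS, then confirm the new account can bind.
# $1 = uid, $2 = file holding the new account's password
apply_passsync_account() {
    pw=$(cat "$2")
    gen_sysaccount_ldif "$1" "$SUFFIX" "$pw" \
        | ldapmodify -x -a -H "ldaps://$HOST" -D "cn=directory manager" -y "$DM_PW_FILE"
    gen_passsync_manager_ldif "$1" "$SUFFIX" \
        | ldapmodify -x -H "ldaps://$HOST" -D "cn=directory manager" -y "$DM_PW_FILE"
    # A successful bind as the sysaccount proves the entry and password are usable.
    ldapwhoami -x -H "ldaps://$HOST" -D "uid=$1,cn=sysaccounts,cn=etc,$SUFFIX" -y "$2"
}

# Run as: sh passsync-account.sh apply /root/.passsync_pw
if [ "${1:-}" = "apply" ]; then
    apply_passsync_account passsync "${2:?path to file holding the passsync password}"
fi
```

Running it against the server requires the OpenLDAP client tools and a trusted CA for the LDAPS connection; the generator functions can be inspected on their own first.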