<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 07/16/2013 04:28 PM, Steven Jones
      wrote:<br>
    </div>
    <blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E407A2FE5AB@STAWINCOX10MBX1.staff.vuw.ac.nz"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">Hi,<br>
        <br>
        PS there is a difference between password sync and user
        (win)sync, they run independently.<br>
        <br>
        So you can do password sync without winsync. Password sync puts
        an MSI on the AD box to intercept the password and send it on
        before it's encrypted (as I understand it)....</div>
    </blockquote>
    Correct.<br>
    <blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E407A2FE5AB@STAWINCOX10MBX1.staff.vuw.ac.nz"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">that might also give your AD admins
        kittens....<br>
      </div>
    </blockquote>
    Also correct, which is why the preferred long term solution is cross
    domain trust.<br>
    <blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E407A2FE5AB@STAWINCOX10MBX1.staff.vuw.ac.nz"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <br>
        ;]<br>
        <br>
        We also run IPA admins (who can log into the web UI) as a
        separate user ID unique in IPA, that way if AD gets hacked the
        hacker doesn't get to own IPA as well via a password change.<br>
        <br>
        <div><br>
          <div style="font-family:Tahoma; font-size:13px">
            <p>regards</p>
            <p>Steven Jones</p>
            <p>Technical Specialist - Linux RHCE</p>
            <p>Victoria University, Wellington, NZ</p>
            <p>0064 4 463 6272<br>
            </p>
          </div>
        </div>
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <hr tabindex="-1">
          <div style="direction: ltr;" id="divRpF172607"><font
              color="#000000" face="Tahoma" size="2"><b>From:</b>
              <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
              [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Tovey,
              Mark [<a class="moz-txt-link-abbreviated" href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a>]<br>
              <b>Sent:</b> Wednesday, 17 July 2013 10:06 a.m.<br>
              <b>To:</b> Rich Megginson<br>
              <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
              <b>Subject:</b> Re: [Freeipa-users] Limit password
              synchronization from Active Directory<br>
            </font><br>
          </div>
          <div>
            <div class="WordSection1">
              <p class="MsoNormal"><span style="color:#1F497D">Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don’t want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option.</span></p>
              <p class="MsoNormal"><span style="color:#1F497D">Thanks,</span></p>
              <p class="MsoNormal"><span style="color:#1F497D">-Mark</span></p>
              <div>
                <p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:8.0pt; font-family:Arial,sans-serif; color:gray" lang="EN-GB">________________________________________________________________</span></b></p>
                <p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:8.0pt; font-family:Arial,sans-serif; color:gray" lang="EN-GB">Mark Tovey - UNIX Engineer | Service Strategy &amp; Design</span></b></p>
                <p class="MsoNormal" style="text-autospace:none"><span style="font-size:7.5pt; font-family:Arial,sans-serif; color:blue" lang="EN-GB"><a moz-do-not-send="true" href="http://www.go2uti.com/" target="_blank">UTi</a></span><span style="font-size:7.5pt; font-family:Arial,sans-serif; color:gray" lang="EN-GB"> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA</span></p>
                <p class="MsoNormal" style="text-autospace:none"><span style="font-size:7.5pt; font-family:Arial,sans-serif; color:gray" lang="EN-GB"><a moz-do-not-send="true" href="mailto:MTovey@go2uti.com" target="_blank">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2</span></p>
              </div>
              <div>
                <div style="border:none; border-top:solid #B5C4DF 1.0pt;
                  padding:3.0pt 0in 0in 0in">
                  <p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:Tahoma,sans-serif; color:windowtext">From:</span></b><span style="font-size:10.0pt; font-family:Tahoma,sans-serif; color:windowtext"> Rich Megginson [<a class="moz-txt-link-freetext" href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]<br>
                      <b>Sent:</b> Tuesday, July 16, 2013 1:00 PM<br>
                      <b>To:</b> Tovey, Mark<br>
                      <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
                      <b>Subject:</b> Re: [Freeipa-users] Limit password synchronization from Active Directory</span></p>
                </div>
              </div>
              <div>
                <p class="MsoNormal">On 07/16/2013 01:48 PM, Tovey, Mark
                  wrote:</p>
              </div>
              <blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
                <p class="MsoNormal">Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?</p>
              </blockquote>
              <p class="MsoNormal">No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.</p>
              <p class="MsoNormal">Thanks,</p>
              <p class="MsoNormal">-Mark</p>
              <pre>_______________________________________________</pre>
              <pre>Freeipa-users mailing list</pre>
              <pre><a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a></pre>
              <pre><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
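<p>Steven's point above, that IPA admins should be IPA-local identities rather than accounts whose password is controlled from AD, can be turned into a check that a defender runs against the IPA directory. The script below is an added example written for this thread; it is not code from the thread or from the FreeIPA project. It assumes that entries created by winsync carry the objectClass ntUser and the ntUserDomainId attribute (as 389-ds winsync sets them) while IPA-local accounts do not, that the admin group is cn=admins,cn=groups,cn=accounts under an assumed dc=example,dc=test suffix, and that memberOf is populated on user entries. The LDIF in the script is constructed sample data.</p>

```python
"""Find IPA admin-group members whose account was created by AD winsync.

Added example for the freeipa-users thread; not FreeIPA project code.
Assumptions: winsync-created entries carry objectClass ntUser plus
ntUserDomainId (as 389-ds winsync sets them); IPA-local accounts do not.
The suffix dc=example,dc=test and the LDIF below are constructed.
"""
import sys

ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=test"  # assumed

SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
uid: admin
objectClass: person
objectClass: posixaccount
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=test
uid: jsmith
objectClass: person
objectClass: posixaccount
objectClass: ntUser
ntUserDomainId: jsmith
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=bwayne,cn=users,cn=accounts,dc=example,dc=test
uid: bwayne
objectClass: person
objectClass: ntUser
ntUserDomainId: bwayne
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line, attribute names lower-cased, multi-valued
    attributes kept as lists. Line folding and base64 ('::') values are
    not handled; plain 'ldapsearch -LLL' output of these attributes is
    enough for this check."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def is_ad_synced(entry):
    """True when the entry carries winsync's ntUser objectClass."""
    return "ntuser" in {oc.lower() for oc in entry.get("objectclass", [])}


def ad_synced_admins(entries, admins_dn=ADMINS_DN):
    """Sorted uids of members of admins_dn whose identity comes from AD,
    i.e. accounts an AD compromise could take over by a password change."""
    want = admins_dn.lower()
    return sorted(
        e["uid"][0]
        for e in entries
        if is_ad_synced(e)
        and any(m.lower() == want for m in e.get("memberof", []))
    )


if __name__ == "__main__":
    # Usage: python check_admins.py [users.ldif]; without a file the
    # constructed sample data is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    hits = ad_synced_admins(parse_ldif(text))
    for uid in hits:
        print("AD-synced account in IPA admins group:", uid)
    sys.exit(1 if hits else 0)
```

<p>Against a live server the input would be an ldapsearch export of the user subtree with uid, objectClass and memberOf requested; a non-empty result means an admin's IPA password is effectively whatever AD last pushed through PassSync, which is exactly the exposure Steven describes.</p>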
    <br>
  </body>
</html>