<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/16/2013 04:06 PM, Tovey, Mark
wrote:<br>
</div>
<blockquote
cite="mid:159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"> Ouch! The
AD admins have already expressed an unwillingness to move
some users into a separate container. And I don’t want to
have several thousand unnecessary entries in my IPA system.
It looks like password synchronization is not going to be an
option.</span></p>
</div>
</blockquote>
<br>
With 389 it is possible to disable sync of AD user creation to DS.<br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html</a><br>
<br>
12.4.4.2. Configuring User Sync in the Command Line<br>
<br>
To disable user sync, set nsds7NewWinUserSyncEnabled: off<br>
<br>
Then, you will add the ntUser objectclass to each IPA user you want
to sync, and at the same time add the attribute ntUserDomainID:
username (corresponds to the AD user samAccountName attribute).
This will "link" the IPA user entry to the corresponding AD user
entry.<br>
<br>
You mention password sync and user sync - I'm not sure if you mean
them separately, or if you are implying that they have to be used
together - they do not. You should be able to install PassSync on
your domain controllers _without configuring a winsync agreement in
IPA_. PassSync should then just ignore password changes for users
that it cannot find in IPA.<br>
<br>
<br>
<blockquote
cite="mid:159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,</span></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark</span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:gray"
lang="EN-GB">________________________________________________________________</span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:8.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:gray"
lang="EN-GB">Mark Tovey - UNIX Engineer | Service
Strategy &amp; Design</span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:blue"
lang="EN-GB"><a moz-do-not-send="true"
href="http://www.go2uti.com/">UTi</a>
</span><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:gray"
lang="EN-GB">| 400 SW Sixth Ave, Suite 1100 | Portland |
Oregon | 97204 | USA</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:7.5pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:gray"
lang="EN-GB"><a moz-do-not-send="true"
href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> |
O / C +1 503 953-1389 | Skype: mark.tovey2</span></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a class="moz-txt-link-freetext" href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 1:00 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password
synchronization from Active Directory</span></p>
</div>
</div>
<div>
<p class="MsoNormal">On 07/16/2013 01:48 PM, Tovey, Mark
wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> Is there a way to limit what user
accounts are synchronized from Active Directory? There are
around 15,000 entries in our production AD system, but
probably only about 300 of those need to have an account in
the IPA system. Can we set an attribute in the user
information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an
account to be skipped?</p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:&quot;Times New
Roman&quot;,&quot;serif&quot;"><br>
No. The only thing you can do is create a special container
(cn=IPA users or ou=IPA users or something like that), move
the users you want to sync into that container, and sync
only that container.</span></p>
<p class="MsoNormal"> Thanks,</p>
<p class="MsoNormal"> -Mark</p>
<pre>_______________________________________________</pre>
<pre>Freeipa-users mailing list</pre>
<pre><a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a></pre>
<pre><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</div>
</blockquote>
<br>
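The two-step procedure Rich describes above (turn off creation of new DS/IPA users on the winsync agreement, then link only the wanted IPA users with the ntUser objectclass and ntUserDomainID), written out as LDIF by an added shell example. This is not code from the original message, from 389 Directory Server or from FreeIPA. The agreement DN, the IPA suffix and the sample usernames are placeholders; the only facts taken from the message are the attribute and objectclass names and that ntUserDomainID must equal the AD sAMAccountName.<br>

```shell
#!/bin/sh
# Added example, not code from the original message or from 389/FreeIPA.
# It generates the LDIF for the two steps in Rich's reply (disable creation
# of new users from AD on the winsync agreement, then link selected IPA users
# to their AD accounts with ntUser + ntUserDomainID) so the change can be
# reviewed before it is piped into ldapmodify.
#
# Assumptions (placeholders, not from the original message):
#   AGREEMENT_DN  - the DN of your winsync agreement under cn=config
#   IPA_USER_BASE - IPA keeps user entries under cn=users,cn=accounts,<suffix>
AGREEMENT_DN='cn=ad-sync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
IPA_USER_BASE='cn=users,cn=accounts,dc=example,dc=com'

# Step 1: one modify operation on the agreement entry. After this, accounts
# created in AD are no longer created in IPA; only linked users take part.
disable_new_user_sync_ldif() {
    printf 'dn: %s\n' "$AGREEMENT_DN"
    printf 'changetype: modify\n'
    printf 'replace: nsds7NewWinUserSyncEnabled\n'
    printf 'nsds7NewWinUserSyncEnabled: off\n\n'
}

# Step 2: link one IPA user to its AD account. ntUserDomainID must be the AD
# sAMAccountName; pass it as the second argument when it differs from the uid.
link_user_ldif() {
    uid="$1"
    sam="${2:-$1}"
    printf 'dn: uid=%s,%s\n' "$uid" "$IPA_USER_BASE"
    printf 'changetype: modify\n'
    printf 'add: objectClass\nobjectClass: ntUser\n-\n'
    printf 'add: ntUserDomainID\nntUserDomainID: %s\n\n' "$sam"
}

# Check: given one entry as LDIF text (e.g. output of ldapsearch -LLL), report
# whether it carries both the ntUser objectclass and an ntUserDomainID value.
is_linked() {
    printf '%s\n' "$1" | grep -qi '^objectClass: ntUser$' &&
    printf '%s\n' "$1" | grep -qi '^ntUserDomainID: .'
}

# Emit the complete LDIF for a list of "uid" or "uid:sAMAccountName" arguments.
build_ldif() {
    disable_new_user_sync_ldif
    for spec in "$@"; do
        case "$spec" in
            *:*) link_user_ldif "${spec%%:*}" "${spec#*:}" ;;
            *)   link_user_ldif "$spec" ;;
        esac
    done
}

# Usage (review the output first, then feed it to the server):
#   sh link-users.sh mtovey jdoe:john.doe | ldapmodify -x -D "cn=Directory Manager" -W
if [ "$#" -gt 0 ]; then
    build_ldif "$@"
fi
```

Run it with no arguments and it emits nothing; with a list of users it prints the agreement change first and one modify per user, so the whole batch can be inspected before ldapmodify applies it. The is_linked check is meant for verifying entries afterwards: dump a user with ldapsearch and pass the text in, and it fails for any entry that is missing either half of the link.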
</body>
</html>