<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> We can live with that. We want to be able to disable an account in AD and have that flow out to our *nix servers. If we make the procedure to delete the password in AD, that should effectively disable the
account in IPA as well.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> | O / C +1 503 953-1389</span><span lang="EN" style="color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Rich Megginson [mailto:rmeggins@redhat.com]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 3:53 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> Freeipa-users@redhat.com<br>
<b>Subject:</b> Re: [Freeipa-users] Limit password synchronization from Active Directory<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 04:50 PM, Tovey, Mark wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> At the end of the day, all we really need is password</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
You can do this with just PassSync on AD and without the rest of winsync.<br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">and preferably account disabling synchronized.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
You have to use winsync for that.<br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The rest is not absolutely necessary. I saw that part of the documentation, but did not fully understand it (in a hurry!). Now that I see it in a different light, it becomes much clearer. I will look into
this.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"> </span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> | O / C +1 503 953-1389</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Rich Megginson [<a href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 3:17 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password synchronization from Active Directory</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 04:06 PM, Tovey, Mark wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don’t want to have several thousand unnecessary entries in my IPA system. It looks like
password synchronization is not going to be an option.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman , serif","serif""><br>
With 389 it is possible to disable sync of AD user creation to DS.<br>
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html</a><br>
<br>
12.4.4.2. Configuring User Sync in the Command Line<br>
<br>
To disable user sync, set nsds7NewWinUserSyncEnabled: off<br>
<br>
Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute). This will "link" the IPA user entry to the corresponding AD
user entry.<br>
<br>
You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not. You should be able to install PassSync on your domain controllers _without configuring a winsync agreement
in IPA_. PassSync should then just ignore password changes for users that it cannot find in IPA.<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> -Mark</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"> </span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Rich Megginson [<a href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, July 16, 2013 1:00 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Cc:</b> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Limit password synchronization from Active Directory</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 07/16/2013 01:48 PM, Tovey, Mark wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we
set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"> Thanks,<o:p></o:p></p>
<p class="MsoNormal"> -Mark<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"> </span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Freeipa-users mailing list<o:p></o:p></pre>
<pre><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></pre>
<pre><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></pre>
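<p class="MsoNormal">The linking procedure Rich describes in the thread (set <code>nsds7NewWinUserSyncEnabled: off</code> on the winsync agreement so AD users are no longer created in IPA, then add the <code>ntUser</code> objectclass and an <code>ntUserDomainID</code> equal to the AD sAMAccountName to each IPA user that should sync) comes down to a few LDIF modify operations per user. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389 Directory Server. It assumes the standard IPA user container under a base DN of <code>dc=example,dc=com</code> (a placeholder, overridable with <code>IPA_BASE</code>) and takes the winsync agreement DN as an argument, since that DN is site-specific and does not appear in the thread. Because the account names are interpolated into LDIF, each one is checked against a conservative character whitelist (deliberately stricter than what AD itself permits) so that a stray newline, space or LDIF-significant character in a name list cannot become an extra attribute change in the modify operation.</p>

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA, 389 DS or mailing-list code):
# generate the LDIF for the two changes described in the thread.
#   1. On the winsync agreement: nsds7NewWinUserSyncEnabled: off
#      (stop creating IPA users from AD).
#   2. On each IPA user that should sync: add objectClass ntUser and
#      ntUserDomainID: <AD sAMAccountName>  ("link" the two entries).
# Assumptions (placeholders, not values from the thread): the IPA base DN is
# dc=example,dc=com unless IPA_BASE is set; the agreement DN is passed in.

IPA_BASE="${IPA_BASE:-dc=example,dc=com}"

# Whitelist check for a name that will be interpolated into LDIF. Allows only
# [A-Za-z0-9._-], 1 to 20 characters (20 is the sAMAccountName limit for users).
# Deliberately stricter than AD's own rules: an embedded newline, space or
# LDIF-significant character from a dirty input list would otherwise land
# inside the modify operation, and a newline could add an attribute change
# nobody intended.
valid_samaccountname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 20 ] || return 1
    # Delete every allowed character; only the '#' sentinel may remain. The
    # sentinel catches a trailing newline, which $(...) alone would strip.
    [ "$(printf '%s#' "$name" | LC_ALL=C tr -d '[:alnum:]._-')" = '#' ]
}

# LDIF that links one IPA user (uid) to the AD account with the given
# sAMAccountName; the AD name defaults to the IPA uid when they are the same.
ipa_link_ldif() {
    ipa_uid=$1
    sam=${2:-$1}
    if ! valid_samaccountname "$ipa_uid" || ! valid_samaccountname "$sam"; then
        echo "skipping '$ipa_uid' / '$sam': not a safe account name" >&2
        return 1
    fi
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$ipa_uid" "$IPA_BASE"
    printf 'changetype: modify\n'
    printf 'add: objectClass\nobjectClass: ntUser\n-\n'
    printf 'add: ntUserDomainID\nntUserDomainID: %s\n\n' "$sam"
}

# Same for a whole list of names: emits LDIF for the good ones and returns
# non-zero if any name was rejected, so the caller can stop and inspect the list
# instead of half-applying it.
link_users_ldif() {
    rejected=0
    for u in "$@"; do
        ipa_link_ldif "$u" || rejected=1
    done
    return "$rejected"
}

# LDIF that stops the winsync agreement from creating new IPA users from AD.
# Agreement entries live under cn=config; the DN is site-specific, so pass it in.
# One way to find it (assumed, not from the thread):
#   ldapsearch -D 'cn=Directory Manager' -W -b cn=config \
#       '(objectClass=nsDSWindowsReplicationAgreement)' dn
winsync_disable_new_users_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: nsds7NewWinUserSyncEnabled\nnsds7NewWinUserSyncEnabled: off\n\n'
}

# Demo with constructed names and a placeholder agreement DN. In real use, pipe
# the output into:  ldapmodify -x -H ldaps://ipa.example.com -D 'cn=Directory Manager' -W
winsync_disable_new_users_ldif 'cn=WINSYNC_AGREEMENT_PLACEHOLDER,cn=config'
link_users_ldif alice bob svc.backup-01
```

<p class="MsoNormal">After applying the agreement change, reading <code>nsds7NewWinUserSyncEnabled</code> back from the agreement entry confirms the setting took effect; the list of linked users is simply every entry in the IPA users container carrying the <code>ntUser</code> objectclass, which is a convenient thing to review periodically against the set of accounts that should have *nix access.</p>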
</div>
</body>
</html>