On 09.06.22 09:32, Florence Blanc-Renaud wrote:
Hi,
On Thu, Jun 9, 2022 at 8:58 AM Ronald Wimmer via FreeIPA-users <
[email protected]> wrote:
On 25.04.22 18:21, Ronald Wimmer via FreeIPA-users wrote:
We managed to use IPA users as AIX users in our environment.
Preferably, we would like to use users from an AD group directly, which
does not seem to be possible without SSSD for AIX, right?
As an alternative it would be great to synchronize users in a specific
AD group to IPA users. I already have a draft of a python script in mind
that could do the job.
Is there any way to synchronize a user's password from AD?
After doing some research I found out that there are some products on
the market which are capable of doing that. So, what's the point here?
What is needed to make that possible?
Could someone with a deeper AD understanding shed a little light on
this matter?
IdM also provides a synchronization feature (between AD and IdM, please
refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory
and more specifically
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/pass-sync
).
The synchronization of passwords requires a service to be installed and
configured on AD domain controllers. It cannot sync already existing
passwords (because they are stored in a hashed form) but is able to capture
password addition/changes and synchronize the new password to IdM.
Please note however that the doc states the following:
In some integration scenarios, the user synchronization may be the only
available option, but in general, use of the synchronization approach is
discouraged in favor of the cross-realm trust-based integration
Thanks for this info. It is the answer I was hoping for!
Cheers,
Ronald