On 03/27/2012 05:01 PM, Dmitri Pal wrote:
On 03/27/2012 06:24 PM, Steven Jones wrote:

We want to do a one way password sync from AD to IPA for staff but not students 
as they are a different AD domain,

can we do a one way sync?
one way sync for everything or one way sync for everything except student passwords? the former is easy, the latter is not possible afaik

Oh wait, also while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?
No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).
ipa winsync cannot add users added to IPA to AD - you'll have to add those manually to AD, then they will be in sync for modify operations.

7.4.3 talks about every password change wanting a reset.....
Yes because you need to capture passwords and create hashes in LDAP for
that passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly this is why we spending so much time and effort on building
trusts so that IPA can just accept AD tickets without any sync.

So it there a way to disable this for all or some groups of users?

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

I will leave to Rich to explain this
It cannot be a wildcard:
            if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
                pwdata.changetype = IPA_CHANGETYPE_DSMGR;
but it is multivalued.

What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.


Since Im setting the password complexity in AD and Psync I assume that I simply 
do not want any policy for most users....but I still will need a global for 
users who are not in AD.

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 28 March 2012 11:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

Steven Jones wrote:
Section 7.4.2 on password sync calls for a download of a
PassSync.msi...I cannot locate this....so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits

I assume the two cn='s are "standard"?
It isn't incorrect, if that is what you are asking. cn is a multi-valued

number 4 point 4 ou=People,dc=example,dc=com is a "standard"?
It is merely an example. I think the default location for AD users is

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
You'd want to check with your AD administrator(s).


Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to