On 03/27/2012 05:01 PM, Dmitri Pal wrote:
On 03/27/2012 06:24 PM, Steven Jones wrote:
Hi,
We want to do a one way password sync from AD to IPA for staff but not students
as they are a different AD domain,
can we do a one way sync?
Yes
one way sync for everything or one way sync for everything except
student passwords? the former is easy, the latter is not possible afaik
Oh wait, also while I can only do one winsync to one AD domain, can I do a
password sync from 2 ADs to one IPA domain?
No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).
ipa winsync cannot add users added to IPA to AD - you'll have to add
those manually to AD, then they will be in sync for modify operations.
7.4.3 talks about every password change wanting a reset.....
Yes because you need to capture passwords and create hashes in LDAP for
that passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly this is why we spending so much time and effort on building
trusts so that IPA can just accept AD tickets without any sync.
+1
So it there a way to disable this for all or some groups of users?
I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc
could be,
uid=*,cn=staff,cn=accounts,dc=etc......
I will leave to Rich to explain this
It cannot be a wildcard:
if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
}
but it is multivalued.
What exactly are you trying to do? Defeat password sync for
uid=*,cn=staff,cn=accounts,dc=etc ? Because I don't think passSyncManagersDNs
is what you want for that, unless I'm mistaken.
?
Since Im setting the password complexity in AD and Psync I assume that I simply
do not want any policy for most users....but I still will need a global for
users who are not in AD.
Correct
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 28 March 2012 11:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync
Steven Jones wrote:
Section 7.4.2 on password sync calls for a download of a
PassSync.msi...I cannot locate this....so your doc needs updating I think.
For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits
I assume the two cn='s are "standard"?
It isn't incorrect, if that is what you are asking. cn is a multi-valued
attribute.
number 4 point 4 ou=People,dc=example,dc=com is a "standard"?
It is merely an example. I think the default location for AD users is
ou=Users.
So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz
You'd want to check with your AD administrator(s).
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
