Steven Jones wrote:

It cannot be a wildcard:
              if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
                  pwdata.changetype = IPA_CHANGETYPE_DSMGR;
but it is multivalued.


This is over my head


What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.


Ok,  so at present when I setup a new user with a temp password in IPA and give 
it to the user they have to set a new one on first login to a client.

Once password(s) flow through from AD I don't want the reset password feature in IPA to 
be functional when a user "first" logs in.

That is what the passsyncmanagersdn does, bypasses policy checks. It doesn't look at the individual entry being replicated, it looks at the user who is bound and doing the replication.


Freeipa-users mailing list

Reply via email to