Hi,

PS there is a difference between password sync and user (win)sync, they run 
independently.

So you can do password sync without winsync.  Password sync puts an MSI on the 
AD box to intercept the password and send it on before it's encrypted (as I 
understand it)....that might also give your AD admins kittens....

;]

We also run IPA admins (who can log into the web UI) as a separate user ID 
unique in IPA, that way if AD gets hacked the hacker doesn't get to own IPA as 
well via a password change.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
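
One defender-side check for the admin separation Steven describes above (and for Rich's "sync only that container" setup further down): an added Python example, not code from this thread or from FreeIPA, that scans a constructed LDIF export of IPA users and flags admins-group members that winsync linked to an AD account. It assumes synced entries carry the ntUser objectClass and ntUserDomainId attribute as 389-ds winsync sets them; all DNs and uids in the sample are constructed.

```python
# Added example, not from the thread: flag IPA admins that are AD-synced.
# Input is a constructed LDIF export; winsync marks synced entries with
# objectClass ntUser / ntUserDomainId (389-ds winsync; assumed here).
SAMPLE_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
uid: jsmith
objectClass: ntUser
ntUserDomainId: jsmith
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=ipa-admin-steven,cn=users,cn=accounts,dc=example,dc=com
uid: ipa-admin-steven
objectClass: posixaccount
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=mtovey,cn=users,cn=accounts,dc=example,dc=com
uid: mtovey
objectClass: ntUser
ntUserDomainId: mtovey
"""
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value'
    lines, multi-valued attrs kept as lists (no '::' base64, no folding)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def is_ad_synced(entry):
    """True if winsync created or linked this entry to an AD account."""
    ocs = {oc.lower() for oc in entry.get("objectclass", [])}
    return "ntuser" in ocs or "ntuserdomainid" in entry


def synced_admins(text):
    """uids that are AD-synced AND in admins: an AD compromise owns IPA via them."""
    return sorted(
        e["uid"][0] for e in parse_ldif(text) if is_ad_synced(e)
        and ADMINS_DN.lower() in {m.lower() for m in e.get("memberof", [])}
    )
```

Run it against `ldapsearch -LLL` output of `cn=users,cn=accounts` and any uid it returns should be replaced by an IPA-only admin account, as in the practice described above.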

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Tovey, Mark [mto...@go2uti.com]
Sent: Wednesday, 17 July 2013 10:06 a.m.
To: Rich Megginson
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory


    Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don’t want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or 
ou=IPA users or something like that), move the users you want to sync into that 
container, and sync only that container.


    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2





_______________________________________________

Freeipa-users mailing list

Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users
