At the end of the day, all we really need is password and preferably
account disabling synchronized. The rest is not absolutely necessary. I saw
that part of the documentation, but did not fully understand it (in a hurry!).
Now that I see it in a different light, it becomes much clearer. I will look
into this.
Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi (http://www.go2uti.com/) | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
[email protected] | O / C +1 503 953-1389
From: Rich Megginson [mailto:[email protected]]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: [email protected]
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory
On 07/16/2013 04:06 PM, Tovey, Mark wrote:
Ouch! The AD admins have already expressed an unwillingness to move some
users into a separate container. And I don't want to have several thousand
unnecessary entries in my IPA system. It looks like password synchronization
is not going to be an option.
With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
12.4.4.2. Configuring User Sync in the Command Line
To disable user sync, set nsds7NewWinUserSyncEnabled: off
Then, you will add the ntUser objectclass to each IPA user you want to sync,
and at the same time add the attribute ntUserDomainID: username (corresponds to
the AD user samAccountName attribute). This will "link" the IPA user entry to
the corresponding AD user entry.
You mention password sync and user sync - I'm not sure if you mean them
separately, or if you are implying that they have to be used together - they do
not. You should be able to install PassSync on your domain controllers
_without configuring a winsync agreement in IPA_. PassSync should then just
ignore password changes for users that it cannot find in IPA.
Thanks,
-Mark
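As an added illustration of the two changes Rich describes (not code from the thread or from the FreeIPA project), the script below emits the LDIF that turns off new-user creation on the winsync agreement and then links selected IPA users to their AD accounts via ntUser and ntUserDomainID. The suffix dc=example,dc=com, the agreement name "ad-sync", the host ipa.example.com and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the two LDIF changes Rich describes:
# turn off creation of DS entries for new AD users on the winsync agreement, then
# "link" each IPA user that should sync by adding objectClass ntUser and
# ntUserDomainID (the AD sAMAccountName). Assumed: suffix dc=example,dc=com,
# agreement name "ad-sync", IPA server ipa.example.com, users jdoe and asmith.
SUFFIX='dc=example,dc=com'
# 389 DS keeps the agreement under the mapping tree; "=" and "," in the suffix
# RDN are escaped as \3D and \2C.
AGREEMENT_DN="cn=ad-sync,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"

# LDIF: stop the agreement from creating IPA entries for AD users it finds.
disable_new_user_sync_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsds7NewWinUserSyncEnabled\nnsds7NewWinUserSyncEnabled: off\n' \
        "$AGREEMENT_DN"
}

# LDIF: link one existing IPA user (uid) to its AD account (sAMAccountName,
# defaults to the uid). Only entries carrying ntUser + ntUserDomainID are
# matched to AD once new-user sync is off.
link_user_ldif() {
    uid=$1
    sam=${2:-$1}
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nadd: objectClass\nobjectClass: ntUser\n-\nadd: ntUserDomainID\nntUserDomainID: %s\n' \
        "$uid" "$SUFFIX" "$sam"
}

# Build the full change set from "uid sAMAccountName" pairs on stdin, separating
# the LDIF records with blank lines so one ldapmodify run applies all of them.
build_changes() {
    disable_new_user_sync_ldif
    while read -r uid sam; do
        [ -n "$uid" ] || continue
        printf '\n'
        link_user_ldif "$uid" "$sam"
    done
}

# Constructed sample: two IPA users; asmith's AD account name differs from the uid.
SAMPLE_USERS='jdoe jdoe
asmith a.smith'

if [ "${1:-}" = "--apply" ]; then
    # Apply against the IPA 389 DS instance (prompts for the Directory Manager password).
    printf '%s\n' "$SAMPLE_USERS" | build_changes |
        ldapmodify -x -D 'cn=Directory Manager' -W -H ldap://ipa.example.com
else
    printf '%s\n' "$SAMPLE_USERS" | build_changes
fi
```

Run without arguments to review the generated LDIF; run with `--apply` to feed it to ldapmodify.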
From: Rich Megginson [mailto:[email protected]]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: [email protected]
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory
On 07/16/2013 01:48 PM, Tovey, Mark wrote:
Is there a way to limit what user accounts are synchronized from Active
Directory? There are around 15,000 entries in our production AD system, but
probably only about 300 of those need to have an account in the IPA system.
Can we set an attribute in the user information in AD that would flag that this
is a candidate for replication, and lack of that attribute would cause an
account to be skipped?
No. The only thing you can do is create a special container (cn=IPA users or
ou=IPA users or something like that), move the users you want to sync into that
container, and sync only that container.
Thanks,
-Mark
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users