On 07/16/2013 04:28 PM, Steven Jones wrote:
Hi,
PS there is a difference between password sync and user (win)sync,
they run independently.
So you can do password sync without winsync. Password sync puts an MSI
on the AD box to intercept the password and send it on before it's
encrypted (as I understand it)....
Correct.
that might also give your AD admins kittens....
Also correct, which is why the preferred long term solution is cross
domain trust.
;]
We also run IPA admins (who can log into the web UI) as a separate
user ID unique in IPA, that way if AD gets hacked the hacker doesn't
get to own IPA as well via a password change.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark
[mto...@go2uti.com]
*Sent:* Wednesday, 17 July 2013 10:06 a.m.
*To:* Rich Megginson
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from
Active Directory
Ouch! The AD admins have already expressed an unwillingness to move
some users into a separate container. And I don't want to have
several thousand unnecessary entries in my IPA system. It looks like
password synchronization is not going to be an option.
Thanks,
-Mark
*________________________________________________________________*
*Mark Tovey - UNIX Engineer | Service Strategy & Design*
UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland
| Oregon | 97204 | USA
mto...@go2uti.com <mailto:mto...@go2uti.com> | O / C +1 503 953-1389 |
Skype: mark.tovey2
*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 1:00 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from
Active Directory
On 07/16/2013 01:48 PM, Tovey, Mark wrote:
Is there a way to limit what user accounts are synchronized
from Active Directory? There are around 15,000 entries in our
production AD system, but probably only about 300 of those need to
have an account in the IPA system. Can we set an attribute in the
user information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an account
to be skipped?
No. The only thing you can do is create a special container (cn=IPA
users or ou=IPA users or something like that), move the users you want
to sync into that container, and sync only that container.
Thanks,
-Mark
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
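The two practical points in this thread, scoping the sync to one AD container (the DN handed to the winsync agreement, for example via the --win-subtree option of ipa-replica-manage connect --winsync) and keeping IPA admins as accounts that never come from AD, as an added offline example that is not from the thread or from FreeIPA itself. It assumes that winsynced IPA users carry the ntUser objectclass and that admins are members of cn=admins; all DNs and users below are constructed.

```python
# Added example, not from the thread: offline checks for the two points above.
# Assumes (not stated on the list) that winsynced IPA users carry the ntUser
# objectclass, admins are members of cn=admins, and sync scope is a DN suffix.
from dataclasses import dataclass, field

ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com"
SYNC_SUBTREE = "ou=IPA users,dc=ad,dc=example,dc=com"  # constructed container

def _norm(dn: str) -> str:
    # DNs compare case-insensitively; drop whitespace around RDN separators.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_sync_subtree(dn: str, subtree: str = SYNC_SUBTREE) -> bool:
    """True when dn sits under subtree; entries outside it are never synced."""
    d, s = _norm(dn), _norm(subtree)
    return d == s or d.endswith("," + s)

@dataclass
class IpaUser:
    dn: str
    objectclass: set[str]
    member_of: set[str] = field(default_factory=set)

def is_winsynced(user: IpaUser) -> bool:
    return "ntuser" in {oc.lower() for oc in user.objectclass}

def synced_admins(users, admins_dn: str = ADMINS_DN) -> list[str]:
    """DNs of users that are both IPA admins and AD-synced: the case where an
    AD password change or compromise carries straight over into IPA."""
    a = _norm(admins_dn)
    return sorted(u.dn for u in users
                  if is_winsynced(u) and a in {_norm(m) for m in u.member_of})

# Constructed sample data for a stand-alone run.
SAMPLE_USERS = [
    IpaUser("uid=ipaadmin,cn=users,cn=accounts,dc=ipa,dc=example,dc=com",
            {"person", "posixaccount"}, {ADMINS_DN}),
    IpaUser("uid=jdoe,cn=users,cn=accounts,dc=ipa,dc=example,dc=com",
            {"person", "posixaccount", "ntUser"}, {ADMINS_DN}),
    IpaUser("uid=asmith,cn=users,cn=accounts,dc=ipa,dc=example,dc=com",
            {"person", "posixaccount", "ntUser"}),
]

if __name__ == "__main__":
    print("in scope:", in_sync_subtree("cn=jdoe,ou=IPA users,dc=ad,dc=example,dc=com"))
    print("AD-synced admins:", synced_admins(SAMPLE_USERS))
```

Run it against a real export (for example an ldapsearch of cn=users with objectclass and memberOf) by building IpaUser entries from the results; any DN returned by synced_admins is an admin whose password is controlled from AD.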