Thanks,
-Mark
________________________________________________________________
*Mark Tovey - UNIX Engineer | Service Strategy & Design*
UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389
*From:* Rich Megginson <rmegg...@redhat.com>
*Sent:* Tuesday, July 16, 2013 4:06 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from Active Directory
On 07/16/2013 05:00 PM, Tovey, Mark wrote:
> We can live with that. We want to be able to disable an account in AD and have that flow out to our *nix servers. If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well.

I don't think PassSync will sync password deletion events.
Thanks,
-Mark
*From:* Rich Megginson <rmegg...@redhat.com>
*Sent:* Tuesday, July 16, 2013 3:53 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from Active Directory
On 07/16/2013 04:50 PM, Tovey, Mark wrote:
> At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.

> and preferably account disabling synchronized.

You have to use winsync for that.

> The rest is not absolutely necessary. I saw that part of the documentation, but did not fully understand it (in a hurry!). Now that I see it in a different light, it becomes much clearer. I will look into this.
Thanks,
-Mark
*From:* Rich Megginson <rmegg...@redhat.com>
*Sent:* Tuesday, July 16, 2013 3:17 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from Active Directory
On 07/16/2013 04:06 PM, Tovey, Mark wrote:
> Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don't want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute). This will "link" the IPA user entry to the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not. You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_. PassSync should then just ignore password changes for users that it cannot find in IPA.
Thanks,
-Mark
*From:* Rich Megginson <rmegg...@redhat.com>
*Sent:* Tuesday, July 16, 2013 1:00 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from Active Directory
On 07/16/2013 01:48 PM, Tovey, Mark wrote:
> Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.
Thanks,
-Mark
________________________________________________________________
*Mark Tovey - UNIX Engineer | Service Strategy & Design*
UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
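The two changes Rich describes in the 3:17 PM reply, turning off creation of IPA entries for new AD users on the winsync agreement and then linking only the chosen IPA users to their AD accounts with the ntUser objectclass and ntUserDomainID, written up as a script that generates the LDIF and hands it to ldapmodify. This is an added example, not code from the thread, from Rich, or from 389 DS/FreeIPA; the suffix dc=example,dc=test, the agreement DN cn=ad-sync,..., the IPA_HOST variable, the two sample users and the helper names safe_value, link_user_ldif and link_users_from_list are all assumptions.

```shell
#!/bin/sh
# Added example for the freeipa-users thread above; not code from the list,
# from Rich, or from 389 DS / FreeIPA. It builds the two LDIF changes from
# the 3:17 PM reply and pipes them to ldapmodify:
#   1. nsds7NewWinUserSyncEnabled: off on the winsync agreement, so new AD
#      users are no longer created in IPA;
#   2. objectclass ntUser plus ntUserDomainID (= AD samAccountName) on each
#      IPA user that should stay linked to its AD account.
# Assumptions (placeholders, not values from the thread): IPA_SUFFIX,
# USERS_BASE, AGREEMENT_DN, IPA_HOST and the bind DN below.

IPA_SUFFIX='dc=example,dc=test'            # edit to your IPA suffix
USERS_BASE="cn=users,cn=accounts,$IPA_SUFFIX"
# Placeholder agreement DN; find the real one with
#   ldapsearch -b cn=config '(objectclass=nsDSWindowsReplicationAgreement)' dn
AGREEMENT_DN='cn=ad-sync,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config'

# Accept only plain account names: spaces, newlines, commas, '+' or '='
# would change the generated DN or break the LDIF record itself.
safe_value() {
  case $1 in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# LDIF record that stops the agreement from creating IPA entries for new AD users.
disable_new_user_sync_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: nsds7NewWinUserSyncEnabled\nnsds7NewWinUserSyncEnabled: off\n\n' \
    "$AGREEMENT_DN"
}

# LDIF record linking one IPA user ($1 = uid) to its AD account ($2 = samAccountName).
link_user_ldif() {
  if ! safe_value "$1" || ! safe_value "$2"; then
    echo "link_user_ldif: refusing unsafe value '$1' / '$2'" >&2
    return 1
  fi
  printf 'dn: uid=%s,%s\nchangetype: modify\nadd: objectclass\nobjectclass: ntUser\n-\nadd: ntUserDomainID\nntUserDomainID: %s\n\n' \
    "$1" "$USERS_BASE" "$2"
}

# Read "uid samAccountName" pairs from stdin (samAccountName defaults to uid;
# '#' lines and blank lines are skipped) and emit one LDIF record per user.
link_users_from_list() {
  while read -r uid sam; do
    case $uid in '' | \#*) continue ;; esac
    link_user_ldif "$uid" "${sam:-$uid}" || return 1
  done
}

# Constructed sample allow-list; the ~300 users who need IPA accounts would
# be listed here, one per line, instead of these two.
SAMPLE_LIST='# constructed sample: IPA uid, AD samAccountName
mtovey mtovey
jdoe john.doe'

# Apply both changes to a live server (prompts for the Directory Manager password).
apply_changes() {
  {
    disable_new_user_sync_ldif
    printf '%s\n' "$SAMPLE_LIST" | link_users_from_list
  } | ldapmodify -x -H "ldap://${IPA_HOST:-localhost}" -D 'cn=Directory Manager' -W
}

# Without arguments: print the LDIF for review. With "apply": send it.
case "${1:-}" in
  apply) apply_changes ;;
  *) disable_new_user_sync_ldif; printf '%s\n' "$SAMPLE_LIST" | link_users_from_list ;;
esac
```

Run it without arguments to review the generated LDIF, then with `apply` to push it as Directory Manager (the agreement lives under cn=config, so an ordinary admin bind is not enough). The safe_value check is there because the uid and samAccountName end up inside a DN and an LDIF record, so a stray comma, '=' or newline in a list line would silently change which entry gets modified. Since Rich notes that PassSync ignores password changes for users it cannot find in IPA, any AD account left out of the list gets neither an IPA entry nor a synced password, which is the filtering Mark was after.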