Okay, I can see that I am just going to have to fire this up and play with 
it until I better understand what I can do and can't do.  But it sounds like I 
have enough options available to me now that I can make something acceptable 
work.  The first step is going to be to get the AD admins to set up the 
replication on their end.  We probably should start with a subcontainer anyway 
just so that I don't end up with the entire AD system inadvertently being 
replicated over.  Once we are familiar with it, then we can work out what the 
best configuration will be for how we want to operate.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 5:44 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 05:33 PM, Tovey, Mark wrote:

    You make this difficult!:)  But after explaining what we are trying to 
accomplish here to our AD Architect, he offered some flexibility with the 
subcontainer option.  My users may have to live with two accounts in AD (one 
for everyday functions like email, the other for extra access like *nix), but 
that will allow our User Account Management team to enable, disable, and reset 
accounts from within one tool.  Actual server access will still be managed by 
our Unix team through IPA.

You can't just disable sync of AD user creation?  And just add the sync 
attributes to the IPA entries you want to sync?


    Thanks,
     -Mark


From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 4:06 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 05:00 PM, Tovey, Mark wrote:

    We can live with that.  We want to be able to disable an account in AD and 
have that flow out to our *nix servers.  If we make the procedure to delete the 
password in AD, that should effectively disable the account in IPA as well.

I don't think PassSync will sync password deletion events.

    Thanks,
    -Mark


From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

    At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.

and preferably account disabling synchronized.

You have to use winsync for that.

The rest is not absolutely necessary.  I saw that part of the documentation, 
but did not fully understand it (in a hurry!).  Now that I see it in a 
different light, it becomes much clearer.  I will look into this.
    Thanks,
    -Mark


From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

    Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don't want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, 
and at the same time add the attribute ntUserDomainID: username (corresponds to 
the AD user samAccountName attribute).  This will "link" the IPA user entry to 
the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them 
separately, or if you are implying that they have to be used together - they do 
not.  You should be able to install PassSync on your domain controllers 
_without configuring a winsync agreement in IPA_.  PassSync should then just 
ignore password changes for users that it cannot find in IPA.

    Thanks,
    -Mark


From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or 
ou=IPA users or something like that), move the users you want to sync into that 
container, and sync only that container.

    Thanks,
    -Mark

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
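The two steps Rich describes in the thread (turn off new-user sync on the winsync agreement, then opt individual IPA users in by linking them to their AD account with ntUser and ntUserDomainID), written out as LDIF for ldapmodify. This is an added example, not from the thread or from the FreeIPA project; the agreement DN, the dc=example,dc=com suffix and the user jdoe are assumed placeholders.

```ldif
# Step 1: stop winsync from creating an IPA entry for every AD user.
# The agreement DN is an assumed placeholder; the real one lives under
# cn=mapping tree,cn=config on the IPA server and can be listed with:
#   ldapsearch -D "cn=Directory Manager" -W -b "cn=config" \
#     "(objectClass=nsDSWindowsReplicationAgreement)" dn
dn: cn=meToAD,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds7NewWinUserSyncEnabled
nsds7NewWinUserSyncEnabled: off

# Step 2: opt a single IPA user in to sync. ntUserDomainID must equal the
# AD user's sAMAccountName so the two entries are linked. Users without
# the ntUser objectclass are left alone, which is the point of the setup.
# jdoe and the suffix are assumed placeholders.
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ntUser
-
add: ntUserDomainID
ntUserDomainID: jdoe
```

Apply with `ldapmodify -D "cn=Directory Manager" -W -f sync-optin.ldif` on the IPA server; step 2 is repeated once per user that should be synced, and a user can be unlinked again by removing the same two attribute values.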