Hi

From the RH manual,

"15.6.3. Exempting Active Directory Users from Password Synchronization"

So the heading says I can?

or I cannot?

by running,

"ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"

Where the user would, say, be me, so I have to have a different password in IPA 
to AD.

If I cannot then the manual heading above is very confusing...

In terms of

"Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords."

I did wonder, but when I tested a normal user, there was no password reset 
required; the AD password just worked with the RHEL6 client login, no issues, 
no reset.

So I am confused.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272

> clude a user from PassSync the identity guide says run,
>
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
>
> Which means every time I want to exclude a user I have to do this via the 
> command line, and also I don't see how it's easily and quickly auditable either.
>
> e.g. how do I check who is and isn't excluded?
>
> Now if it's an IPA user group called, say, "excluded passsync users" and I just 
> drop the user(s) in, it's very easy to do and look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that
password.

Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?

rob
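The audit question raised above ("how do I check who is and isn't excluded?") and the ldapmodify snippet from the manual can both be handled with a little script. The following is an added example, not code from the thread or from FreeIPA: it parses the output of an ldapsearch against cn=ipa_pwd_extop,cn=plugins,cn=config to list the DNs currently in passSyncManagersDNs, and generates the LDIF for ldapmodify (with a "delete" variant, which the manual snippet does not show). The sample LDIF is constructed to look like ldapsearch output, including a folded long line; the host, bind DN and user DNs reuse the example.com values from the thread, and the password-file path is an assumption.

```python
"""Audit and manage passSyncManagersDNs on the ipa_pwd_extop plugin entry.

Added example (not part of the mailing-list thread). SAMPLE_LDIF is a
constructed imitation of what the command built by ldapsearch_argv() prints.
"""
import base64
from typing import Dict, List

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"
ATTR = "passSyncManagersDNs"

# Constructed sample output. ldapsearch wraps lines longer than 76 characters,
# continuing them on a line that starts with a single space (see the third
# value), and writes values it cannot print as "attr:: base64", so a naive
# grep for "passSyncManagersDNs:" would miss or truncate entries.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=ipa_pwd_extop,cn=plugins,cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: passSyncManagersDNs
#

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: uid=directory.synchronisation.service,cn=sysaccounts,cn
 =etc,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif_entries(ldif_text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into entries of {attribute (lowercased): [values]}.

    Handles folded continuation lines, comments and base64 ("::") values.
    Only blocks that carry a dn are returned, which drops the trailing
    "search:/result:" summary block.
    """
    unfolded: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():               # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def list_pass_sync_managers(ldif_text: str) -> List[str]:
    """Return the DNs whose password changes do not force a reset afterwards."""
    for entry in parse_ldif_entries(ldif_text):
        if entry["dn"][0].lower() == PLUGIN_DN.lower():
            return entry.get(ATTR.lower(), [])
    raise ValueError(f"{PLUGIN_DN} not found in ldapsearch output")


def ldapsearch_argv(host: str, bind_dn: str = "cn=Directory Manager",
                    passwd_file: str = "/root/.dm-pw") -> List[str]:
    """Command whose output feeds list_pass_sync_managers().

    -y reads the bind password from a file (assumed path) instead of -w secret
    on the command line, so it stays out of shell history and process listings.
    """
    return ["ldapsearch", "-x", "-D", bind_dn, "-y", passwd_file,
            "-H", f"ldap://{host}", "-b", PLUGIN_DN, "-s", "base", ATTR]


def modify_ldif(user_dn: str, op: str = "add") -> str:
    """LDIF for ldapmodify, as in the manual snippet; op="delete" reverses it."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    return f"dn: {PLUGIN_DN}\nchangetype: modify\n{op}: {ATTR}\n{ATTR}: {user_dn}\n"


if __name__ == "__main__":
    print("ldapsearch command:", " ".join(ldapsearch_argv("ldap.example.com")))
    for dn in list_pass_sync_managers(SAMPLE_LDIF):
        print("exempt from post-sync reset:", dn)
    print(modify_ldif("uid=user,cn=users,cn=accounts,dc=example,dc=com"))
```

Running the ldapsearch command periodically and diffing the list against an expected set is the simplest way to get the audit trail the thread asks for until a group-based RFE exists; every DN in it can change passwords without the forced reset, so unexpected additions deserve a look.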



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users