From the RH manual,
"15.6.3. Exempting Active Directory Users from Password Synchronization"
So the heading says I can? Or I cannot?
"ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
add: passSyncManagersDNs
passSyncManagersDNs:
Where the user would, say, be me, so I have to have a different password in IPA?
If I cannot, then the manual heading above is very confusing...
In terms of
"Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords."
I did wonder, but when I tested a normal user there was no password reset
required; the AD password just worked with the RHEL 6 client login, no issues.
So I am confused.
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
0064 4 463 6272
> ...clude a user from passsync, the identity guide says run,
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
> Which means every time I want to exclude a user I have to do this via the
> command line, and I also don't see how it's easily and quickly auditable.
> E.g. how do I check who is and isn't excluded?
> Now, if it's an IPA user group called, say, "excluded passsync users" and I
> just drop the user(s) in, it's very easy to do and to look at for auditing.
This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that
Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.
I like your idea of a group, can you file an RFE on this?
Freeipa-users mailing list
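As an added example (not code from this thread or from the FreeIPA project), the auditing question above can be answered with a plain ldapsearch against the ipa_pwd_extop plugin entry; the only work is unfolding the LDIF that ldapsearch prints, since long values are wrapped onto continuation lines. The helpers below parse that output, answer "is this DN listed?", and generate the ldapmodify LDIF for adding or removing a DN. The host ldap.example.com, the Directory Manager bind, and the sample ldapsearch output are assumptions made up for the example; the sample data is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example; not code from the thread or from the FreeIPA project.
# Host, credentials and the sample entry below are assumptions.

# Print the LDIF to feed ldapmodify that adds or removes one DN from
# passSyncManagersDNs on the ipa_pwd_extop plugin entry.
# Usage: passsync_manager_ldif add|delete 'uid=...,dc=example,dc=com'
passsync_manager_ldif() {
    case "$1" in
        add|delete) ;;
        *) echo "usage: passsync_manager_ldif add|delete DN" >&2; return 2 ;;
    esac
    printf 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf '%s: passSyncManagersDNs\n' "$1"
    printf 'passSyncManagersDNs: %s\n' "$2"
    printf '%s\n' '-'
}

# Read LDIF on stdin, unfold wrapped lines (LDIF continues a long value on
# the next line with a leading space) and print one passSyncManagersDNs
# value per line. Base64-encoded (::) values are not decoded here.
list_passsync_managers() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
        function emit(line,  prefix) {
            prefix = "passSyncManagersDNs: "
            if (index(line, prefix) == 1) print substr(line, length(prefix) + 1)
        }
    '
}

# Exit 0 if DN $1 appears among the passSyncManagersDNs values read on stdin.
# This is an exact string match; the server compares DNs case-insensitively
# and ignores some whitespace, so pass the DN as the server stores it.
is_passsync_manager() {
    list_passsync_managers | grep -Fqx -- "$1"
}

# Constructed "ldapsearch -LLL" output so the script runs offline (not real
# data); the second value is folded across two lines as ldapsearch wraps them.
sample_ldif() {
    cat <<'EOF'
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc
 =com

EOF
}

# Live use against a real server (host and bind DN are assumptions; -W prompts
# for the password instead of leaving it in argv and shell history):
#   ldapsearch -x -LLL -W -D "cn=Directory Manager" -h ldap.example.com -p 389 \
#       -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passSyncManagersDNs \
#     | list_passsync_managers
#   passsync_manager_ldif add 'uid=user,cn=users,cn=accounts,dc=example,dc=com' \
#     | ldapmodify -x -W -D "cn=Directory Manager" -h ldap.example.com -p 389

# Offline demonstration on the constructed sample: prints both DNs, unfolded.
sample_ldif | list_passsync_managers
```

Listing the attribute this way also makes Rob's point visible: the values are DNs permitted to set passwords without forcing a reset (the AD sync account being the usual member), not users excluded from synchronisation, so auditing it tells you who may bypass the reset, not who is exempt from sync.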