On Wed, 2013-11-13 at 00:14 +0000, Steven Jones wrote:
> From the RH manual,
> "15.6.3. Exempting Active Directory Users from Password Synchronization"
This paragraph is completely misguiding, sorry, we'll open a doc bug to
correct the explanation.
The list of users set in passSyncManagersDNs is allowed to set passwords
for any user without triggering password policy requirements. In the
synchronization case it means that although an 'administrative' account
is resetting another user password, that password is not marked for
immediate reset like it normally happens, it is indeed considered valid.
It has nothing to do with exempting users from password
Please DO NOT list regular, non administrative users in that attribute.
> So the heading says I can?
> or I cannot?
> by running,
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs:
> Where the user would say be me, so I have to have a different password in IPA
> to AD.
> If I cannot then the manual heading above is very confusing...
> In terms of
> "Without this then when a new password is synced from AD it would require
> a reset, which sort of defeats the point of syncing passwords."
> I did wonder but when I tested a normal user, there was no password reset
> required, the AD password just worked with the rhel6 client login, no issues,
> no reset.
> So I am confused.
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University ITS,
> Level 8 Rankin Brown Building,
> Wellington, NZ
> 0064 4 463 6272
> > clude a user from passync the identity guide says run,
> > "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p
> > 389
> > dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> > changetype: modify
> > add: passSyncManagersDNs
> > passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
> > Which means every time I want to exclude a user I have to do this via the
> > command line and also I don't see how it's easily and quickly auditable
> > either.
> > eg how do I check who is and isn't excluded?
> > Now if it's a IPA user group called say "excluded passsync users" and I just
> > drop the user(s) in, it's very easy to do and look at to audit.
> This isn't what passSyncManagersDNs does. What this value does is list
> the users who can change a password without requiring a reset of that
> Without this then when a new password is synced from AD it would require
> a reset, which sort of defeats the point of syncing passwords.
> I like your idea of a group, can you file an RFE on this?
> Freeipa-users mailing list
Simo Sorce * Red Hat, Inc * New York
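The thread raises two practical points: passSyncManagersDNs is a list of accounts whose password changes bypass the forced-reset policy (so only the sync service account and approved administrative DNs belong in it), and the original poster asks how to audit who is listed. The script below is an added example, not code from the thread or from FreeIPA. It parses the LDIF that a read of cn=ipa_pwd_extop,cn=plugins,cn=config would return, lists every value of the attribute, flags any DN that is not on an approved list (calling out regular user accounts under cn=users,cn=accounts explicitly), and builds the ldapmodify input that would remove the flagged values. The sample LDIF, the approved DNs and the `uid=passsync,cn=sysaccounts,cn=etc` service-account DN are constructed for the example; the `cn=users,cn=accounts` layout is taken from the DN quoted in the thread.

```python
"""Audit passSyncManagersDNs on the ipa_pwd_extop plugin entry.

Added example (not FreeIPA's own code). Input is the LDIF an
`ldapsearch -LLL -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs`
would return; every DN and the sample text below are constructed.
"""
import re

# Constructed sample output; the DNs are invented for this example.
# The second value is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,
 dc=com
passSyncManagersDNs: uid=sjones,cn=users,cn=accounts,dc=example,dc=com
"""

# Container that marks an ordinary IPA user (layout assumed from the DN
# quoted in the thread: uid=user,cn=users,cn=accounts,dc=example,dc=com).
USER_CONTAINER = ",cn=users,cn=accounts,"


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with a single space
    continues the previous logical line) and return the logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so DNs that
    differ only in case or spacing compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def ldif_attr_values(text, attr):
    """Return every value of `attr` (attribute names are case-insensitive)."""
    pattern = re.compile(r"^" + re.escape(attr) + r":\s*(.*)$", re.IGNORECASE)
    values = []
    for line in unfold_ldif(text):
        m = pattern.match(line)
        if m:
            values.append(m.group(1))
    return values


def audit_pass_sync_managers(ldif_text, expected_managers):
    """Classify each passSyncManagersDNs value against an approved list.

    Returns (ok, unexpected). `unexpected` is a list of (dn, reason); a DN
    under the user container is reported as a regular user account, which
    the thread says must not be listed here.
    """
    approved = {normalize_dn(d) for d in expected_managers}
    ok, unexpected = [], []
    for dn in ldif_attr_values(ldif_text, "passSyncManagersDNs"):
        ndn = normalize_dn(dn)
        if ndn in approved:
            ok.append(ndn)
        elif USER_CONTAINER in ndn:
            unexpected.append((ndn, "regular user account"))
        else:
            unexpected.append((ndn, "not in approved list"))
    return ok, unexpected


def removal_ldif(dns):
    """Build ldapmodify input that deletes the given values, mirroring the
    `add:` form quoted in the thread (one mod-spec per value, '-' separated)."""
    body = ["dn: cn=ipa_pwd_extop,cn=plugins,cn=config", "changetype: modify"]
    for dn in dns:
        body += ["delete: passSyncManagersDNs", f"passSyncManagersDNs: {dn}", "-"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Approved list: the sync service account plus the admin DN (constructed).
    approved = ["uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
                "uid=admin,cn=users,cn=accounts,dc=example,dc=com"]
    ok, bad = audit_pass_sync_managers(SAMPLE_LDIF, approved)
    print("approved entries:", ok)
    print("needs attention :", bad)
    if bad:
        print(removal_ldif(dn for dn, _ in bad))
```

Run against real output by piping the ldapsearch result into `audit_pass_sync_managers` in place of `SAMPLE_LDIF` and maintaining the approved list alongside the sync deployment; the approved list is what makes the check auditable, since any DN that drifts in without being added there is reported.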