Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Tovey, Mark

Okay, I can see that I am just going to have to fire this up and play with 
it until I better understand what I can do and can't do.  But it sounds like I 
have enough options available to me now that I can make something acceptable 
work.  The first step is going to be to get the AD admins to set up the 
replication on their end.  We probably should start with a subcontainer anyway 
just so that I don't end up with the entire AD system inadvertently being 
replicated over.  Once we are familiar with it, then we can work out what the 
best configuration will be for how we want to operate.
Thanks,
-Mark



Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 5:44 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 05:33 PM, Tovey, Mark wrote:

You make this difficult! :)  But after explaining what we are trying to 
accomplish here to our AD Architect, he offered some flexibility with the 
subcontainer option.  My users may have to live with two accounts in AD (one 
for everyday functions like email, the other for extra access like *nix), but 
that will allow our User Account Management team to enable, disable, and reset 
accounts from within one tool.  Actual server access will still be managed by 
our Unix team through IPA.

You can't just disable sync of AD user creation?  And just add the sync 
attributes to the IPA entries you want to sync?


Thanks,
 -Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 4:06 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 05:00 PM, Tovey, Mark wrote:

We can live with that.  We want to be able to disable an account in AD and 
have that flow out to our *nix servers.  If we make the procedure to delete the 
password in AD, that should effectively disable the account in IPA as well.

I don't think PassSync will sync password deletion events.



Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.




and preferably account disabling synchronized.

You have to use winsync for that.




The rest is not absolutely necessary.  I saw that part of the documentation, 
but did not fully understand it (in a hurry!).  Now that I see it in a 
different light, it becomes much clearer.  I will look into this.
Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don't want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set n

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Rich Megginson

On 07/16/2013 05:33 PM, Tovey, Mark wrote:


You make this difficult! :)  But after explaining what we are trying 
to accomplish here to our AD Architect, he offered some flexibility 
with the subcontainer option.  My users may have to live with two 
accounts in AD (one for everyday functions like email, the other for 
extra access like *nix), but that will allow our User Account 
Management team to enable, disable, and reset accounts from within one 
tool. Actual server access will still be managed by our Unix team 
through IPA.




You can't just disable sync of AD user creation?  And just add the sync 
attributes to the IPA entries you want to sync?



Thanks,

 -Mark


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 4:06 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 05:00 PM, Tovey, Mark wrote:

We can live with that.  We want to be able to disable an
account in AD and have that flow out to our *nix servers.  If we
make the procedure to delete the password in AD, that should
effectively disable the account in IPA as well.


I don't think PassSync will sync password deletion events.


Thanks,

-Mark


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 3:53 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 04:50 PM, Tovey, Mark wrote:

At the end of the day, all we really need is password


You can do this with just PassSync on AD and without the rest of winsync.



and preferably account disabling synchronized.


You have to use winsync for that.



The rest is not absolutely necessary.  I saw that part of the 
documentation, but did not fully understand it (in a hurry!).  Now 
that I see it in a different light, it becomes much clearer.  I will 
look into this.


Thanks,

-Mark


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 3:17 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch! The AD admins have already expressed an unwillingness to
move some users into a separate container.  And I don't want to
have several thousand unnecessary entries in my IPA system.  It
looks like password synchronization is not going to be an option.


With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to 
sync, and at the same time add the attribute ntUserDomainID: username 
(corresponds to the AD user samAccountName attribute).  This will 
"link" the IPA user entry to the corresponding AD user entry.


You mention password sync and user sync - I'm not sure if you mean 
them separately, or if you are implying that they have to be used 
together - they do not.  You should be able to install PassSync on 
your domain controllers _without configuring a winsync agreement in 
IPA_.  PassSync should then just ignore password changes for users 
that it cannot find in IPA.






Thanks,

-Mark



*From:*Rich Megginson

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Tovey, Mark

You make this difficult!  :)  But after explaining what we are trying to 
accomplish here to our AD Architect, he offered some flexibility with the 
subcontainer option.  My users may have to live with two accounts in AD (one 
for everyday functions like email, the other for extra access like *nix), but 
that will allow our User Account Management team to enable, disable, and reset 
accounts from within one tool.  Actual server access will still be managed by 
our Unix team through IPA.
Thanks,
 -Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 4:06 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 05:00 PM, Tovey, Mark wrote:

We can live with that.  We want to be able to disable an account in AD and 
have that flow out to our *nix servers.  If we make the procedure to delete the 
password in AD, that should effectively disable the account in IPA as well.

I don't think PassSync will sync password deletion events.


Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.



and preferably account disabling synchronized.

You have to use winsync for that.



The rest is not absolutely necessary.  I saw that part of the documentation, 
but did not fully understand it (in a hurry!).  Now that I see it in a 
different light, it becomes much clearer.  I will look into this.
Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don't want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, 
and at the same time add the attribute ntUserDomainID: username (corresponds to 
the AD user samAccountName attribute).  This will "link" the IPA user entry to 
the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them 
separately, or if you are implying that they have to be used together - they do 
not.  You should be able to install PassSync on your domain controllers 
_without configuring a winsync agreement in IPA_.  PassSync should then just 
ignore password changes for users that it cannot find in IPA.





Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way t

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Rich Megginson

On 07/16/2013 04:28 PM, Steven Jones wrote:

Hi,

PS there is a difference between password sync and user (win)sync, 
they run independently.


So you can do password sync without winsync.  Password sync puts a msi 
on the AD box to intercept the password and send it on before it's 
encrypted (as I understand it)

Correct.

that might also give your AD admins kittens
Also correct, which is why the preferred long term solution is cross 
domain trust.


;]

We also run IPA admins (who can log into the web ui) as a separate 
user ID unique in IPA, that way if AD gets hacked the hacker doesn't 
get to own IPA as well via a password change.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark 
[mto...@go2uti.com]

*Sent:* Wednesday, 17 July 2013 10:06 a.m.
*To:* Rich Megginson
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


Ouch!   The AD admins have already expressed an unwillingness to move 
some users into a separate container.  And I don't want to have 
several thousand unnecessary entries in my IPA system.  It looks like 
password synchronization is not going to be an option.


Thanks,

-Mark



*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 1:00 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized
from Active Directory? There are around 15,000 entries in our
production AD system, but probably only about 300 of those need to
have an account in the IPA system.  Can we set an attribute in the
user information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an account
to be skipped?


No.  The only thing you can do is create a special container (cn=IPA 
users or ou=IPA users or something like that), move the users you want 
to sync into that container, and sync only that container.



Thanks,

-Mark






___
Freeipa-users mailing list
Freeipa-users@redhat.com  <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users



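The linking procedure Rich describes in his 3:17 PM message quoted above (set nsds7NewWinUserSyncEnabled: off on the sync agreement, then add the ntUser objectclass and ntUserDomainID to each IPA user that should follow its AD account) and Steven's point about keeping IPA admin identities unlinked from AD, as an added example that is not part of this thread and not code from the IPA or 389 DS projects: a small Python script that generates the ldapmodify LDIF for both changes and audits which IPA entries are actually linked. Assumptions: the IPA suffix dc=example,dc=com with its standard cn=users,cn=accounts container, a placeholder winsync agreement DN you must replace, constructed sample entries in the dict-of-lists shape python-ldap returns, and the nsds7WindowsReplicaSubtree agreement attribute (a 389 DS attribute not mentioned in the thread) for the "sync only that container" option.

```python
"""Constructed example: generate LDIF for "link only the IPA users you want"
and audit which IPA entries are exposed to AD password/user sync.

Assumptions (not from the thread): IPA suffix dc=example,dc=com, users under
cn=users,cn=accounts, a placeholder winsync agreement DN, and the
nsds7WindowsReplicaSubtree attribute for restricting the agreement to one
AD container.
"""
from __future__ import annotations

IPA_SUFFIX = "dc=example,dc=com"                       # constructed suffix
USER_BASE = f"cn=users,cn=accounts,{IPA_SUFFIX}"      # standard IPA user container
# Placeholder: replace with the real winsync agreement DN under cn=config.
AGREEMENT_DN = ("cn=<winsync agreement>,cn=replica,cn=<escaped suffix>,"
                "cn=mapping tree,cn=config")


def user_sync_off_ldif(agreement_dn: str = AGREEMENT_DN,
                       ad_subtree: str | None = None) -> str:
    """LDIF that stops winsync creating IPA users from AD
    (nsds7NewWinUserSyncEnabled: off, as in the thread) and, optionally,
    limits the agreement to one AD container (nsds7WindowsReplicaSubtree,
    a 389 DS agreement attribute not mentioned in the thread)."""
    lines = [f"dn: {agreement_dn}", "changetype: modify",
             "replace: nsds7NewWinUserSyncEnabled",
             "nsds7NewWinUserSyncEnabled: off"]
    if ad_subtree:
        lines += ["-", "replace: nsds7WindowsReplicaSubtree",
                  f"nsds7WindowsReplicaSubtree: {ad_subtree}"]
    return "\n".join(lines) + "\n"


def link_user_ldif(uid: str, sam_account_name: str | None = None) -> str:
    """LDIF that links one existing IPA user to its AD account by adding the
    ntUser objectclass and ntUserDomainId (= the AD sAMAccountName)."""
    sam = sam_account_name or uid
    return "\n".join([
        f"dn: uid={uid},{USER_BASE}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: ntUser",
        "-",
        "add: ntUserDomainId",
        f"ntUserDomainId: {sam}",
    ]) + "\n"


def is_linked(entry: dict) -> bool:
    """True if an IPA entry carries both the ntUser objectclass and an
    ntUserDomainId, i.e. PassSync/winsync will act on it."""
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    return "ntuser" in ocs and bool(entry.get("ntuserdomainid"))


def audit(entries: list[dict], protected_uids: set[str]) -> dict:
    """Split entries into linked / unlinked and flag protected accounts
    (IPA-only admins, per Steven's practice) that are linked to AD and so
    would follow an AD password change."""
    linked = sorted(e["uid"][0] for e in entries if is_linked(e))
    unlinked = sorted(e["uid"][0] for e in entries if not is_linked(e))
    violations = sorted(u for u in linked if u in protected_uids)
    return {"linked": linked, "unlinked": unlinked, "violations": violations}


# Constructed sample IPA entries, attribute names lower-cased as python-ldap
# would return them (after normalisation).
SAMPLE_ENTRIES = [
    {"uid": ["jdoe"], "objectclass": ["person", "posixAccount", "ntUser"],
     "ntuserdomainid": ["jdoe"]},
    {"uid": ["asmith"], "objectclass": ["person", "posixAccount"]},
    {"uid": ["ipaadmin"], "objectclass": ["person", "posixAccount", "ntUser"],
     "ntuserdomainid": ["ipaadmin"]},
    # objectclass present but no ntUserDomainId: treated as not linked
    {"uid": ["halflinked"], "objectclass": ["person", "ntUser"]},
]

if __name__ == "__main__":
    print(user_sync_off_ldif(ad_subtree="ou=IPA users,dc=ad,dc=example,dc=com"))
    print(link_user_ldif("jdoe"))
    print(audit(SAMPLE_ENTRIES, {"ipaadmin"}))
```

Pipe the generated LDIF into ldapmodify against the IPA server (the agreement change needs Directory Manager; the user change needs an account allowed to modify objectClass on user entries). The audit takes the entries from an LDAP search of the user container; any uid it reports under "violations" is an IPA-only admin whose password would be overwritten by an AD password change.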

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Rich Megginson

On 07/16/2013 05:00 PM, Tovey, Mark wrote:


We can live with that.  We want to be able to disable an account 
in AD and have that flow out to our *nix servers.  If we make the 
procedure to delete the password in AD, that should effectively 
disable the account in IPA as well.




I don't think PassSync will sync password deletion events.


Thanks,

-Mark


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 3:53 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 04:50 PM, Tovey, Mark wrote:

At the end of the day, all we really need is password


You can do this with just PassSync on AD and without the rest of winsync.


and preferably account disabling synchronized.


You have to use winsync for that.


The rest is not absolutely necessary.  I saw that part of the 
documentation, but did not fully understand it (in a hurry!).  Now 
that I see it in a different light, it becomes much clearer.  I will 
look into this.


Thanks,

-Mark


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 3:17 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch! The AD admins have already expressed an unwillingness to
move some users into a separate container.  And I don't want to
have several thousand unnecessary entries in my IPA system.  It
looks like password synchronization is not going to be an option.


With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to 
sync, and at the same time add the attribute ntUserDomainID: username 
(corresponds to the AD user samAccountName attribute).  This will 
"link" the IPA user entry to the corresponding AD user entry.


You mention password sync and user sync - I'm not sure if you mean 
them separately, or if you are implying that they have to be used 
together - they do not.  You should be able to install PassSync on 
your domain controllers _without configuring a winsync agreement in 
IPA_.  PassSync should then just ignore password changes for users 
that it cannot find in IPA.





Thanks,

-Mark



*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 1:00 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized
from Active Directory?  There are around 15,000 entries in our
production AD system, but probably only about 300 of those need to
have an account in the IPA system.  Can we set an attribute in the
user information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an account
to be skipped?


No.  The only thing you can do is create a special container (cn=IPA 
users or ou=IPA users or something like that), move the users you want 
to sync into that container, and sync only that container.





Thanks,

-Mark


Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Tovey, Mark

We can live with that.  We want to be able to disable an account in AD and 
have that flow out to our *nix servers.  If we make the procedure to delete the 
password in AD, that should effectively disable the account in IPA as well.
Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.


and preferably account disabling synchronized.

You have to use winsync for that.


The rest is not absolutely necessary.  I saw that part of the documentation, 
but did not fully understand it (in a hurry!).  Now that I see it in a 
different light, it becomes much clearer.  I will look into this.
Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don't want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, 
and at the same time add the attribute ntUserDomainID: username (corresponds to 
the AD user samAccountName attribute).  This will "link" the IPA user entry to 
the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them 
separately, or if you are implying that they have to be used together - they do 
not.  You should be able to install PassSync on your domain controllers 
_without configuring a winsync agreement in IPA_.  PassSync should then just 
ignore password changes for users that it cannot find in IPA.




Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or 
ou=IPA users or something like that), move the users you want to sync into that 
container, and sync only that container.




Thanks,
-Mark










Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Rich Megginson

On 07/16/2013 04:50 PM, Tovey, Mark wrote:


At the end of the day, all we really need is password



You can do this with just PassSync on AD and without the rest of winsync.


and preferably account disabling synchronized.



You have to use winsync for that.

The rest is not absolutely necessary.  I saw that part of the 
documentation, but did not fully understand it (in a hurry!).  Now 
that I see it in a different light, it becomes much clearer.  I will 
look into this.


Thanks,

-Mark


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 3:17 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch! The AD admins have already expressed an unwillingness to
move some users into a separate container.  And I don't want to
have several thousand unnecessary entries in my IPA system.  It
looks like password synchronization is not going to be an option.


With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to 
sync, and at the same time add the attribute ntUserDomainID: username 
(corresponds to the AD user samAccountName attribute).  This will 
"link" the IPA user entry to the corresponding AD user entry.


You mention password sync and user sync - I'm not sure if you mean 
them separately, or if you are implying that they have to be used 
together - they do not.  You should be able to install PassSync on 
your domain controllers _without configuring a winsync agreement in 
IPA_.  PassSync should then just ignore password changes for users 
that it cannot find in IPA.




Thanks,

-Mark



*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 1:00 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized
from Active Directory?  There are around 15,000 entries in our
production AD system, but probably only about 300 of those need to
have an account in the IPA system.  Can we set an attribute in the
user information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an account
to be skipped?


No.  The only thing you can do is create a special container (cn=IPA 
users or ou=IPA users or something like that), move the users you want 
to sync into that container, and sync only that container.




Thanks,

-Mark








Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Tovey, Mark

At the end of the day, all we really need is password and preferably 
account disabling synchronized.  The rest is not absolutely necessary.  I saw 
that part of the documentation, but did not fully understand it (in a hurry!).  
Now that I see it in a different light, it becomes much clearer.  I will look 
into this.
Thanks,
-Mark




From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don't want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, 
and at the same time add the attribute ntUserDomainID: username (corresponds to 
the AD user samAccountName attribute).  This will "link" the IPA user entry to 
the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them 
separately, or if you are implying that they have to be used together - they do 
not.  You should be able to install PassSync on your domain controllers 
_without configuring a winsync agreement in IPA_.  PassSync should then just 
ignore password changes for users that it cannot find in IPA.

Thanks,
-Mark



Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or 
ou=IPA users or something like that), move the users you want to sync into that 
container, and sync only that container.



Thanks,
-Mark


Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Steven Jones
Hi,

PS there is a difference between password sync and user (win)sync, they run 
independently.

So you can do password sync without winsync.  Password sync puts an msi on the 
AD box to intercept the password and send it on before it's encrypted (as I 
understand it); that might also give your AD admins kittens

;]

We also run IPA admins (who can log into the web ui) as a separate user ID 
unique in IPA, that way if AD gets hacked the hacker doesn't get to own IPA as 
well via a password change.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Tovey, Mark [mto...@go2uti.com]
Sent: Wednesday, 17 July 2013 10:06 a.m.
To: Rich Megginson
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory


Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don’t want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.
Thanks,
-Mark



Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or 
ou=IPA users or something like that), move the users you want to sync into that 
container, and sync only that container.


Thanks,
-Mark


Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Rich Megginson

On 07/16/2013 04:06 PM, Tovey, Mark wrote:


Ouch!   The AD admins have already expressed an unwillingness to 
move some users into a separate container.  And I don't want to have 
several thousand unnecessary entries in my IPA system. It looks like 
password synchronization is not going to be an option.
With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to 
sync, and at the same time add the attribute ntUserDomainID: username 
(corresponds to the AD user samAccountName attribute). This will "link" 
the IPA user entry to the corresponding AD user entry.


You mention password sync and user sync - I'm not sure if you mean them 
separately, or if you are implying that they have to be used together - 
they do not.  You should be able to install PassSync on your domain 
controllers _without configuring a winsync agreement in IPA_.  PassSync 
should then just ignore password changes for users that it cannot find 
in IPA.
Thanks,

-Mark


*Mark Tovey - UNIX Engineer | Service Strategy & Design*

UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
| Oregon | 97204 | USA


mto...@go2uti.com <mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | 
Skype: mark.tovey2


*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Tuesday, July 16, 2013 1:00 PM
*To:* Tovey, Mark
*Cc:* Freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Limit password synchronization from 
Active Directory


On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized
from Active Directory?  There are around 15,000 entries in our
production AD system, but probably only about 300 of those need to
have an account in the IPA system.  Can we set an attribute in the
user information in AD that would flag that this is a candidate
for replication, and lack of that attribute would cause an account
to be skipped?


No.  The only thing you can do is create a special container (cn=IPA 
users or ou=IPA users or something like that), move the users you want 
to sync into that container, and sync only that container.



Thanks,

-Mark


*Mark Tovey - UNIX Engineer | Service Strategy & Design*

UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
| Oregon | 97204 | USA


mto...@go2uti.com <mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | 
Skype: mark.tovey2


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
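The two steps Rich describes above (turn off new-user sync on the winsync agreement, then link only the IPA users you want synced to their AD accounts), written out as LDIF for ldapmodify. This is an added example, not code from the thread or from the 389/FreeIPA projects; the agreement DN, the IPA suffix dc=example,dc=com, the AD host and the user jdoe are placeholders to substitute for your own.

```ldif
# Step 1: stop winsync from creating an IPA user for every AD entry.
# The agreement DN below is a placeholder. Look up the real one on the
# IPA server's 389 instance with:
#   ldapsearch -D "cn=Directory Manager" -W -b cn=config \
#     "(objectClass=nsDSWindowsReplicationAgreement)" dn
dn: cn=meToad.example.com,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds7NewWinUserSyncEnabled
nsds7NewWinUserSyncEnabled: off

# Step 2: opt one existing IPA user into sync by linking it to its AD
# account. ntUserDomainID must equal the AD samAccountName; IPA users
# without the ntUser objectclass are left out of user sync entirely.
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ntUser
-
add: ntUserDomainID
ntUserDomainID: jdoe
```

Apply with `ldapmodify -D "cn=Directory Manager" -W -f link-users.ldif` and repeat the second record for each of the ~300 accounts; `ipa user-show jdoe --all` should then list `ntUser` among the entry's object classes.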

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Tovey, Mark

Ouch!   The AD admins have already expressed an unwillingness to move some 
users into a separate container.  And I don't want to have several thousand 
unnecessary entries in my IPA system.  It looks like password synchronization 
is not going to be an option.
Thanks,
-Mark
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active 
Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or 
ou=IPA users or something like that), move the users you want to sync into that 
container, and sync only that container.


Thanks,
-Mark


Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Steven Jones
Hi,

No, I don't think so.  I've asked this... you have to clean up AD / the contents 
of the container you are syncing.

We have 8000+ items, at least 1/2 of which are not required, e.g. things like 
templates, so when we sync we bring all of it across and it makes IPA a huge 
mess.  I'd like a rule to at least block some things, e.g. anything called 
template*, which would help a lot.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Tovey, Mark [mto...@go2uti.com]
Sent: Wednesday, 17 July 2013 7:48 a.m.
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] Limit password synchronization from Active Directory


Is there a way to limit what user accounts are synchronized from Active 
Directory?  There are around 15,000 entries in our production AD system, but 
probably only about 300 of those need to have an account in the IPA system.  
Can we set an attribute in the user information in AD that would flag that this 
is a candidate for replication, and lack of that attribute would cause an 
account to be skipped?
Thanks,
-Mark


Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389 | Skype: 
mark.tovey2

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Limit password synchronization from Active Directory

2013-07-16 Thread Rich Megginson

On 07/16/2013 01:48 PM, Tovey, Mark wrote:


Is there a way to limit what user accounts are synchronized from 
Active Directory?  There are around 15,000 entries in our production 
AD system, but probably only about 300 of those need to have an 
account in the IPA system.  Can we set an attribute in the user 
information in AD that would flag that this is a candidate for 
replication, and lack of that attribute would cause an account to be 
skipped?
No.  The only thing you can do is create a special container (cn=IPA 
users or ou=IPA users or something like that), move the users you want 
to sync into that container, and sync only that container.
Thanks,

-Mark


*Mark Tovey - UNIX Engineer | Service Strategy & Design*

UTi  | 400 SW Sixth Ave, Suite 1100 | Portland 
| Oregon | 97204 | USA


mto...@go2uti.com  | O / C +1 503 953-1389 | 
Skype: mark.tovey2
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users