Re: [Freeipa-users] passwd sync

2012-03-29 Thread Rob Crittenden

Steven Jones wrote:

8<--

It cannot be a wildcard:
  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
      break;
  }
but it is multivalued.

8<--

This is over my head

8<--

What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.

8<

Ok, so at present when I set up a new user with a temp password in IPA and give 
it to the user, they have to set a new one on first login to a client.

Once password(s) flow through from AD I don't want the reset password feature in IPA to 
be functional when a user first logs in.


That is what passSyncManagersDNs does: it bypasses policy checks. It 
doesn't look at the individual entry being replicated; it looks at the 
user who is bound and doing the replication.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] passwd sync

2012-03-28 Thread Steven Jones
8<--

It cannot be a wildcard:
 if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
     pwdata.changetype = IPA_CHANGETYPE_DSMGR;
     break;
 }
but it is multivalued.

8<--

This is over my head

8<--

What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.

8<

Ok, so at present when I set up a new user with a temp password in IPA and give 
it to the user, they have to set a new one on first login to a client.

Once password(s) flow through from AD I don't want the reset password feature 
in IPA to be functional when a user first logs in.

regards




Re: [Freeipa-users] passwd sync

2012-03-28 Thread Dmitri Pal
On 03/28/2012 03:50 PM, Steven Jones wrote:
 8<--

 It cannot be a wildcard:
  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
      break;
  }
 but it is multivalued.

 8<--

 This is over my head

 8<--

 What exactly are you trying to do?  Defeat password sync for

 uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think 
 passSyncManagersDNs is what you want for that, unless I'm mistaken.

 8<

 Ok, so at present when I set up a new user with a temp password in IPA and 
 give it to the user, they have to set a new one on first login to a client.

 Once password(s) flow through from AD I don't want the reset password feature 
 in IPA to be functional when a user first logs in.

 regards



I do not think the password reset is required when you sync the users
from an external source. Only when you added a new user via CLI or UI or
migrated him.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] passwd sync

2012-03-28 Thread Steven Jones
Hi,

That is cool, but I have not read that anywhere. Can we get that bit written 
into the passsync section, or have I missed it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] passwd sync

2012-03-28 Thread Simo Sorce
On Wed, 2012-03-28 at 20:12 +, Steven Jones wrote:
 Hi,
 
 That is cool, but I have not read that anywhere, can we get that bit written 
 into the passsync section?  or have I missed it?

This may shed some light:
http://freeipa.org/page/PasswordSynchronization

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Or maybe it's on the AD, so it's

ou=People,dc=vuw,dc=ac,dc=nz

?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 28 March 2012 10:44 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] passwd sync

Section 7.4.2 on password sync calls for a download of a PassSync.msi... I 
cannot locate this, so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts cn=etc, then 
the dc= usual bits

I assume the two cn='s are standard?

number 4 point 4 ou=People,dc=example,dc=com  is a standard?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 28 March 2012 10:36 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On 03/27/2012 03:47 PM, Steven Jones wrote:

Hi

It's possible the uninstall from one IPA realm didn't work properly before I 
joined it to another?

Anyway I have included both logs just in case.  There is a suggestion that the 
Kerberos ticket isn't right?



Seems like the client fails to get its name properly. Something related to the 
host name resolution is likely not correct.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 27 March 2012 10:04 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not 
working

On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:


Hi,

I just started adding hosts/clients but DNS isn't being updated for the 
client(s).

Screenshot of error is attached



Hello Steven,

there is something wrong with your host keytab. As written in the
output, ipa-client-install could not get a TGT for
host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
DNS update failed.

Can you please attach a relevant portion of ipaclient-install.log so
that we can get more information about why it failed?

Alternatively, you can list credentials in the keytab with this command
yourself:
# klist -kt /etc/krb5.keytab

To test obtaining the TGT from the host keytab and thus reproducing this
issue, you can run this command:
# kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz

The command output itself, or KRB5KDC logs in IPA server should provide
a hint why the kinit fails.

Martin







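Martin's two checks quoted above (list the keytab, then kinit from it) can be run as one script that tells the keytab problems apart from KDC refusals. This is an added example, not code from the thread or from the FreeIPA project; it assumes MIT Kerberos client tools (klist, kinit), and the keytab path, host name and realm passed to it are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: run Martin's two
# checks (list the keytab, then kinit from it) and return a distinct code for
# each way the host TGT can fail. Assumes MIT Kerberos client tools (klist,
# kinit). The keytab path, host name and realm passed in are placeholders.

# keytab_has_principal KEYTAB PRINCIPAL
#   0: PRINCIPAL is listed in KEYTAB   1: readable but PRINCIPAL absent
#   2: KEYTAB missing or unreadable (client never enrolled, or keytab removed)
keytab_has_principal() {
    kt=$1; princ=$2
    [ -r "$kt" ] || return 2
    # klist -kt prints one "KVNO Timestamp Principal" row per key; match the whole name
    klist -kt "$kt" 2>/dev/null | grep -F -q -- " $princ" && return 0
    return 1
}

# host_tgt_check KEYTAB PRINCIPAL
#   0: kinit -k succeeded (the keytab key matches what the KDC has)
#   1/2: as keytab_has_principal   3: KDC rejected the request
host_tgt_check() {
    kt=$1; princ=$2
    if keytab_has_principal "$kt" "$princ"; then rc=0; else rc=$?; fi
    case $rc in
        2) echo "keytab $kt is missing or unreadable" >&2; return 2 ;;
        1) echo "$princ is not in $kt; entries present:" >&2
           klist -kt "$kt" >&2 || true
           return 1 ;;
    esac
    # Use a throwaway credential cache so the check never clobbers a real one.
    cc=$(mktemp /tmp/krb5cc_check.XXXXXX) || return 4
    # KRB5_TRACE makes libkrb5 log every KDC exchange to stderr: a realm or
    # host-name mismatch, or a kvno mismatch, shows up here without server logs.
    if KRB5_TRACE=/dev/stderr KRB5CCNAME="FILE:$cc" kinit -k -t "$kt" "$princ"; then
        KRB5CCNAME="FILE:$cc" klist >&2
        rm -f "$cc"
        return 0
    fi
    rm -f "$cc"
    # Log path is the Fedora/RHEL default for the IPA KDC (assumption).
    echo "KDC rejected $princ: compare it with 'hostname -f' and the realm in" \
         "/etc/krb5.conf, then check /var/log/krb5kdc.log on the IPA server" >&2
    return 3
}
```

On an enrolled client the call is `host_tgt_check /etc/krb5.keytab "host/$(hostname -f)@EXAMPLE.COM"`; a return of 1 or 2 means the enrollment (or a leftover keytab from the previous realm) is the problem, a 3 with the KRB5_TRACE output points at the KDC side.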

Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rich Megginson

On 03/27/2012 03:44 PM, Steven Jones wrote:
Section 7.4.2 on password sync calls for a download of a 
PassSync.msi... I cannot locate this, so your doc needs updating I think.
There is a version here: http://port389.org/wiki/Download - Windows 
Password Synchronization


For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts 
cn=etc, then the dc= usual bits


I assume the two cn='s are standard?

number 4 point 4 ou=People,dc=example,dc=com  is a standard?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Dmitri Pal
On 03/27/2012 05:44 PM, Steven Jones wrote:
 Section 7.4.2 on password sync calls for a download of a
 PassSync.msi... I cannot locate this, so your doc needs updating I think.

 For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
 cn=etc, then the dc= usual bits

 I assume the two cn='s are standard? 

 number 4 point 4 ou=People,dc=example,dc=com  is a standard?  

 So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

 ?

Isn't it in a separate channel that needs to be added?





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rob Crittenden

Steven Jones wrote:

Section 7.4.2 on password sync calls for a download of a
PassSync.msi... I cannot locate this, so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits

I assume the two cn='s are standard?


It isn't incorrect, if that is what you are asking. cn is a multi-valued 
attribute.



number 4 point 4 ou=People,dc=example,dc=com is a standard?


It is merely an example. I think the default location for AD users is 
ou=Users.



So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz


You'd want to check with your AD administrator(s).

rob



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Hi,

Dunno. I have raised a ticket with support to clarify where it is; I am unable 
to find it, and the document doesn't say which channel.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 28 March 2012 11:07 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/27/2012 05:44 PM, Steven Jones wrote:
Section 7.4.2 on password sync calls for a download of a PassSync.msi... I 
cannot locate this, so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts cn=etc, then 
the dc= usual bits

I assume the two cn='s are standard?

number 4 point 4 ou=People,dc=example,dc=com  is a standard?

So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

?

Isn't it in a separate channel that needs to be added?





Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Hi,

We want to do a one-way password sync from AD to IPA for staff but not students, 
as they are in a different AD domain.

Can we do a one-way sync?

Oh wait, also, while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?

7.4.3 talks about every password change wanting a reset.

So is there a way to disable this for all or some groups of users?

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

 uid=*,cn=staff,cn=accounts,dc=etc..

?

Since I'm setting the password complexity in AD and Psync, I assume that I simply 
do not want any policy for most users... but I still will need a global one for 
users who are not in AD.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] passwd sync

2012-03-27 Thread Dmitri Pal
On 03/27/2012 06:24 PM, Steven Jones wrote:
 Hi,

 We want to do a one-way password sync from AD to IPA for staff but not 
 students, as they are in a different AD domain.

 Can we do a one-way sync?

Yes

 Oh wait, also while I can only do one winsync to one AD domain, can I do a 
 password sync from 2 ADs to one IPA domain?

No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).

 7.4.3 talks about every password change wanting a reset.

Yes, because you need to capture passwords and create hashes in LDAP; for
that, passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly; this is why we are spending so much time and effort on building
trusts, so that IPA can just accept AD tickets without any sync.

 So is there a way to disable this for all or some groups of users?  

 I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

 could be,

  uid=*,cn=staff,cn=accounts,dc=etc..

I will leave it to Rich to explain this.

 ?

 Since I'm setting the password complexity in AD and Psync, I assume that I 
 simply do not want any policy for most users... but I still will need a 
 global one for users who are not in AD.

Correct
 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rich Megginson

On 03/27/2012 05:01 PM, Dmitri Pal wrote:

On 03/27/2012 06:24 PM, Steven Jones wrote:

Hi,

We want to do a one-way password sync from AD to IPA for staff but not students, 
as they are in a different AD domain.

Can we do a one-way sync?

Yes
One-way sync for everything, or one-way sync for everything except 
student passwords?  The former is easy; the latter is not possible AFAIK.



Oh wait, also while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?

No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).
ipa winsync cannot add users added to IPA to AD - you'll have to add 
those manually to AD, then they will be in sync for modify operations.



7.4.3 talks about every password change wanting a reset.

Yes, because you need to capture passwords and create hashes in LDAP; for
that, passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly; this is why we are spending so much time and effort on building
trusts, so that IPA can just accept AD tickets without any sync.

+1



So is there a way to disable this for all or some groups of users?

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

  uid=*,cn=staff,cn=accounts,dc=etc..

I will leave to Rich to explain this

It cannot be a wildcard:
if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
    pwdata.changetype = IPA_CHANGETYPE_DSMGR;
    break;
}
but it is multivalued.


What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.




?

Since I'm setting the password complexity in AD and Psync, I assume that I simply 
do not want any policy for most users... but I still will need a global one for 
users who are not in AD.

Correct

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


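Rich's code above, and Rob's explanation at the top of the thread, make the same point: passSyncManagersDNs is compared with strcasecmp() against the DN that is bound, so each value is one exact DN (case-insensitive, never a pattern), the attribute is multi-valued, and a matching bind skips the password policy checks. The shell functions below are an added example rather than code from the thread or from FreeIPA: they build the LDIF for the plugin entry the FreeIPA password-sync documentation uses (cn=ipa_pwd_extop,cn=plugins,cn=config), reject values the plugin could never match, and mirror the plugin's comparison. All DNs used with them are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: build the LDIF that
# adds passSyncManagersDNs values and mirror how the plugin tests them.
# ipa_pwd_extop compares the bound DN against each configured value with
# strcasecmp(), so a value is one exact DN (case-insensitive), never a pattern,
# and the attribute is multi-valued, so you list every sync account separately.
# The DNs used with these functions are made up.

# Plugin entry from the FreeIPA password-sync setup documentation (assumption
# about the deployment: no local override of the plugin DN).
PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'

# passsync_dn_ok DN -> 0 if DN can ever match a bind DN, 1 if it cannot
passsync_dn_ok() {
    cand=$1
    case "$cand" in
        '')     return 1 ;;   # empty
        *'*'*)  return 1 ;;   # wildcard: strcasecmp() never treats '*' specially
        *=*)    return 0 ;;   # at least one attr=value RDN
        *)      return 1 ;;
    esac
}

# passsync_ldif DN... -> LDIF on stdout with one add value per usable DN;
# returns 1 (after printing what it could) if any DN was rejected
passsync_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\n' "$PLUGIN_DN"
    bad=0
    for dn in "$@"; do
        if passsync_dn_ok "$dn"; then
            printf 'passSyncManagersDNs: %s\n' "$dn"
        else
            echo "rejected (exact bind DN required, no wildcards): $dn" >&2
            bad=1
        fi
    done
    return $bad
}

# passsync_matches BIND_DN VALUE... -> 0 if BIND_DN equals one VALUE ignoring case.
# This is the plugin's loop: the identity doing the bind is what is tested, not
# the user entry whose password is being replicated.
passsync_matches() {
    bind=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    for v in "$@"; do
        [ "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" = "$bind" ] && return 0
    done
    return 1
}
```

Feed the LDIF to `ldapmodify -x -D 'cn=Directory Manager' -W` on the IPA server. Since every DN listed here gets password changes through without policy checks, keep the list to the PassSync system account(s); adding ordinary user DNs, or trying a wildcard for a whole container, does not turn policy off for those users and, for any exact user DN you did add, would let that account bypass policy.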


Re: [Freeipa-users] passwd sync

2012-03-27 Thread Steven Jones
Hi

Until we collapse the domains into one we will have a one-way sync for staff 
only...  I assume because a student does not exist if staff then there will be 
no sync... they will simply have a Linux/IPA password.

I don't need anything to go from IPA to AD; it's all AD to IPA or manually 
created in IPA, which stays there.

"What exactly are you trying to do?  Defeat password sync for"  -  Turn off 
password policy for everyone. Policy will be controlled by AD or Psync... so the 
password should come through from AD via passsync with the complexity we 
want..

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] passwd sync

2012-03-27 Thread Rich Megginson

On 03/27/2012 07:36 PM, Steven Jones wrote:

Hi

Until we collapse the domains into one we will have a one way sync for staff 
only...  I assume because a student does not exist if staff then there will be 
no sync... they will simply have a linux/IPA password.

I don't need anything to go from IPA to AD, it's all AD to IPA or manually 
created in IPA which stays there.

ok - then you can just use the oneWaySync feature of 389.


What exactly are you trying to do?  Defeat password sync for   -  Turn off 
password policy for everyone. Policy will be controlled by AD or Psync... so the password 
should come through from AD via passsync with the complexity we want..

Not sure how you do that with IPA


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 28 March 2012 1:54 p.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

On 03/27/2012 05:01 PM, Dmitri Pal wrote:

On 03/27/2012 06:24 PM, Steven Jones wrote:

Hi,

We want to do a one way password sync from AD to IPA for staff but not students 
as they are a different AD domain,

can we do a one way sync?

Yes

one way sync for everything or one way sync for everything except
student passwords?  the former is easy, the latter is not possible afaik

Oh wait, also while I can only do one winsync to one AD domain, can I do a 
password sync from 2 ADs to one IPA domain?

No. One Domain.
IPA can sync only from one AD domain. And it can't sync users back (DS can).

ipa winsync cannot add users added to IPA to AD - you'll have to add
those manually to AD, then they will be in sync for modify operations.

7.4.3 talks about every password change wanting a reset.

Yes because you need to capture passwords and create hashes in LDAP; for
that, passwords need to be reset and passsync needs to be put on the AD
to capture the changes.
This is ugly; this is why we are spending so much time and effort on building
trusts so that IPA can just accept AD tickets without any sync.

+1

So is there a way to disable this for all or some groups of users?

I assume passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=etc

could be,

   uid=*,cn=staff,cn=accounts,dc=etc..

I will leave to Rich to explain this

It cannot be a wildcard:
  if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
      pwdata.changetype = IPA_CHANGETYPE_DSMGR;
      break;
  }
but it is multivalued.


What exactly are you trying to do?  Defeat password sync for

uid=*,cn=staff,cn=accounts,dc=etc ?  Because I don't think passSyncManagersDNs 
is what you want for that, unless I'm mistaken.


?

Since I'm setting the password complexity in AD and Psync I assume that I simply 
do not want any policy for most users... but I still will need a global for 
users who are not in AD.

Correct

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 28 March 2012 11:16 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwd sync

Steven Jones wrote:

Section 7.4.2 on password sync calls for a download of a
PassSync.msi... I cannot locate this... so your doc needs updating I think.

For the 7.4.2 number 4 point 2 I see uid=passync cn=systemaccounts
cn=etc, then the dc= usual bits

I assume the two cn='s are standard?

It isn't incorrect, if that is what you are asking. cn is a multi-valued
attribute.


number 4 point 4 ou=People,dc=example,dc=com is a standard?

It is merely an example. I think the default location for AD users is
ou=Users.


So in my case it would simply be ou=People,dc=ods,dc=vuw,dc=ac,dc=nz

You'd want to check with your AD administrator(s).

rob



Re: [Freeipa-users] passwd sync

2012-03-27 Thread Simo Sorce
On Tue, 2012-03-27 at 19:40 -0600, Rich Megginson wrote:
 On 03/27/2012 07:36 PM, Steven Jones wrote:
  Hi
 
   Until we collapse the domains into one we will have a one way sync for 
   staff only...  I assume because a student does not exist if staff then 
   there will be no sync... they will simply have a linux/IPA password.
  
   I don't need anything to go from IPA to AD, it's all AD to IPA or manually 
   created in IPA which stays there.
 ok - then you can just use the oneWaySync feature of 389.
 
   What exactly are you trying to do?  Defeat password sync for   -  Turn 
   off password policy for everyone. Policy will be controlled by AD or 
   Psync... so the password should come through from AD via passsync with the 
   complexity we want..
 Not sure how you do that with IPA

passsync uses a user to save passwords in IPA, all you need to do is to
make sure that user is one of the passsync managers. When you do that
password policy is not enforced at all and the password is taken in as
is w/o any check.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

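The two points made above, Rich's strcasecmp() loop (passSyncManagersDNs is multi-valued but matched exactly, so a wildcard value never matches anything) and Simo's advice to make the PassSync bind user one of the managers so policy is bypassed for replicated passwords, worked through as an added example. This is not code from the thread or from FreeIPA; it models the quoted comparison in Python, flags manager values that can never match, and emits the ldapmodify LDIF for the ipa_pwd_extop plugin entry. The plugin DN cn=ipa_pwd_extop,cn=plugins,cn=config is where FreeIPA's documentation places the attribute (verify against your own install); every other DN in the block is a constructed placeholder.

```python
"""Added example (not FreeIPA's own code): how the ipa_pwd_extop plugin's
passSyncManagersDNs check behaves, based on the strcasecmp() loop quoted in
the thread, plus the LDIF that makes the PassSync bind user a manager.

Assumptions: the plugin entry DN cn=ipa_pwd_extop,cn=plugins,cn=config is
where passSyncManagersDNs lives; all other DNs are constructed placeholders.
"""

from typing import Iterable, List

# Entry holding passSyncManagersDNs (assumed; see module docstring).
PWD_EXTOP_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"


def is_passsync_manager(bind_dn: str, managers: Iterable[str]) -> bool:
    """Mirror the quoted loop: each configured value is compared with the
    bound DN by strcasecmp(), i.e. whole-string and case-insensitive, with
    no wildcard or substring matching. The first hit wins (the loop breaks)."""
    for mgr in managers:
        if mgr.casefold() == bind_dn.casefold():
            return True
    return False


def policy_enforced(bind_dn: str, managers: Iterable[str]) -> bool:
    """A matching bind gets changetype IPA_CHANGETYPE_DSMGR, which (as Simo
    explains) skips the password-policy checks; every other bind is subject
    to policy. Returns True when policy applies to this bind DN."""
    return not is_passsync_manager(bind_dn, managers)


def useless_manager_values(managers: Iterable[str]) -> List[str]:
    """Configured values that can never equal a real bind DN under exact
    matching, e.g. a wildcard RDN. Handy as a configuration sanity check."""
    return [m for m in managers if "*" in m]


def passsync_manager_ldif(manager_dns: Iterable[str]) -> str:
    """LDIF adding one or more manager DNs (the attribute is multi-valued),
    to be fed to ldapmodify as Directory Manager."""
    lines = [f"dn: {PWD_EXTOP_DN}", "changetype: modify", "add: passSyncManagersDNs"]
    lines += [f"passSyncManagersDNs: {dn}" for dn in manager_dns]
    return "\n".join(lines) + "\n"


# Constructed sample configuration for the demonstration.
SAMPLE_MANAGERS = [
    "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
    "uid=*,cn=staff,cn=accounts,dc=example,dc=com",  # wildcard: never matches
]

if __name__ == "__main__":
    for dn in ("uid=PassSync,cn=sysaccounts,cn=etc,dc=example,dc=com",
               "uid=alice,cn=staff,cn=accounts,dc=example,dc=com"):
        print(f"{dn}: policy enforced = {policy_enforced(dn, SAMPLE_MANAGERS)}")
    print("unusable values:", useless_manager_values(SAMPLE_MANAGERS))
    print(passsync_manager_ldif(SAMPLE_MANAGERS[1:2]))
```

The case-insensitive match means uid=PassSync and uid=passsync are the same manager, but the wildcard entry only ever matches a bind whose DN is literally uid=*,cn=staff,..., which no real account has. Because the decision is taken on the bound DN and not on the entry being written, listing the PassSync service account is what turns off policy for synced passwords, while ordinary users changing their own password in IPA still get the global policy, which is the split the thread asks for.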