List: fedora-directory-users
Subject: [389-users] Re: sync AD account state
From: Mark Reynolds <mreynolds () redhat ! com>
Date: 2019-09-05 13:50:42
Message-ID: 408ad18f-54d9-ecd8-9941-29c2c503ca19 () redhat ! com
On 9/5/19 5:16 AM, DaV wrote:
> Hi guys,
> How can I sync account state from Windows AD to 389ds
> 1. account disabled
> 2. account lockout
> 3. password expired
>
> I want to sync these attributes from Windows AD to 389ds, would you
> please tell me? Thanks in advance.
Well, according to the docs, password policy is managed locally by each
server. There is no synchronization of password policy state:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_the_password_policy-synchronizing_passwords
What it says to do is try as best you can to configure both AD's and
389's password policies to be the same: password expiration time, etc.
Then they should be enforced correctly on each system.
For account enabled/disabled, it looks like if you just enable the posix
winsync plugin it will sync some of the account disabled/enabled state
by default:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/posix-sync
I've never set this up, so I don't know if it will work, but give it a try.
Mark
>
> Sincerely,
> --
> DaV
>
>
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
--
389 Directory Server Development Team