
List:       fedora-directory-users
Subject:    [389-users] Re: sync AD account state
From:       Mark Reynolds <mreynolds () redhat ! com>
Date:       2019-09-05 13:50:42
Message-ID: 408ad18f-54d9-ecd8-9941-29c2c503ca19 () redhat ! com


On 9/5/19 5:16 AM, DaV wrote:
> Hi guys,
> How can I sync account state from Windows AD to 389ds
> 1. account disabled
> 2. account lockout
> 3. password expired
> 
> I want to sync these attributes from Windows AD to 389ds, would you 
> please tell me? Thanks in advance.

Well, according to the docs, password policy is managed locally by each 
server. There is no synchronization of password policy state:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_the_password_policy-synchronizing_passwords


What it says to do is try as best you can to configure both AD's and 
389's password policies to be the same: password expiration time, etc. 
Then they should be enforced correctly on each system.

For account enabled/disabled, it looks like if you just enable the posix 
winsync plugin it will sync some of the account disabled/enabled state 
by default:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/posix-sync


I've never set this up, so I don't know if it will work, but give it a try.

Mark




> 
> Sincerely,
> --
> DaV
> 
> 
> 
> 
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

-- 

389 Directory Server Development Team
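
An added example, not part of the original message and not 389 Directory Server code: since password policy state is enforced separately on each side, this check compares the three states asked about (disabled, locked out, password expired) for entries already fetched from both directories. The attribute choices (AD `userAccountControl` and `msDS-User-Account-Control-Computed`; 389 DS `nsAccountLock`, `accountUnlockTime`, `passwordExpirationTime`), the uid keys and all sample values are assumptions of this example.

```python
from datetime import datetime, timezone

# AD flag bits. Lockout and password-expired are computed flags, so they are
# read from msDS-User-Account-Control-Computed, not userAccountControl.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_PASSWORD_EXPIRED = 0x800000

def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20190905135042Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def ad_state(entry):
    uac = int(entry.get("userAccountControl", 0))
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))
    return {"disabled": bool(uac & UF_ACCOUNTDISABLE),
            "locked": bool(computed & UF_LOCKOUT),
            "expired": bool(computed & UF_PASSWORD_EXPIRED)}

def ds_state(entry, now):
    unlock = entry.get("accountUnlockTime")
    expires = entry.get("passwordExpirationTime")
    return {"disabled": entry.get("nsAccountLock", "false").lower() == "true",
            # Simplification: only a timed lockout that is still running counts.
            "locked": unlock is not None and gtime(unlock) > now,
            "expired": expires is not None and gtime(expires) <= now}

def drift(ad_entries, ds_entries, now):
    """Return {uid: [states that differ]} for accounts present on both sides."""
    report = {}
    for uid, ad in ad_entries.items():
        if uid in ds_entries:
            a, d = ad_state(ad), ds_state(ds_entries[uid], now)
            diff = sorted(k for k in a if a[k] != d[k])
            if diff:
                report[uid] = diff
    return report

# Constructed sample entries (attribute values as strings, as LDAP returns them).
NOW = gtime("20190905135042Z")
AD = {"alice": {"userAccountControl": "514"},  # 512 | ACCOUNTDISABLE
      "bob": {"userAccountControl": "512",
              "msDS-User-Account-Control-Computed": "8388608"},  # expired
      "carol": {"userAccountControl": "512",
                "msDS-User-Account-Control-Computed": "16"}}     # locked out
DS = {"alice": {"nsAccountLock": "true"},
      "bob": {"passwordExpirationTime": "20200101000000Z"},
      "carol": {}}

if __name__ == "__main__":
    for uid, states in drift(AD, DS, NOW).items():
        print(uid, "differs in:", ", ".join(states))
```

An account that is disabled, locked or expired in AD but not in 389 DS is the case to review first, because it can still bind against the directory that did not receive the state.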





