[Freeipa-users] Re: Syncing AD to IPA users

Hi, On Thu, Jun 9, 2022 at 8:58 AM Ronald Wimmer via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org&gt; wrote: > On 25.04.22 18:21, Ronald Wimmer via FreeIPA-users wrote: >> We managed to use IPA users as AIX users in our environment. >> Preferrably, we would like to use users from an AD group directly what >> does not seem to be possible without SSSD for AIX, right? >> >> As an alternative it would be great to synchronize users in a specific >> AD group to IPA users. I already have a draft of a python script in mind >> that could do the job. >> >> Is there any way go synchronize a user's password from AD? > > After doing some research I found out that there are some products on > the market which are capable of doing that. So, what's the point here? > What is needed to make that possible? > > Could someone with a deeper AD understanding shade a little light into > this matter? > > IdM also provides a synchronization feature (between AD and IdM, please refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... and more specifically https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... ). The synchronization of passwords requires a service to be installed and configured on AD domain controllers. It cannot sync already existing passwords (because they are stored in a hashed form) but is able to capture password addition/changes and synchronize the new password to IdM. Please note however that the doc states the following: In some integration scenarios, the user synchronization may be the only available option, but in general, use of the synchronization approach is discouraged in favor of the cross-realm trust-based integration