Hi,
On Thu, Jun 9, 2022 at 8:58 AM Ronald Wimmer via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> On 25.04.22 18:21, Ronald Wimmer via FreeIPA-users wrote:
>> We managed to use IPA users as AIX users in our environment.
>> Preferably, we would like to use users from an AD group directly, which
>> does not seem to be possible without SSSD for AIX, right?
>>
>> As an alternative it would be great to synchronize users in a specific
>> AD group to IPA users. I already have a draft of a python script in mind
>> that could do the job.
>>
>> Is there any way to synchronize a user's password from AD?
>
> After doing some research I found out that there are some products on
> the market which are capable of doing that. So, what's the point here?
> What is needed to make that possible?
>
> Could someone with a deeper AD understanding shed a little light on
> this matter?
>
>
IdM also provides a synchronization feature (between AD and IdM, please
refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
and more specifically
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
).
The synchronization of passwords requires a service to be installed and
configured on AD domain controllers. It cannot sync already existing
passwords (because they are stored in a hashed form) but is able to capture
password addition/changes and synchronize the new password to IdM.
Please note however that the doc states the following:
"In some integration scenarios, the user synchronization may be the only
available option, but in general, use of the synchronization approach is
discouraged in favor of the cross-realm trust-based integration"

Thanks for this info. It is the answer I was hoping for!
Cheers,
Ronald