Bug 45658 - Decouple user password sync mode from user sync mode
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.4
Importance: P5 enhancement with 3 votes
Assigned To: Samba maintainers
Duplicates: 22653
Reported: 2017-11-06 15:56 CET by Michael Grandjean
Modified: 2021-06-03 15:49 CEST

What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
School Customer affected?: Yes


Description Michael Grandjean univentionstaff 2017-11-06 15:56:26 CET
It should be possible to have different sync_modes (sync directions) for user objects and user password hashes.

A scenario that is often desired (especially in UCS@school environments) is:

* UCS is the leading directory service
* AD-Connector writes to an MS AD (sync_mode=write)
* But users should be able to also change their password in the MS AD environment (which then needs to be synced back)

Right now the user password sync always has the same sync_mode as the user objects. But in the example above we want:

* user sync_mode: write
* user password sync_mode: sync
Comment 1 Ingo Steuwer univentionstaff 2020-07-03 20:26:51 CEST
*** Bug 22653 has been marked as a duplicate of this bug. ***
Comment 2 Ingo Steuwer univentionstaff 2020-07-03 20:28:54 CEST
This should include scenarios where users are sync and passwords only read or write.

In principle this is already possible by running two instances of the AD Connector (which is supported) and configuring the sync modes individually. This is not well documented and has some limitations (pure password sync is not easy to achieve).