Univention Bugzilla – Bug 45658
Decouple user password sync mode from user sync mode
Last modified: 2021-06-03 15:49:08 CEST
It should be possible to have different sync_modes (sync directions) for user objects and user password hashes.

A scenario that is often desired (especially in UCS@school environments) is:
* UCS is the leading directory service
* AD-Connector writes to an MS AD (sync_mode=write)
* But users should be able to also change their password in the MS AD environment (which then needs to be synced back)

Right now the user password sync always has the same sync_mode as the user objects. But in the example above we want:
* user sync_mode: write
* user password sync_mode: sync
*** Bug 22653 has been marked as a duplicate of this bug. ***
This should include scenarios where users are sync and passwords only read or write. In principle this is already possible by running two instances of the AD Connector (which is supported) and configuring the sync modes individually. This is not well documented and has some limitations (pure password sync is not easy to achieve).