On 09/17/2012 03:34 PM, Steven Jones wrote:
Hi,
I'm confused, as section 8.4.5, page 182, first paragraph of the Red Hat
admin guide for IPA says this (it's bi-directional)... so that section
needs updating?
In IPA, adding users is uni-directional, from AD to IPA. However, once
the users are in sync, updates are bi-directional. This includes
account disable, which syncs both directions.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
[d...@redhat.com]
*Sent:* Tuesday, 18 September 2012 9:22 a.m.
*To:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreements, mostly one way.
On 09/17/2012 04:55 PM, Steven Jones wrote:
In section 8.4.5 it talks about making an agreement one way... which
is mostly what I want, so everything incl. password changes from AD to
IPA, except I want account disabled/enabled to flow both ways.
So if I do a
ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows
Does this affect bi-directional disabling? I assume it does...
So then I have to do a,
ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: ipaWinSyncAcctDisable
ipaWinSyncAcctDisable: both
is that syntax right?
The winsync plugin used in IPA comes originally from DS. In the context of
IPA it can only be one way, so changing this configuration is not
something we expect or that would work in IPA. In the DS context you can
have two-way sync of users and groups.
AFAIK (Rich, please correct me) we do not replicate the
enabled/disabled status from IPA to AD.
Conceptually we think of AD as the authoritative source for the
information. Allowing a user to be disabled by an IPA admin and then
replicating this status back violates this model and would sound really
dangerous for the AD side. Are you sure that, even if that were
allowed, your AD admins would actually permit you to do that?
Anyways, so far it is one of the limitations of the current product.
You can definitely explain the use case in a bit more detail and file
an RFE. If the use case is compelling we will consider it for a
later release.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
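The two settings argued over in this thread, oneWaySync on the sync agreement and ipaWinSyncAcctDisable on the plugin entry, as an added audit example that is not code from the thread or from FreeIPA. It reads a constructed LDIF dump, reports which way the agreement and the disable status are configured to flow, and builds a complete modify LDIF; the attribute locations and the accepted values (none, to_ad, to_ds, both; fromWindows, toWindows) are assumptions stated in the comments.

```python
# Added example, not code from the thread or from FreeIPA. Assumes the
# plugin entry carries ipaWinSyncAcctDisable (none|to_ad|to_ds|both) and the
# sync agreement entry may carry oneWaySync (fromWindows|toWindows, absent =
# two-way). SAMPLE_LDIF is constructed data, not a real server dump.
PLUGIN_DN = "cn=ipa-winsync,cn=plugins,cn=config"
# value -> (disable status flows to AD, disable status flows to IPA)
ACCT_DISABLE_FLOW = {"none": (False, False), "to_ad": (True, False),
                     "to_ds": (False, True), "both": (True, True)}
SAMPLE_LDIF = """\
dn: cn=ipa-winsync,cn=plugins,cn=config
ipaWinSyncAcctDisable: both

dn: cn=adsync,cn=replica,cn=example,cn=mapping tree,cn=config
oneWaySync: fromWindows
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {lowercased attr: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not raw.strip():
            current = None                      # blank line ends the entry
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def audit_winsync(ldif_text):
    entries = parse_ldif(ldif_text)
    acct = entries.get(PLUGIN_DN, {}).get("ipawinsyncacctdisable", ["none"])[0].lower()
    to_ad, to_ds = ACCT_DISABLE_FLOW[acct]      # KeyError on an undocumented value
    direction = "two-way"
    for dn, entry in entries.items():           # oneWaySync lives on the agreement entry
        if dn.endswith("cn=mapping tree,cn=config") and "onewaysync" in entry:
            direction = entry["onewaysync"][0]
    findings = []
    if direction.lower() == "fromwindows" and to_ad:
        findings.append("disable status set to flow to AD (%s) on a one-way-from-AD "
                        "agreement; AD is authoritative, review with the AD owners" % acct)
    return {"acct_disable": acct, "direction": direction,
            "disable_to_ad": to_ad, "disable_to_ds": to_ds, "findings": findings}

def acct_disable_ldif(value):
    """Complete modify LDIF: the 'replace:' line is required before the value."""
    if value not in ACCT_DISABLE_FLOW:
        raise ValueError("value must be one of %s" % sorted(ACCT_DISABLE_FLOW))
    return ("dn: %s\nchangetype: modify\nreplace: ipaWinSyncAcctDisable\n"
            "ipaWinSyncAcctDisable: %s\n" % (PLUGIN_DN, value))
```

Feed it the output of an ldapsearch over cn=config as Directory Manager; a non-empty findings list is the case Dmitri describes, where the configuration asks for a flow the product does not promise.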