On Wed, May 15, 2013 at 9:02 AM, James A <ja...@atia.se> wrote:
>
> On Tue, May 14, 2013 at 5:07 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>
>> On 05/14/2013 07:57 AM, Rob Crittenden wrote:
>>
>>> James A wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have been playing with trying to set up synchronization between
>>>> Windows AD --> IPA following the instructions at
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>>
>>>> A few questions arise:
>>>>
>>>> 1.) The documentation (specifically on
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html,
>>>> under table 9.2) talks about options to the "ipa-replica-manage
>>>> connect" command, among others --bindpw and --passsync. With --binddn
>>>> we specify the "full user DN of the synchronization identity" (and its
>>>> password with --bindpw) ... but I fail to understand which user's password
>>>> should be used for "--passsync"?? Is it the same user?
>>>
>>> No, a special IPA system account user is needed so the PassSync service
>>> running in AD can bind to the IPA LDAP server to make password changes.
>>> This entry needs to be created in IPA regardless of whether you are using
>>> the PassSync service or not.
>>>
>>> So binddn/bindpw is for the AD user we use to bind from IPA to AD, and
>>> passsync is the password set on the IPA passsync account.
>>>
>>>> 2.) The documentation says that the "synchronization identity" (see also
>>>> above) must exist in the AD domain and "must have replicator, read,
>>>> search and write permissions on the AD subtree". What I am trying to do
>>>> is create a one-way sync from AD --> IPA, and I would really like to
>>>> avoid using a user (for syncing) that has write permissions (in the
>>>> AD). All my tries at setting up synchronization fail unless I add the
>>>> sync user to the group "Administrators". I have tried (and failed)
>>>> using "Account Operators" etc. Any pointers here would be great. Sorry
>>>> for my ignorance when it comes to Windows. I am sure I am missing
>>>> something obvious.
>>>>
>>>> 3.) I follow the instructions under "9.4.5"
>>>> (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync)
>>>> to set up uni-directional sync (only AD --> IPA), and yet, when I go to
>>>> remove an account in IPA it gets removed also in the AD. (This I really
>>>> want to avoid, thus the need for a read-only user to do the
>>>> synchronization - see question 2.)
>>>
>>> I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs
>>> will chime in with some suggestions.
>>
>> Write access is not required if you are only doing one-way sync.
>> Here is the information about adding the specific rights to the Windows
>> sync user:
>> http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights
>
> BINGO :) Thank you! Now I am very close!
>
> The instructions read "In the 'Permissions for Windows Sync' list, make
> sure Read is checked under the Allow column". This I don't have (I can't
> find this setting where the instructions say it should be).... I do have
> "Replicate Directory Changes", "Replicating Directory Changes All",
> "Replication Synchronization" and "Monitor Active Directory Replication".
> When I set "Replication Synchronization" and "Replicate Directory Changes"
> permissions on the user, I can sync new accounts using this user account.
>
> But...
>
> When I delete a user on the IPA server, then sync again, the user doesn't
> show up in IPA.
> The good news is that the user doesn't get deleted in the AD, but I can't
> sync it back to the IPA.
>
> If I create a new user in the AD it gets synced OK (to IPA).
>
> I realize some of these are more Windows/AD-centric issues, but given that
> I use IPA for syncing from the AD I hope maybe someone can shed some (more)
> light on this on this mailing list....
>
> thanks,
>
> //James.

For what it's worth, I just noticed that if I remove an account on the
IPA server, go over to the AD, change an attribute (such as set it to
"disabled"), and sync again, it synchronizes over no problem. If I remove
an account (on IPA) without touching it on the AD, it won't synchronize
however.

//J

>>>> All in all I think the FreeIPA project is amazing and it really gives us
>>>> in the Linux community something we haven't had before. If I can iron
>>>> out the problems above I am sure it will become a great tool for me and
>>>> my client.
>>>
>>> Glad you like it!
>>>
>>> cheers
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
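The behaviour reported at the end of this thread (an account deleted on the IPA side does not come back on the next sync until its AD entry is modified, while brand-new AD accounts sync fine) is what a change-driven, high-water-mark sync produces: the consumer asks AD only for entries changed since the last position it recorded, so an AD entry that has not changed is never re-sent, and the one-way agreement with a read-only AD account never pushes the IPA deletion back. The following Python model is an added illustration, not 389-ds winsync or FreeIPA source code; it assumes a simplified AD in which every entry carries a uSNChanged counter, a consumer that stores only the highest counter it has consumed as its cookie, and a re-initialization routine that resets that cookie (all names in it are the model's own).

```python
"""Toy model of one-way, change-driven AD -> IPA synchronization.

Illustrative code only (not 389-ds/FreeIPA). Assumed simplifications:
every AD entry has a uSNChanged counter that bumps on add/modify, and
the consumer keeps a single "cookie" = highest uSNChanged applied.
"""
from dataclasses import dataclass, field


@dataclass
class ActiveDirectory:
    """Constructed stand-in for the AD side of the agreement."""
    usn: int = 0
    entries: dict = field(default_factory=dict)  # sAMAccountName -> attrs

    def _touch(self, name):
        # Every write advances the directory-wide counter and stamps the entry.
        self.usn += 1
        self.entries[name]["uSNChanged"] = self.usn

    def add_user(self, name, **attrs):
        self.entries[name] = dict(attrs)
        self._touch(name)

    def modify_user(self, name, **attrs):
        self.entries[name].update(attrs)
        self._touch(name)

    def changes_since(self, cookie):
        """What a 'give me changes after this cookie' search returns:
        only entries whose uSNChanged is above the cookie. Unchanged
        entries are not part of the answer, however the consumer's
        copy looks."""
        return [dict(name=n, **a) for n, a in self.entries.items()
                if a["uSNChanged"] > cookie]


@dataclass
class IpaSyncConsumer:
    """Constructed stand-in for the IPA side (read-only towards AD)."""
    cookie: int = 0
    users: dict = field(default_factory=dict)

    def sync(self, ad):
        """Pull changes above the cookie and apply them; return the names
        created or updated in this run."""
        applied = []
        for change in ad.changes_since(self.cookie):
            name = change.pop("name")
            self.users[name] = change          # create or update locally
            self.cookie = max(self.cookie, change["uSNChanged"])
            applied.append(name)
        return applied

    def delete_user(self, name):
        # A local deletion; with a one-way agreement nothing is sent to AD,
        # and the cookie is untouched, so AD will not resend the entry.
        del self.users[name]

    def reinitialize(self, ad):
        """Full refresh: forget the cookie and the local copy, then pull
        everything again (models re-initializing the agreement from AD)."""
        self.cookie = 0
        self.users.clear()
        return self.sync(ad)


def scenario():
    """Replay the thread's observations; returns what each sync applied."""
    ad, ipa = ActiveDirectory(), IpaSyncConsumer()
    ad.add_user("jdoe", disabled=False)
    ipa.sync(ad)                                # initial sync brings jdoe over
    ipa.delete_user("jdoe")
    after_delete = ipa.sync(ad)                 # [] : jdoe unchanged in AD
    ad.modify_user("jdoe", disabled=True)       # touch the AD entry
    after_modify = ipa.sync(ad)                 # ["jdoe"] : now resent
    ad.add_user("newuser", disabled=False)
    after_new = ipa.sync(ad)                    # ["newuser"] : new entries sync
    return after_delete, after_modify, after_new


if __name__ == "__main__":
    print(scenario())
```

The `reinitialize` method shows the other way out of this state: instead of touching each affected AD entry, the agreement is refreshed from AD so the consumer rebuilds its copy from scratch; in FreeIPA that is what `ipa-replica-manage re-initialize --from <adserver>` does for a winsync agreement.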