> The AD is treated as the ultimate source, so adds should go only from AD
> to IPA, but you need the modify to work both ways, otherwise your account
> state will get out of sync.
> Whatever is required by docs is the minimal privilege you need to have
> to sync users.
>
> However did you consider trust?
> It is a two-way trust, but it acts as a one-way trust.
I know, but my customer doesn't want a two-way trust, whatever it means:
- he fears some security concerns with a two-way trust.
- if he migrates his AD to a new version or a new topology, he fears encountering
some migration path issue.
So it has been decided to go the winsync way.
btw, I managed to make my one-way replication work, with fewer privileges,
following
http://directory.fedoraproject.org/docs/389ds/howto/howto-windowssync.html#creating-ad-user-with-replication-rights
Thank you
Nicolas
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project