They are under cn=Users,dc=ipa,dc=local but this path seems to be the one
used by ipa synchronization:

ldapsearch -xLLL -D "cn=directory manager" -w #### -p 389 -h -b cn=config objectclass=nsdswindowsreplicationagreement dn nsds7WindowsReplicaSubtree
dn:
 Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=Users,dc=ipa,dc=local

The target Active Directory is not managed by another team and a trust
relationship cannot be established, due to their policy.

-----Original Message-----
From: Rob Crittenden []
Sent: Wednesday, June 21, 2017 17:19
To: FreeIPA users list
Subject: Re: [Freeipa-users] Users not imported with Active Directory

laurent2.perrin--- via FreeIPA-users wrote:
> Hi,
> I'm trying to set up a FreeIPA and Active Directory synchronisation
> following Red Hat 
> documentation(
> The ipa-replica-manage command returns a success but no users are
> imported in FreeIPA:
> ipa-replica-manage connect --winsync
> --binddn='cn=ipasync,cn=Users,dc=ipa,dc=local'  --bindpw='####'
> --passsync #### --cacert ipa-a-v
> Directory Manager password:
> Added CA certificate to certificate 
> database for
> ipa: INFO: AD Suffix is: DC=ipa,DC=local
> The user for the Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=ipa,dc=cloud,dc=620nm,dc=net
> Windows PassSync system account exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: Error (0) 
> Replica acquired successfully: Incremental update started: start: 0: 
> end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update in progress, 2 seconds elapsed
> Update succeeded
> The ipasync user has been created with the rights as described in the 
> documentation.
> In the freeipa logs, I didn’t find any error message that could
> explain that users are not imported.

Are your AD users under DC=ipa,DC=local?

Have you considered using AD trust instead of sync?


