Kambiz Aghaiepour wrote:
I've established a Windows sync agreement on my IPA master server using:

ipa-replica-manage add --winsync --win-subtree='cn=users,dc=mcnc,dc=org'
--binddn cn=someusergoeshere,cn=users,dc=mcnc,dc=org --bindpw
nottherealpassword --cacert /root/my.cert --passsync=someotherpass
myadserver.mcnc.org -v

Everything seems fine so far, but I have a few questions about the setup.
This should answer most of the questions below

The main differences are that in IPA
* IPA will only sync user data - not groups
* IPA will not send new users to AD - the users must also be added to AD, at which point changes to that user will be sync'd between IPA and AD
** The sync key is the uid, which must be the same as the samAccountName on the AD side
* IPA will sync new users added to AD - IPA will change the DN and schema
** IPA will flatten the DN, removing any ou RDNs, and (optionally) store these in the ou attribute in the user entry
* IPA will be able to force all users to be in sync with the AD counterpart (IPA uid == AD samAccountName)
** forceSync option

1) It appears that users on the AD side that did not already exist in IPA
get created upon the initial full sync.  Is there any way to turn off
this behavior?

2) Also, new users that are created in AD are created in IPA. Can this
behavior be turned off? (I think this is the same setting as #1.)

3) Will new users that are created in IPA be created in AD?
No - see above
4) Will a user previously created in AD be automatically deleted from
IPA when the user is deleted from AD?
5) Will the user be deleted from AD if the user's entry is deleted in IPA?

6) What does ntUserDeleteAccount: true do?

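The mapping rules given in the reply above (users only, AD-to-IPA creation, uid == samAccountName as the sync key, ou RDNs flattened out of the DN) can be turned into a dry-run preview before a winsync agreement is enabled. The following is an added example, not code from the thread or from FreeIPA; the AD entries, the existing IPA uids and the IPA suffix are constructed, and DNs are assumed to contain no escaped commas.

```python
from typing import Dict, List, Tuple

IPA_USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # assumed IPA suffix

# Constructed sample AD entries (names are made up). A group entry is included
# to show that it is skipped: winsync handles user data only.
AD_ENTRIES = [
    {"dn": "cn=Alice Adams,ou=eng,ou=staff,cn=users,dc=example,dc=com",
     "objectClass": ["user"], "sAMAccountName": "alice"},
    {"dn": "cn=Bob Brown,cn=users,dc=example,dc=com",
     "objectClass": ["user"], "sAMAccountName": "bob"},
    {"dn": "cn=engineers,cn=users,dc=example,dc=com",
     "objectClass": ["group"], "sAMAccountName": "engineers"},
]
IPA_UIDS = {"bob", "carol"}  # constructed: uids that already exist in IPA


def rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs; assumes no escaped commas."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def flatten_dn(ad_dn: str, uid: str, store_ou: bool = True) -> Tuple[str, List[str]]:
    """Map an AD DN to the flat IPA user DN. The ou RDNs are dropped from the
    DN and, when store_ou is set, returned so they can go into the ou attribute."""
    ous = [value for attr, value in rdns(ad_dn) if attr.lower() == "ou"]
    return f"uid={uid},{IPA_USERS_BASE}", (ous if store_ou else [])


def plan_sync(ad_entries, ipa_uids, store_ou: bool = True) -> Dict[str, list]:
    """Dry run of the AD -> IPA direction: AD users absent from IPA would be
    created, uids present on both sides are linked, IPA-only users stay
    IPA-only (never pushed to AD), and non-user entries are skipped."""
    plan: Dict[str, list] = {"create": [], "link": [], "skip": [], "ipa_only": []}
    seen = set()
    for entry in ad_entries:
        if "user" not in entry["objectClass"]:
            plan["skip"].append(entry["dn"])
            continue
        uid = entry["sAMAccountName"]  # sync key: must equal the IPA uid
        seen.add(uid)
        ipa_dn, ous = flatten_dn(entry["dn"], uid, store_ou)
        action = "link" if uid in ipa_uids else "create"
        plan[action].append({"uid": uid, "dn": ipa_dn, "ou": ous})
    plan["ipa_only"] = sorted(ipa_uids - seen)
    return plan
```

Running `plan_sync(AD_ENTRIES, IPA_UIDS)` before the initial full sync shows exactly which AD accounts would appear as new IPA users, which answers question 1 for a given subtree without touching either directory.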
Freeipa-users mailing list