Kambiz Aghaiepour wrote:
I've established a windows sync agreement on my IPA master server using:

ipa-replica-manage add --winsync --win-subtree='cn=users,dc=mcnc,dc=org' --binddn cn=someusergoeshere,cn=users,dc=mcnc,dc=org --bindpw nottherealpassword --cacert /root/my.cert --passsync=someotherpass myadserver.mcnc.org -v

Everything seems fine so far, but I have a few questions about the setup.

This should answer most of the questions below:
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html

The main differences are that in IPA:

* IPA will only sync user data - not groups
* IPA will not send new users to AD - the users must also be added to AD, at which point changes to that user will be sync'd between IPA and AD
** The sync key is the uid, which must be the same as the samAccountName on the AD side
* IPA will sync new users added to AD - IPA will change the DN and schema
** IPA will flatten the DN, removing any ou RDNs, and (optionally) store these in the ou attribute in the user entry
* IPA will be able to force all users to be in sync with the AD counterpart (IPA uid == AD samAccountName)
** forceSync option

1) It appears that users on the AD side that did not exist already on IPA get created upon the initial full sync. Is there any way to turn off this behavior?
2) Also, new users that are created in AD are created in IPA. Can this behavior be turned off (I think this is the same setting as #1)?
3) Will new users that are created in IPA be created in AD?

No - see above

4) Will a user previously created in AD be automatically deleted from IPA when the user is deleted from AD?
5) Will the user be deleted from AD if the user's entry is deleted in IPA?
6) What does ntUserDeleteAccount: true do?

Thanks
Kambiz

_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users
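
A dry-run model of the sync rules listed in the reply above, added here as an example and not code from FreeIPA or from either poster: given exported AD and IPA account names, it reports which accounts link on uid == samAccountName, which AD-only accounts would be created in IPA (with the flattened DN and the ou values that were dropped), and which IPA-only accounts are never sent to AD. The IPA container `cn=users,cn=accounts,dc=example,dc=com`, the case-insensitive match, and the sample accounts are assumptions constructed for illustration.

```python
import re

# Assumption: IPA user container; substitute your own suffix.
IPA_USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"


def split_rdns(dn):
    """Split a DN on unescaped commas into (attribute, value) pairs."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(p.strip().split("=", 1)) for p in parts]


def flatten(ad_dn, sam):
    """Return (flat IPA DN, list of ou values removed from the AD DN)."""
    ous = [v for a, v in split_rdns(ad_dn) if a.lower() == "ou"]
    return f"uid={sam},{IPA_USER_BASE}", ous


def plan(ad_users, ipa_uids):
    """ad_users: {samAccountName: AD DN}; ipa_uids: set of IPA uid values."""
    ipa = {u.lower() for u in ipa_uids}  # assumption: case-insensitive match
    ad = {s.lower(): dn for s, dn in ad_users.items()}
    report = {"linked": [], "created_in_ipa": {}, "ipa_only": []}
    for sam, dn in sorted(ad.items()):
        if sam in ipa:
            # Sync key matches: changes flow between the two entries.
            report["linked"].append(sam)
        else:
            # AD-only account: winsync creates it in IPA with a flat DN.
            report["created_in_ipa"][sam] = flatten(dn, sam)
    # IPA-only accounts are not pushed to AD.
    report["ipa_only"] = sorted(ipa - set(ad))
    return report


# Constructed sample data, not taken from the thread.
AD_USERS = {
    "jsmith": "CN=John Smith,CN=Users,DC=example,DC=com",
    "alee": "CN=Lee\\, Amy,OU=Eng,OU=Staff,DC=example,DC=com",
}
IPA_UIDS = {"jsmith", "admin"}

if __name__ == "__main__":
    for bucket, value in plan(AD_USERS, IPA_UIDS).items():
        print(bucket, value)
```

Reviewing the `created_in_ipa` bucket before the initial full sync shows which AD accounts would appear in IPA.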