I'm trying to set up the AD-FreeIPA sync agreement and I'm always getting this error:

# ipa-replica-manage connect --winsync --binddn cn="IPA Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v

Added CA certificate /root/dc1.cer to certificate database for ipa1.example.com
ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
*Insufficient access*

Where does this insufficient access come from?
Can you please provide some guidance with this issue?

IPA Sync user on the AD side has Domain Admins, Enterprise Admins, Schema Admins group memberships.

I'm able to query the AD using ldapsearch and binding with the credentials and have an also an admin kerberos ticket.

On the other hand the documentation in the freeipa enterprise guide is rather succint than adequate as it doesn't provide at least one working example.

I've read all the corresponding documentation and it's still unclear what password do I have to specify with the --passsync to ipa-replica-manage?

"the password for the Windows PassSync user, and a required argument to |ipa-replica-manage| when creating winsync agreements." I can't see any documentation mentioning that a passync user has to (or being) created in the AD. The bindpw already gives read/write permission to the AD tree, so I'm wondering why is this --passync required?

It's rather annoying to set up the passync on the Windows side.
The only documentation for this (what FreeIPA refers to) I can see is:

However, "cn=sync,cn=config" on the screenshot for the user name is misleading as full dn was working only for us. I assume instead of ou=People,dc=example,dc=com cn=user,cn=accounts,dc=example,dc=com has to be substituted (or it has to be cn=compat?)

Thanks for any help in advance,

Freeipa-users mailing list

Reply via email to