Rich Megginson wrote:
On 02/10/2012 11:41 AM, Dmitri Pal wrote:
On 02/10/2012 10:28 AM, Rich Megginson wrote:
On 02/10/2012 04:01 AM, David Juran wrote:
Hello
I wonder if it's somehow possible to sync AD-users more selectively
then
just by sub-tree. In my case, I'm dealing with a very large
organisation
where the users that are to be synced to IPA aren't grouped by a
subtree
in AD but rather spread out. Can this be handled somehow?
I don't think so, but can you provide some examples?
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Rich, can one create two different winsync agreements that use different
sub trees on the AD side?
Yes, if they also use two different sub trees on the IPA side.
Otherwise, you have two different winsync agreements covering the same
ipa subtree - I have no idea what would happen.
If there anything that would prevent it to
work? May be it should be done from 2 IPA replicas?
You might still have problems with that scenario, just delayed. That is,
the ipa subtree is the same on both replicas, so you still have the same
problem, just delayed by the speed of replication.
The only way to know for sure would be to get some concrete examples,
then try it out.
I'll just add that we don't currently support multiple winsync
agreements against the same AD server. I opened a ticket on this yesterday.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
