On 02/12/2012 04:01 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
On 02/12/2012 03:49 PM, Marco Pizzoli wrote:
Hi guys,
a couple of questions about AD synchronization.

I read in the guide these points:
- A synchronization operation runs every five minutes. --> I read that
it can be triggered on demand, but is it possible to change the value
of this frequency?

I think it is configurable. You might want to check port389 wiki for
more details.

I seem to recall it is hardcoded and an RFE was opened on it but I can't find it.

winsync uses a pull model so the only immediate mode may be from IPA to AD.
The attribute is called "winSyncInterval" - by default the value is 300 seconds. See

- Synchronization can only be configured with one Active Directory
domain. Multiple domains are not supported. --> Will they be in a
future version?

No plans as we are working on trusts and trusts would make
synchronization not needed.

Currently only one winsync agreement is allowed on one IPA server to an AD server at a time (there is a ticket to allow multiples https://fedorahosted.org/freeipa/ticket/2358)

It would probably work to have two AD agreements on two separate IPA instances though. We don't care what realm the remote AD servers are.

- While modifications are bi-directional (going both from Active
Directory to FreeIPA and from FreeIPA to Active Directory), new
accounts are only uni-directional. New accounts created in Active
Directory are synchronized over to FreeIPA. However, user accounts
created in FreeIPA must also be added in Active Directory before they
will be synchronized.
---> What is the origin of this restriction? I mean, why can't a user be
created in AD by FreeIPA?

Time and materials mostly - the support cost is the origin of this
restriction. It potentially could be done and DS does this, but the
use case for IPA is different and dominated by AD, so it does not make
sense to build a solution when in 95 percent of cases the sync would go from AD
to IPA, as people already have users there.

And another question, not related to the synchronization:
- In the FreeIPA 389-ds I see the "DUA Config Profile" objectClass
being used. To learn what it is I already read RFC#4876. Now I would
like to have a look at a document/draft/etc. about its use within
FreeIPA. Is it available anywhere? If no, could someone give some

A DUA profile is created and is currently used by Solaris clients that can join using the ldapinit tool. I believe that HP-UX can also use this profile. This entry looks like:

dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: rawhide.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
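As an added example (not code from this thread or from FreeIPA itself), a small Python parser for a DUAConfigProfile entry like the one above: it resolves the per-service search base and objectclass mapping a client derives from the serviceSearchDescriptor and objectclassMap values, and reports whether the profile tells clients to read the directory without binding. The LDIF from the message is embedded as sample input.

```python
"""Parse a DUAConfigProfile entry (RFC 4876) and resolve per-service
client settings. Sample input is the entry quoted in the thread."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: rawhide.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
"""

def parse_ldif_entry(text):
    """Return {attr: [values]} for one plain-text LDIF entry. Attribute
    names are case-insensitive in LDAP, so keys are lower-cased.
    Base64 ('::') and folded continuation lines are not handled."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)

def search_base(profile, service):
    """Base DN a client uses for `service` (passwd, group, ...): the
    serviceSearchDescriptor 'service:base[?scope[?filter]]' for that
    service if present, otherwise defaultSearchBase."""
    for ssd in profile.get("servicesearchdescriptor", []):
        svc, _, rest = ssd.partition(":")
        if svc == service:
            return rest.split("?")[0]
    return profile["defaultsearchbase"][0]

def objectclass_map(profile, service):
    """objectclassMap values 'service:orig=new' for `service` as {orig: new}."""
    out = {}
    for entry in profile.get("objectclassmap", []):
        svc, _, mapping = entry.partition(":")
        if svc == service:
            orig, _, new = mapping.partition("=")
            out[orig] = new
    return out

def binds_anonymously(profile):
    """True when authenticationMethod is 'none': clients perform their
    lookups without credentials, so anonymous-read ACIs govern them."""
    return profile.get("authenticationmethod", [""])[0].lower() == "none"
```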


Freeipa-users mailing list
