Reading section 7.2... this looks like a bi-directional agreement... I want to 
do a uni-directional agreement, so I want a one-way password sync out of AD 
into IPA, and when a new user is created that user gets created in IPA and gets an 

So can I set lower permissions? I would assume so....

"7.2. Setting up Active Directory for Synchronization

Synchronizing user accounts alone is enabled within IPA, so all that is necessary is to set up a sync agreement (Section 7.3.2, “Creating Synchronization Agreements”). On the Windows server, it is necessary to create the user that the IPA server will use to connect to the Active Directory domain. The process for creating a user in Active Directory is covered in the Windows server documentation at http://technet.microsoft.com/en-us/library/cc732336.aspx. The new user account must have the proper

• Grant the sync user account Replicating directory changes rights to the synchronized Active Directory subtree. Replicator rights are required for the sync user to perform
Replicator rights are described in http://support.microsoft.com/kb/303972.

• Add the sync user as a member of the Account Operator and Enterprise Read-Only Domain controller groups. It is not necessary for the user to belong to the full Domain Admin group."
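The steps quoted from section 7.2, as an added PowerShell example that is not from the post or the IPA documentation: it creates the sync account, adds the two named group memberships, grants Replicating Directory Changes with dsacls as KB 303972 describes, and then audits that the account holds exactly that right and no admin-group membership. The domain name, OU and account name are placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the post or the IPA docs. Assumes the RSAT
# ActiveDirectory module on a domain-joined admin host; names are placeholders.
Import-Module ActiveDirectory

$DomainDN = 'DC=example,DC=com'              # placeholder domain
$SyncUser = 'ipasync'                        # placeholder sync account name
$SyncOU   = "OU=Service Accounts,$DomainDN"  # placeholder OU
$NetBios  = (Get-ADDomain).NetBIOSName

# 1. Create the account the IPA server will bind with (no Domain Admins membership).
$Password = Read-Host -AsSecureString -Prompt "Password for $SyncUser"
New-ADUser -Name $SyncUser -SamAccountName $SyncUser -Path $SyncOU `
    -AccountPassword $Password -Enabled $true `
    -Description 'FreeIPA winsync service account'

# 2. Group memberships named in section 7.2.
Add-ADGroupMember -Identity 'Account Operators' -Members $SyncUser
Add-ADGroupMember -Identity 'Enterprise Read-only Domain Controllers' -Members $SyncUser

# 3. Grant "Replicating Directory Changes" (the DS-Replication-Get-Changes
#    control access right) on the synchronized naming context, as KB 303972 does.
dsacls $DomainDN /G "${NetBios}\${SyncUser}:CA;Replicating Directory Changes"

# 4. Audit: confirm the right is present, that the broader Get-Changes-All right
#    (not part of section 7.2) was not granted, and that no admin group was used.
function Test-SyncUserRights {
    param([string]$Dn, [string]$Sam)
    $getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
    $getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
    $acl  = Get-Acl -Path "AD:\$Dn"
    $mine = $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$Sam" -and $_.AccessControlType -eq 'Allow'
    }
    $hasGetChanges = [bool]($mine | Where-Object { $_.ObjectType -eq $getChanges })
    $hasGetAll     = [bool]($mine | Where-Object { $_.ObjectType -eq $getChangesAll })
    # Direct memberships only; nested membership would need a recursive lookup.
    $groups  = (Get-ADPrincipalGroupMembership $Sam).Name
    $isAdmin = ($groups -contains 'Domain Admins') -or ($groups -contains 'Administrators')
    [pscustomobject]@{
        HasReplicatingDirectoryChanges = $hasGetChanges
        HasGetChangesAll               = $hasGetAll
        IsDomainAdmin                  = $isAdmin
        MatchesSection72 = $hasGetChanges -and -not $hasGetAll -and -not $isAdmin
    }
}

Test-SyncUserRights -Dn $DomainDN -Sam $SyncUser
```

Run the audit function again after any later permission change to confirm the sync account has not quietly accumulated rights beyond what section 7.2 requires.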


