Hi,

I'm confused, as section 8.4.5, page 182, first paragraph of the Red Hat admin guide for IPA says this (it's bi-directional)... so that section needs updating?




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 18 September 2012 9:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreements, mostly one way.

On 09/17/2012 04:55 PM, Steven Jones wrote:
In section 8.4.5 it talks about making an agreement one way... which is mostly what I want, so everything incl. password changes from AD to IPA, except I want account disabled/enabled to flow both ways.

So if I do a

ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows

Does this affect bi-directional disabling? I assume it does...

So then I have to do a,

ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: ipaWinSyncAcctDisable
ipaWinSyncAcctDisable: both

Is that syntax right?


The winsync plugin used in IPA comes originally from DS. In the context of IPA it can only be one way, so changing this configuration is not something we expect or that would work in IPA. In the DS context you can have two-way sync of users and groups.

AFAIK (Rich, please correct me) we do not replicate the enabled/disabled status from IPA to AD.
Conceptually we think of AD as the authoritative source for the information. Allowing a user to be disabled by an IPA admin and then replicating this status back violates this model and would sound really dangerous for the AD side. Are you sure that, even if that were allowed, your AD admins would actually permit you to do that?

Anyway, so far it is one of the limitations of the current product. You can definitely explain the use case in a bit more detail and file an RFE. If the use case is compelling we will consider it for a later release.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



