So if I remove the IPA Password Sync user from the Account Operators then
delete a user from IPA it won't replicate to Active Directory.
When I create a user on the Active Directory side it will replicate it to IPA.
So I started testing out the password sync to see if that will work but I am
not having any luck with it (even when our password sync user on the Windows
side is added to Account Operators).
I think I know the issue but I am having trouble finding out the back end of
the IPA Directory structure.
In the /var/log/dirsrv/slapd****/errors file the last few lines say the following.
Ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry
"uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca" : 32
From looking at that I assume the passsync user I created on the IPA side does
not live under the sysaccounts CN.
So I guess what I'm looking for is the backend structure of how the users are
Does his entry in the backend of IPA actually look like this;
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); firstname.lastname@example.org
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues
On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> I'm trying to configure the oneWaySync option for IPA so only the
>> Windows AD can replicate changes to IPA.
>> When I use the command that I listed below it says it works but when I
>> delete a user from IPA it will then delete the user in Active Directory.
>> Is my command listed below correct? Anyone able to help?
>> Server = rhserver
>> Domain = redhat.ca
>> Password = 12345678
>> Contents of /tmp/unisync;
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>> So I enter the following command;
>> ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f
> There should be no space in oneWaySync, it should be fromWindows.
I thought the oneWaySync attribute was in the replication/sync agreement
entry, not in the ipa-winsync plugin config entry?
> Freeipa-users mailing list
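The two corrections raised in the replies (the attribute value and the entry it is written to) can be checked before running ldapmodify. The linter below is an added example, not code from the thread or from the FreeIPA project. It assumes, following Rich's reading and the 389 Directory Server documentation, that oneWaySync is set on the Windows sync agreement under cn=mapping tree,cn=config; `lint_onewaysync` and the placeholder agreement DN are hypothetical.

```python
import re

# Values the 389 Directory Server documentation lists for oneWaySync.
VALID_VALUES = {"fromWindows", "toWindows"}

# Constructed sample: the LDIF quoted in the thread.
THREAD_LDIF = """\
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows
"""

# Constructed sample: ADHOST and SUFFIX are placeholders, not values from the thread.
AGREEMENT_LDIF = """\
dn: cn=meToADHOST,cn=replica,cn=SUFFIX,cn=mapping tree,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: fromWindows
"""


def lint_onewaysync(ldif):
    """Return a list of problems found in a single oneWaySync modify record."""
    problems = []
    attrs = {}
    for line in ldif.splitlines():
        # Simple "key: value" lines only; folded and base64 lines are out of scope.
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    dn = (attrs.get("dn") or [""])[0].lower()
    # Assumption: the sync agreement entry lives under cn=mapping tree,cn=config.
    if not dn.endswith("cn=mapping tree,cn=config"):
        problems.append("dn is not a sync agreement under cn=mapping tree,cn=config")
    values = attrs.get("onewaysync", [])
    if not values:
        problems.append("no oneWaySync value present")
    for value in values:
        if value not in VALID_VALUES:
            # Suggest the documented spelling when only spacing or case differs.
            squeezed = re.sub(r"\s+", "", value).lower()
            hint = next((v for v in VALID_VALUES if v.lower() == squeezed), None)
            suffix = f", did you mean {hint!r}?" if hint else ""
            problems.append(f"invalid oneWaySync value {value!r}{suffix}")
    return problems
```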