So if I remove the IPA Password Sync user from the Account Operators then 
delete a user from IPA it won't replicate to Active Directory.
When I create a user on the Active Directory side it will replicate it to IPA.

So I started testing out the password sync to see if that will work but I am 
not having any luck with it (even when our password sync user on the Windows 
side is added to Account Operators).

I think I know the issue but I am having trouble finding out the back end of 
the IPA Directory structure.

In the /var/log/dirsrv/slapd****/errors file the last few lines say the following.

Ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry 
"uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca" : 32

From looking at that I assume the passsync user I created on the IPA side does 
not live under the sysaccounts CN.
So I guess what I'm looking for is the backend structure of how the users are 
Does his entry in the backend of IPA actually look like this;




-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>> I'm trying to configure the oneWaySync option for IPA so only the
>> Windows AD can replicate changes to IPA.
>> When I use the command that I listed below it says it works but when I
>> delete a user from IPA it will then delete the user in Active Directory.
>> Is my command listed below correct? Anyone able to help?
>> Parameters:
>> Server = rhserver
>> Domain = redhat.ca
>> Password = 12345678
>> Contents of /tmp/unisync;
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>> So I enter the following command;
>> *ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f
>> /tmp/unisync*
> There should be no space in oneWaySync, it should be fromWindows.
I thought the oneWaySync attribute was in the replication/sync agreement 
entry, not in the ipa-winsync plugin config entry?
> rob
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
