Hello all,

I have been playing with trying to set up synchronization between Windows
AD --> IPA following the instructions at

A few questions arise;

1.) The documentation (specifically on
(under table 9.2) talks about options to the "ipa-replica-manage connect"
command. Among others, --bindpw and --passsync. With --binddn we specify
the "full user DN of the synchronization identity" (and its password with
--bindpw) ... but I fail to understand which user's password should be used
for "--passsync"? Is it the same user?

2.) The documentation says that the "synchronization identity" (see also
above) must exist in the AD domain and "must have replicator, read, search
and write permissions on the AD subtree." What I am trying to do is create
a one-way sync from AD --> IPA, and I would really like to avoid using a
user (for syncing) that has write permissions (in the AD). All my tries
at setting up synchronization fail unless I add the sync user to the
group "Administrators". I have tried (and failed) using "account admins"
etc. Any pointers here would be great. Sorry for my ignorance when it
comes to Windows. I am sure I am missing something obvious.

3.) I follow the instructions under "9.4.5" (
to set up uni-directional sync (only AD --> IPA), and yet, when I go to
remove an account in IPA it gets removed also in the AD. (This I really
want to avoid, thus the need for a read-only user to do the synchronization
- see question 2).

All in all I think the FreeIPA project is amazing and it really gives us in
the Linux community something we haven't had before. If I can iron out
the problems above I am sure it will become a great tool for me and my

Any input would be most appreciated.


Freeipa-users mailing list