> Hello all,
> I have been playing with trying to set up synchronization between windows AD
> --> IPA following the instructions at
> A few questions arise;
> 1.) The documentation (specifically on
> ), (under table 9.2) talks about options to the "ipa-replica-manage connect"
> command. Among others, --bindpw and --passsync. With --binddn we specify the
> "full user DN of the synchronization identity" (and it's password with
> --bindpw ... but I fail to understand which users password should be used
> for "--passsync"?? Is it the same user?
The "--passsync" password is the password that you *will* use for the
"passsync" user should you install the password synchronization package on your
AD controllers. You are essentially setting this password preemptively.
> 2.) The documentation says that the "synchronization identity" (see also
> above) must exist in the AD domain and "must have replicator, read, search
> and write permissions on the AD subtree. What I am trying to do is create a
> one way sync from AD --> IPA and I would really like to avoid using a user
> (for synching) that has write permissions (in the AD). All my tries in
> setting up synchronization fails unless I add the synch-user to the group
> "Administrators". I have tried (and failed) using "account admins" etc. Any
> pointers here would be great. Sorry for my ignorance when it comes to
> Windows. I am sure I am missing something obvious.
Someone else can probably comment on this, but the IPA server will need to bind
to the AD controller and pull the necessary information from the
directory...which makes these rights a necessity.
> 3.) I follow the instructions under "9.4.5" (
> ) to setup Uni-directional sync. (only AD --> IPA), and yet, when I go to
> remove an account in IPA it gets removed also in the AD. (This I really want
> to avoid, thus the need for a read-only user to do the synchronization - see
> question 2).
I do not recall IPA ever removing users from AD. From what I remember, only
certain attributes were bi-directional and deletes were not performed on AD.
Has this changed?
> All in all I think the FreeIPA project is amazing and it really gives us in
> the Linux community something we haven't had before. If I can iron out the
> problems above I am sure it will become a great tool for me and my client.
> Any input would be most appreciated.
> Freeipa-users mailing list
Freeipa-users mailing list