On 05/14/2013 07:57 AM, Rob Crittenden wrote:
James A wrote:
Hello all,

I have been playing with trying to set up synchronization between
Windows AD --> IPA following the instructions at
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

A few questions arise;

1.) The documentation (specifically on
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html),
(under table 9.2) talks about options to the "ipa-replica-manage
connect" command. Among others, --bindpw and --passsync. With --binddn
we specify the "full user DN of the synchronization identity" (and its
password with --bindpw) ... but I fail to understand which user's password
should be used for "--passsync"?? Is it the same user?

No, a special IPA system account user is needed so the PassSync service running in AD can bind to the IPA LDAP server to make password changes. This entry needs to be created in IPA regardless of whether you are using the PassSync service or not.

So binddn/bindpw is for the AD user we use to bind from IPA to AD, and passsync is the password set on the IPA passsync account.

2.) The documentation says that the "synchronization identity" (see also
above) must exist in the AD domain and "must have replicator, read,
search and write permissions on the AD subtree." What I am trying to do
is create a one-way sync from AD --> IPA and I would really like to
avoid using a user (for syncing) that has write permissions (in the
AD). All my tries at setting up synchronization fail unless I add the
sync user to the group "Administrators". I have tried (and failed)
using "account admins" etc. Any pointers here would be great. Sorry
for my ignorance when it comes to Windows. I am sure I am missing
something obvious.

3.) I follow the instructions under "9.4.5"
(https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync)
to set up uni-directional sync (only AD --> IPA), and yet, when I go to
remove an account in IPA it gets removed also in the AD. (This I really
want to avoid, thus the need for a read-only user to do the
synchronization - see question 2).

I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs will chime in with some suggestions.

Write access is not required if you are only doing one-way sync.
Here is the information about adding the specific rights to the Windows sync user:
http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights



All in all I think the FreeIPA project is amazing and it really gives us
in the Linux community something we haven't had before.   If I can iron
out the problems above I am sure it will become a great tool for me and
my client.

Glad you like it!

cheers

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
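As an added example (not part of this thread, nor FreeIPA's own tooling), the shell snippet below separates the two credentials Rob describes: the AD account IPA binds with (--binddn/--bindpw) and the IPA-side PassSync system account whose password goes in --passsync. The base DN dc=example,dc=com, the AD host ad.example.com, the AD bind DN, the passwords and the CA certificate path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the two distinct credentials
# used by "ipa-replica-manage connect --winsync":
#   --binddn/--bindpw : an AD account that IPA uses to bind to AD
#   --passsync        : the password of the IPA-side system account that the
#                       PassSync service on AD uses to bind to IPA
# Suffix, AD host, DNs, passwords and cert path below are assumed placeholders.

# Emit the LDIF that creates the IPA-side PassSync system account.
# $1 = IPA base DN, $2 = password for that account.
passsync_ldif() {
  cat <<EOF
dn: uid=passsync,cn=sysaccounts,cn=etc,$1
changetype: add
objectClass: account
objectClass: simplesecurityobject
uid: passsync
userPassword: $2
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Emit the connect command. $1 = AD host, $2 = AD bind DN (a dedicated
# account that needs only replication rights for AD -> IPA sync),
# $3 = that AD account's password, $4 = password of the IPA passsync
# account (NOT the AD user's password), $5 = CA cert file of the AD server.
winsync_connect_cmd() {
  printf 'ipa-replica-manage connect --winsync --binddn "%s" --bindpw "%s" --passsync "%s" --cacert "%s" "%s" -v\n' \
    "$2" "$3" "$4" "$5" "$1"
}

# Apply only when RUN_WINSYNC=1; otherwise the script just defines the
# functions so the generated LDIF and command can be reviewed first.
if [ "${RUN_WINSYNC:-0}" = 1 ]; then
  passsync_ldif "dc=example,dc=com" "IpaPassSyncSecret" |
    ldapmodify -x -D "cn=Directory Manager" -W -H ldap://ipa.example.com
  eval "$(winsync_connect_cmd ad.example.com \
    'cn=ipasync,cn=Users,dc=ad,dc=example,dc=com' 'AdBindSecret' \
    'IpaPassSyncSecret' /etc/openldap/cacerts/ad-ca.cer)"
fi
```

The passsync entry is the one that must exist in IPA whether or not PassSync is deployed; the AD bind user only needs the replication rights from the port389 howto linked above.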
