On Tue, May 14, 2013 at 5:07 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 05/14/2013 07:57 AM, Rob Crittenden wrote:
>> James A wrote:
>>> Hello all,
>>> I have been playing with trying to set up synchronization between
>>> windows AD --> IPA  following the instructions at
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>> A few questions arise;
>>> 1.) The documentation (specifically on
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html),
>>> (under table 9.2) talks about options to the "ipa-replica-manage
>>> connect" command. Among others, --bindpw and --passsync.  With --binddn
>>> we specify the "full user DN of the synchronization identity" (and its
>>> password with --bindpw) ... but I fail to understand which user's password
>>> should be used for "--passsync"?  Is it the same user?
>> No, a special IPA system account user is needed so the PassSync service
>> running in AD can bind to the IPA LDAP server to make password changes.
>> This entry needs to be created in IPA regardless of whether you are using
>> the PassSync service or not.
>> So binddn/bindpw is for the AD user we use to bind from IPA to AD, and
>> passsync is the password set on the IPA passsync account.
>>> 2.) The documentation says that the "synchronization identity" (see also
>>> above) must exist in the AD domain and "must have replicator, read,
>>> search and write permissions on the AD subtree".  What I am trying to do
>>> is create a one way sync from AD --> IPA  and I would really like to
>>> avoid using a user (for syncing) that has write permissions (in the
>>> AD).  All my tries in setting up synchronization fail unless I add the
>>> sync user to the group "Administrators". I have tried (and failed)
>>> using "account admins" etc.   Any pointers here would be great. Sorry
>>> for my ignorance when it comes to Windows. I am sure I am missing
>>> something obvious.
>>> 3.) I follow the instructions under "9.4.5"
>>> (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync)
>>> to set up uni-directional sync (only AD --> IPA), and yet, when I go to
>>> remove an account in IPA it gets removed also in the AD.  (This I really
>>> want to avoid, thus the need for a read-only user to do the
>>> synchronization - see question 2).
>> I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs will
>> chime in with some suggestions.
> Write access is not required if you are only doing one way sync.
> Here is the information about adding the specific rights to the windows
> sync user
> http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights

BINGO :)  Thank you!  Now I am very close!

The instructions read "In the 'Permissions for Windows Sync' list, make
sure Read is checked under the Allow column".   This I don't have (I can't
find this setting where the instructions say it should be)... I do have
"replicate directory changes", "replicating directory changes all",
"replication synchronization" and "monitor active directory replication".
When I set "Replication Synchronization" and "Replicate Directory Changes"
permissions on the user, I can sync new accounts using this user account.


When I delete a user on the IPA server, then sync again the user doesn't
show up in IPA.
The good news is that the user doesn't get deleted in the AD, but I can't
sync it back to the IPA.

If I create a new user in the AD it gets synced ok. (to IPA).

I realize some of these are more Windows/AD-centric issues, but given that
I use IPA for syncing from the AD I hope maybe someone can shed some (more)
light on this on this mailing list...

>>> All in all I think the FreeIPA project is amazing and it really gives us
>>> in the Linux community something we haven't had before.   If I can iron
>>> out the problems above I am sure it will become a great tool for me and
>>> my client.
>> Glad you like it!
>> cheers
>> rob
