On 05/15/2013 01:31 AM, James A wrote:

On Wed, May 15, 2013 at 9:02 AM, James A <ja...@atia.se <mailto:ja...@atia.se>> wrote:

    On Tue, May 14, 2013 at 5:07 PM, Rich Megginson
    <rmegg...@redhat.com <mailto:rmegg...@redhat.com>> wrote:

        On 05/14/2013 07:57 AM, Rob Crittenden wrote:

            James A wrote:

                Hello all,

                I have been playing with trying to set up
                synchronization between
                windows AD --> IPA  following the instructions at

                A few questions arise;

                1.) The documentation (specifically on

                (under table 9.2) talks about options to the
                connect" command. Among others, --bindpw and
                --passsync.  With --binddn
                we specify the "full user DN of the synchronization
                identity" (and it's
                password with --bindpw ... but I fail to understand
                which users password
                should be used for "--passsync"??  Is it the same user?

            No, a special IPA system account user is needed so the
            PassSync service running in AD can bind to the IPA LDAP
            server to make password changes. This entry needs to be
            created in IPA regardless of whether you are using the
            PassSync service or not.

            So binddn/bindpw is for the AD user we use to bind from
            IPA to AD, and passsync is the password set on the IPA
            passsync account.

                2.) The documentation says that the "synchronization
                identity" (see also
                above) must exist in the AD domain and "must have
                replicator, read,
                search and write permissions on the AD subtree.  What
                I am trying to do
                is create a one way sync from AD --> IPA  and I would
                really like to
                avoid using a user (for synching) that has write
                permissions (in the
                AD).  All my tries in setting up synchronization fails
                unless I add the
                synch-user to the group "Administrators". I have tried
                (and failed)
                using "account admins" etc.   Any pointers here would
                be great. Sorry
                for my ignorance when it comes to Windows. I am sure I
                am missing
                something obvious.

                3.) I follow the instructions under "9.4.5"

                to setup Uni-directional sync. (only AD --> IPA), and
                yet, when I go to
                remove an account in IPA it gets removed also in the
                AD.  (This I really
                want to avoid, thus the need for a read-only user to
                do the
                synchronization - see question 2).

            I'm not really sure about #2 or #3. Hopefully one of the
            389-ds devs will chime in with some suggestions.

        Write access is not required if you are only doing one way sync.
        Here is the information about adding the specific rights to
        the windows sync user

    BINGO :)  Thank you!  Now I am very close!

    The instructions read "In the 'Permissions for Windows Sync' list,
    make sure Read is checked under the Allow column".   This I don't
    have (I can't find this setting where the instructions say it
    should be).... I do have "replicate directory changes",
    "replicating directory changes all", "replication synchronization"
    and "monitor active directory replication".
    When I set "Replication Synchronization" and "Replicate Directory
    Changes" permissions on the user, I can sync new accounts using
    this useraccount.


    When I delete a user on the IPA server, then sync again the user
    doesn't show up in IPA.
    The good news is that the user doesn't get deleted in the AD, but
    I can't sync it back to the IPA.

    If I create a new user in the AD it gets synced ok. (to IPA).

    I realize some of these are more windows/AD-centric issues, but
    given that I use IPA for syncing from the AD I hope maybe someone
    can shed some (more) light on this on this maillist....



For what it's worth, I just noticed that if I remove an account on the IPA server, go over to the AD, change an attribute (such as set it to "disabled"), and sync again it syncronizes over no problem. If I remove an account (on IPA) without touching it on the AD, it won't syncronize however.

IPA polls for changes in AD every 5 minutes by default. You can change the winSyncInterval if you want this to happen more often. Also, the polling only looks for entries that have changed, which is why it only syncs from AD to IPA if you change something.


                All in all I think the FreeIPA project is amazing and
                it really gives us
                in the Linux community something we haven't had
                before.   If I can iron
                out the problems above I am sure it will become a
                great tool for me and
                my client.

            Glad you like it!



            Freeipa-users mailing list
            Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>

Freeipa-users mailing list

Reply via email to