On 05/15/2013 01:31 AM, James A wrote:
On Wed, May 15, 2013 at 9:02 AM, James A <ja...@atia.se> wrote:
On Tue, May 14, 2013 at 5:07 PM, Rich Megginson <rmegg...@redhat.com> wrote:
On 05/14/2013 07:57 AM, Rob Crittenden wrote:
James A wrote:
Hello all,
I have been playing with trying to set up synchronization between Windows AD --> IPA following the instructions at
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
A few questions arise:
1.) The documentation (specifically on https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html, under table 9.2) talks about options to the "ipa-replica-manage connect" command, among others --bindpw and --passsync. With --binddn we specify the "full user DN of the synchronization identity" (and its password with --bindpw) ... but I fail to understand which user's password should be used for "--passsync"? Is it the same user?
No, a special IPA system account user is needed so the PassSync service running in AD can bind to the IPA LDAP server to make password changes. This entry needs to be created in IPA regardless of whether you are using the PassSync service or not.
So binddn/bindpw is for the AD user we use to bind from IPA to AD, and passsync is the password set on the IPA passsync account.
2.) The documentation says that the "synchronization identity" (see also above) must exist in the AD domain and "must have replicator, read, search and write permissions on the AD subtree". What I am trying to do is create a one-way sync from AD --> IPA and I would really like to avoid using a user (for syncing) that has write permissions (in the AD). All my tries at setting up synchronization fail unless I add the sync user to the group "Administrators". I have tried (and failed) using "account admins" etc. Any pointers here would be great. Sorry for my ignorance when it comes to Windows. I am sure I am missing something obvious.
3.) I follow the instructions under "9.4.5" (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync) to set up uni-directional sync (only AD --> IPA), and yet, when I go to remove an account in IPA it gets removed also in the AD. (This I really want to avoid, thus the need for a read-only user to do the synchronization - see question 2.)
I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs will chime in with some suggestions.
Write access is not required if you are only doing one way sync. Here is the information about adding the specific rights to the windows sync user:
http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights
BINGO :) Thank you! Now I am very close!
The instructions read "In the 'Permissions for Windows Sync' list, make sure Read is checked under the Allow column". This I don't have (I can't find this setting where the instructions say it should be)... I do have "replicate directory changes", "replicating directory changes all", "replication synchronization" and "monitor active directory replication".
When I set "Replication Synchronization" and "Replicate Directory Changes" permissions on the user, I can sync new accounts using this user account.
But...
When I delete a user on the IPA server, then sync again, the user doesn't show up in IPA.
The good news is that the user doesn't get deleted in the AD, but I can't sync it back to the IPA.
If I create a new user in the AD it gets synced ok (to IPA).
I realize some of these are more Windows/AD-centric issues, but given that I use IPA for syncing from the AD I hope maybe someone can shed some (more) light on this, on this mailing list...
thanks,
//James.
For what it's worth, I just noticed that if I remove an account on the IPA server, go over to the AD, change an attribute (such as set it to "disabled"), and sync again, it synchronizes over no problem. If I remove an account (on IPA) without touching it on the AD, it won't synchronize, however.
IPA polls for changes in AD every 5 minutes by default. You can change the winSyncInterval if you want this to happen more often. Also, the polling only looks for entries that have changed, which is why it only syncs from AD to IPA if you change something.
//J
All in all I think the FreeIPA project is amazing and it really gives us in the Linux community something we haven't had before. If I can iron out the problems above I am sure it will become a great tool for me and my client.
Glad you like it!
cheers
rob
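As an added example (not from this thread or the documentation it cites), the two agreement settings the thread touches on, the one-way direction from section 9.4.5 and the winSyncInterval polling period, expressed as a single ldapmodify input against an existing winsync agreement. The agreement DN, host name and suffix are placeholders: the real DN of your agreement is whatever `ldapsearch -b "cn=mapping tree,cn=config" "(objectClass=nsDSWindowsReplicationAgreement)" dn` returns on the IPA server.

```ldif
# Constructed example: tighten an existing IPA -> AD winsync agreement.
# - oneWaySync: fromWindows  makes IPA consume AD changes only, so a
#   read-only AD sync account is sufficient and IPA-side deletions are
#   never written back to AD.
# - winSyncInterval: seconds between polls of AD (default 300 = the
#   "every 5 minutes" mentioned above); 60 shortens the wait after a
#   change in AD before it shows up in IPA.
# Apply with (assumed command line, as Directory Manager):
#   ldapmodify -x -D "cn=Directory Manager" -W -f winsync-oneway.ldif
dn: cn=meToAD_HOST.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: fromWindows
-
replace: winSyncInterval
winSyncInterval: 60
```

Note that a one-way agreement still only picks up AD entries whose USN has advanced, so an entry deleted on the IPA side is not re-created until something about it changes in AD, which is the behaviour James observed.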
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users