Thanks Rich,

I am able to create a successful winsync agreement from the top level.

Unfortunately, when I do this. I do not see any of the accounts from the sub 
trees populate my ipa server.

Is it possible to have all the subtrees (ous) live under cn=users. If I make 
this change to AD would IPA then sync all the accounts from the subtrees? I 
cant believe I am the first person with this issue or need.

Thanks again in advance.

From: Rich Megginson []
Sent: Monday, March 17, 2014 2:44 PM
To: Todd Maugh;
Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their 
AD to IPA (multiple OUs and or Subtrees)

On 03/17/2014 03:33 PM, Todd Maugh wrote:
I'm trying to sync all of my AD to IPA, I don't need to retain any of the 
original windows directory structure once in IPA.

I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's 
on true by default)

Yes, it is true by default.
dn: cn=ipa-winsync,cn=plugins,cn=config

I really need to be able to sync more than just the cn=users subtree

There really isn't explicit support for this.  If it doesn't work to set your 
AD subtree to your root suffix (e.g. dc=domain,dc=com), then it's simply not 
going to work until 389 adds support for that.

And I can find no documentation or help on line.

Because there probably isn't any.

Has anyone had any success or practice with this?

See above.



Todd Maugh
Sr System Engineer
Boingo Wireless<>


Freeipa-users mailing list<>

Freeipa-users mailing list

Reply via email to