On 10/31/2014 11:49 AM, Rob Crittenden wrote:
Edouard Guigné wrote:
Hello Rob,

Thank you for your answer.
Do you mean it should already work?
Or do I have to do this on the FreeIPA server:

rm /etc/dirsrv/slapd-INSTNAME/schema/10rfc2307.ldif
cp /usr/share/dirsrv/data/10rfc2307bis.ldif /etc/dirsrv/slapd-INSTNAME/schema

Sorry, I guess I was a little terse.

The nisDomain is already defined for IPA so you can skip that bit.

The Posix Winsync Plugin is disabled by default. You'll need to enable
it and configure it to match your environment. See the wiki page for
configuration details.

You can either enable and configure it online by using ldapmodify and
binding as the Directory Manager or by shutting down 389-ds and
modifying dse.ldif, then restarting it (or use a tool like Apache
Directory Studio).

rob


Best Regards, have a nice weekend.
Ed

On 31/10/2014 16:04, Rob Crittenden wrote:
Edouard Guigné wrote:
Hello freeipa Users,

I am working on a sync agreement between AD server -> FreeIPA server
(fedora 20)

I followed the documentation, and my sync works between AD -> FreeIPA with
"ipa-replica-manage connect --winsync ..."

However, I would like to extract attributes from my AD like:
- uidNumber
- gidNumber
- unixHomeDirectory
- loginShell
- msSFU30NisDomain
My AD server is 2008 R2 with Subsystem for UNIX-based Applications.

I would like to retrieve these attributes in my FreeIPA server after sync.

I had a look on Google and found information like this:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-sync-agmt.html#tab.sync-agmt-attrs

But I did not succeed with it.

Could someone help me?

It should already work:

http://www.port389.org/docs/389ds/design/winsync-posix.html

rob



I just want to mention that this is not a recommended approach.
While the plugin exists in DS it is not enabled or supported for IPA.
The supported way to deal with POSIX attributes in AD is to use a trust with AD rather than sync. Is this a one-time move of the accounts from AD to IPA and you plan to turn the plugin off after the initial sync?
If not, it will be a configuration we would recommend.
If you just want to copy attributes, using ipa migrate-ds or dumping accounts into LDIF and then loading the LDIF would be a better option.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
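
Added example, not part of the thread: the online route Rob Crittenden describes (ldapmodify bound as the Directory Manager), written as a script that only prints the change unless APPLY=1 is set. The entry DN and option names are those of the 389 Directory Server Posix Winsync plugin; the host name and the option value are assumptions, and per Dmitri Pal's reply the plugin is not supported for IPA.

```shell
#!/bin/sh
# Added example; IPA_HOST is a hypothetical server name.
IPA_HOST="${IPA_HOST:-ipa.example.test}"

# LDIF that turns the plugin on and states the AD schema flavour explicitly.
# posixWinsyncMsSFUSchema: false is an assumption matching an AD that exposes
# uidNumber, gidNumber, unixHomeDirectory and loginShell, as in the thread.
posix_winsync_ldif() {
    cat <<'EOF'
dn: cn=Posix Winsync API,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: posixWinsyncMsSFUSchema
posixWinsyncMsSFUSchema: false
EOF
}

# Bind as Directory Manager. -ZZ requires StartTLS so the bind password is
# not sent in clear text; -W prompts for it instead of taking it on the
# command line, where it would be visible in the process list and history.
apply_posix_winsync() {
    posix_winsync_ldif |
        ldapmodify -ZZ -x -H "ldap://${IPA_HOST}" \
                   -D "cn=Directory Manager" -W
}

# Dry run by default: print the LDIF for review. Set APPLY=1 to send it.
if [ "${APPLY:-0}" = "1" ]; then
    apply_posix_winsync
else
    posix_winsync_ldif
fi
```

The directory server has to be restarted before the enabled plugin is loaded, which is the same restart the offline dse.ldif route ends with.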

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
