> The is is treated as the ultimate source so adds should go only from AD 
> to IPA but you need the modify to work both ways otherwise your account 
> state will get out of sync.
> Whatever is required by docs is the minimal privilege you need to have 
> to sync users.
> However, did you consider trust?
> It is a two way trust but it acts as a one way trust.

I know, but my customer doesn't want a two-way trust, whatever it means:
- he fears some security concerns with a two-way.
- if he migrates his AD to a new version or new topology, he fears encountering 
some migration path issues

So it has been decided to go the winsync way.

btw, I managed to get my one-way replication working, with fewer privileges, 

Thank you

