On Thu, 12 Feb 2015, Nicolas Zin wrote:



AD is treated as the ultimate source, so adds should go only from AD
to IPA, but you need the modify to work both ways, otherwise your account
state will get out of sync.
Whatever is required by docs is the minimal privilege you need to have
to sync users.

However did you consider trust?
It is a two-way trust but it acts as a one-way trust.

I know, but my customer doesn't want a two-way trust, whatever it means:
- it fears some security concerns with a two-way.
We've been through this multiple times, check freeipa-users@ archives
for arguments for and against.

- if he migrates his AD into a new version or new topology, he fears encountering
some migration path issues
Cross-forest trust is the standard feature of AD, we foresee no
migration path issues and it works with everything from Windows Server
2003 to Windows Server 2012R2 (though Red Hat only supports cross-forest trust
starting with Windows Server 2008 onwards but this is mostly because
2003 is already out of support by Microsoft).

So it has been decided to go the winsync way.

btw, I managed to make my one-way replication work, with fewer
privileges, following
http://directory.fedoraproject.org/docs/389ds/howto/howto-windowssync.html#creating-ad-user-with-replication-rights

--
/ Alexander Bokovoy
