Hi, Petr

Thanks for your quick reply.

I want to integrate Linux servers with an existing AD and centrally manage 
HBAC/Sudo rules. 

So I have set up a standalone IPA server with domain 'example.net', and am trying to 
sync users from the existing AD to it with the following command:

ipa-replica-manage connect --winsync 
--binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX' 
--passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer' 
--win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net

After it has been successfully established, users in AD did not sync to IPA. 

For the 'trusts' integration method, since users do not sync to IPA at all, how do I 
set sudo/HBAC rules for users? I have not tried it. 


------------------ Original ------------------
From:  "Petr Vobornik";<pvobo...@redhat.com>;
Date:  Thu, Apr 28, 2016 11:21 PM
To:  "Matrix"<matrix...@qq.com>; "freeipa-users"<freeipa-users@redhat.com>; 

Subject:  Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync 
user between different suffix AD and IPA domain?

On 04/28/2016 04:44 PM, Matrix wrote:
> Hi, all
> I am trying to do a centralized solution
> AD domain is 'examplemedia.net'
> IPA domain is 'example.net'
> After ipa-replica has been established, I found that nothing has been synced 
> from AD to IPA.
> IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> I doubt that a different suffix is supported?  If so, can anyone show some 
> hint for me to investigate more?
> Thanks for your kind help.
> Matrix


What is your goal and current setup?

By "ipa-replica has been established" do you mean that you installed a
new currently standalone IPA server? And connected it somehow with AD?

Or did you run `ipa-replica-manage connect --winsync ...`?

It would be good to mention that IPA server[1] cannot be a replica of an
AD server. But it can integrate with it. Either by using
winsync (synchronization) or the recommended solution: Trusts [2].


Petr Vobornik