Hi, Petr

all steps listed in section 7.4 of Windows integration guide have been done.


user for sync is 'cn=ipa,cn=users,dc=examplemedia,dc=net'


and l have been verified it with ldapsearch, detail cmd as below:
# ldapsearch -H ldap://ipaad.examplemedia.net -D 
'cn=ipa,cn=users,dc=examplemedia,dc=net' -w 'RedHat1!' -b 
"cn=users,dc=examplemedia,dc=net" -LLL -ZZ


and sync cmd is created by: 


# ipa-replica-manage connect --winsync 
--binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='RedHat1!' 
--passsync='redhatredhat' --cacert='/etc/openldap/cacerts/ad.cer' 
--win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net


after it has been created, i have also force-sync it. 


# ipa-replica-manage force-sync --from=ipaad.examplemedia.net
Directory Manager password:


ipa: INFO: Setting agreement 
cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping
 tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement 
cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping
 tree,cn=config




root@ipaserver:/var/log/dirsrv/slapd-DEV-EXAMPLE-NET · 06:47 AM Tue May 03 ·
!41 # echo $?
0



Nothing error was reported. Any debug info or log i can provide for further 
analysis? 


Thanks


Matrix




------------------ Original ------------------
From:  "Petr Vobornik";<pvobo...@redhat.com>;
Date:  Mon, May 2, 2016 02:46 AM
To:  "Matrix"<matrix...@qq.com>; "freeipa-users"<freeipa-users@redhat.com>; 

Subject:  Re: [Freeipa-users] is it possible to use 'ipa-replica' to 
syncuserbetween different suffix AD and IPA domain?



On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
> 
> Thanks for your quickly reply.
> 
> I want to integrated linux servers with existed AD, centralized manage 
> HBAC/Sudo 
> rules.
> 
> So i have setup a standalone IPA server with domain 'example.net', trying to 
> sync users from existed AD to it with following cmd:
> 
> ipa-replica-manage connect --winsync 
> --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX' 
> --passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer' 
> --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
> 
> 
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the
steps described in section 7.4 of Windows integration guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> 
> 
> For 'trusts' integration method, since user did not sync to IPA at all, how 
> to 
> set sudo/HBAC rules for users? I have not tried it.
> 
> 
> Matrix
> 
> 
> 
> 
> ------------------ Original ------------------
> *From: * "Petr Vobornik";<pvobo...@redhat.com>;
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"<matrix...@qq.com>; "freeipa-users"<freeipa-users@redhat.com>;
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync 
> userbetween different suffix AD and IPA domain?
> 
> On 04/28/2016 04:44 PM, Matrix wrote:
>  > Hi, all
>  >
>  > I am trying to do a centrelized solution
>  >
>  > AD domain is 'examplemedia.net'
>  >
>  > IPA domain is 'example.net'
>  >
>  > After ipa-replica has been established, i found that nothing has been 
> synced
>  > from AD to IPA.
>  >
>  > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>  >
>  > I doubt that for different suffix is supported ?  If so, anyone can show 
> some
>  > hint for me to investigate more?
>  >
>  > Thanks for your kindly help.
>  >
>  > Matrix
> 
> Hello,
> 
> what is your goal and current setup?
> 
> By "ipa-replica has been established" do you mean that you installed a
> new currently standalone IPA server? And connected it somehow with AD?
> 
> Or did you run `ipa-replica-manage connect --winsync ...`
> 
> It would be good to mention that IPA server[1] cannot be a replica of an
> AD server. But it can integrate with it. Either by using
> winsync(synchronization) or the recommended solution: Trusts [2].
> 
> Documentation:
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
> 
> HTH
> -- 
> Petr Vobornik
> 


-- 
Petr Vobornik
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to