Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Rich Megginson

On 03/17/2014 03:33 PM, Todd Maugh wrote:
> I'm trying to sync all of my AD to IPA, I don't need to retain any of
> the original windows directory structure once in IPA.
>
> I cannot find where to set ipaWinSyncUserFlatten to true (so I'm
> assuming it's on true by default)

Yes, it is true by default.
dn: cn=ipa-winsync,cn=plugins,cn=config

> I really need to be able to sync more than just the cn=users subtree

There really isn't explicit support for this.  If it doesn't work to set
your AD subtree to your root suffix (e.g. dc=domain,dc=com), then it's
simply not going to work until 389 adds support for that.

> And I can find no documentation or help on line.

Because there probably isn't any.

> Has anyone had any success or practice with this?

See above.

> Thanks
>
> -Todd
>
> Todd Maugh
> Sr System Engineer
> *Boingo Wireless*
> *tma...@boingo.com*


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Todd Maugh
Thanks Rich,

I am able to create a successful winsync agreement from the top level.

Unfortunately, when I do this, I do not see any of the accounts from the sub
trees populate my ipa server.

Is it possible to have all the subtrees (ous) live under cn=users. If I make
this change to AD would IPA then sync all the accounts from the subtrees? I
can't believe I am the first person with this issue or need.

Thanks again in advance.



Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Rich Megginson

On 03/17/2014 03:52 PM, Todd Maugh wrote:
> Thanks Rich,
>
> I am able to create a successful winsync agreement from the top level.
>
> Unfortunately, when I do this, I do not see any of the accounts from
> the sub trees populate my ipa server.

Ok, so it doesn't work.

> Is it possible to have all the subtrees (ous) live under cn=users. If I
> make this change to AD would IPA then sync all the accounts from the
> subtrees?

Yes.

> I can't believe I am the first person with this issue or need.

You are certainly not - we have a couple of 389 to address this and
similar issues with winsync.

https://fedorahosted.org/389/ticket/460

Unfortunately, this fix has been targeted for F20 (389-ds-base-1.3.2),
and we don't have plans to backport to EL6.

Note that winsync is always going to be more or less painful - it is
not, was never designed to be, and never will be a full blown
meta-directory solution.  For more information:

https://fedorahosted.org/389/query?component=Sync+Service&status=accepted&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority&report=16

That's why we recommend that the best long term solution is cross domain
trust - that removes winsync from the picture.

> Thanks again in advance.


Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Todd Maugh
Thanks again Rich, is there some good documentation on setting up the trust?


Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Dmitri Pal

On 03/17/2014 06:04 PM, Todd Maugh wrote:
> Thanks again Rich, is there some good documentation on setting up the
> trust?

http://www.freeipa.org/page/IPAv3_testing_AD_trust





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Rich Megginson

On 03/17/2014 04:04 PM, Todd Maugh wrote:
> Thanks again Rich, is there some good documentation on setting up the
> trust?

I'm not familiar with trust.  There are other folks in the IPA community
who are.


