Hi,

Reading section 7.2, this looks like a bi-directional agreement. I want to do a uni-directional agreement, so I want a one-way password sync out of AD into IPA, and when a new user is created, that user gets created in IPA and gets an IPA UID.
So can I set lower permissions? I would assume so.

"7.2. Setting up Active Directory for Synchronization

Synchronizing user accounts alone is enabled within IPA, so all that is necessary is to set up a sync agreement (Section 7.3.2, “Creating Synchronization Agreements”).

On the Windows server, it is necessary to create the user that the IPA server will use to connect to the Active Directory domain. The process for creating a user in Active Directory is covered in the Windows server documentation at http://technet.microsoft.com/en-us/library/cc732336.aspx. The new user account must have the proper permissions:

• Grant the sync user account Replicating directory changes rights to the synchronized Active Directory subtree. Replicator rights are required for the sync user to perform synchronization operations. Replicator rights are described in http://support.microsoft.com/kb/303972.

• Add the sync user as a member of the Account Operator and Enterprise Read-Only Domain controller groups. It is not necessary for the user to belong to the full Domain Admin group."

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
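An added example, not part of the original post or of the FreeIPA documentation it quotes, that audits whether a sync account carries exactly the rights the quoted section lists and nothing more. It assumes the RSAT ActiveDirectory PowerShell module, a hypothetical account name ipasync, and that the Replicating Directory Changes extended right has been granted on the domain naming context; the DS-Replication-Get-Changes GUID is the well-known AD schema value for that extended right.

```powershell
# Added audit script (assumption: RSAT ActiveDirectory module is installed).
# It checks the least-privilege shape the docs describe for the sync user:
# member of Account Operators and Enterprise Read-only Domain Controllers,
# NOT a member of Domain Admins, and holding Replicating Directory Changes.
Import-Module ActiveDirectory

$syncUser = 'ipasync'            # assumption: hypothetical sync account name
$domain   = Get-ADDomain
$user     = Get-ADUser -Identity $syncUser

# 1. Group membership as required by the quoted section.
$groups = (Get-ADPrincipalGroupMembership -Identity $syncUser).Name
foreach ($g in 'Account Operators', 'Enterprise Read-only Domain Controllers') {
    $state = if ($groups -contains $g) { 'member' } else { 'MISSING' }
    '{0,-45} {1}' -f $g, $state
}
if ($groups -contains 'Domain Admins') {
    Write-Warning "$syncUser is in Domain Admins; the docs say this is not required for sync"
}

# 2. Replicating Directory Changes: the DS-Replication-Get-Changes extended
#    right is identified by a well-known schema GUID. Assumption: it was
#    granted on the domain head (the usual place for this right).
$getChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$acl  = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $getChangesGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $user.SID
}
if ($aces) {
    "Replicating Directory Changes: granted to $syncUser on $($domain.DistinguishedName)"
} else {
    Write-Warning "Replicating Directory Changes not found for $syncUser on the domain head"
}
```

Run it as a domain user who can read the domain object's security descriptor; a "MISSING" group or a missing extended right explains most sync agreements that fail with a permission error, and a Domain Admins membership is the over-privilege the quoted section says you can avoid.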