Kambiz Aghaiepour wrote:
> I've established a windows sync agreement on my IPA master server using:
>
> ipa-replica-manage add --winsync --win-subtree='cn=users,dc=mcnc,dc=org'
> --binddn cn=someusergoeshere,cn=users,dc=mcnc,dc=org --bindpw
> nottherealpassword --cacert /root/my.cert --passsync=someotherpass
> myadserver.mcnc.org -v
>
> Everything seems fine so far, but I have a few questions about the setup.
This should answer most of the questions below:
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html

The main differences are that in IPA:
* IPA will only sync user data - not groups
* IPA will not send new users to AD - the users must also be added to
AD, at which point changes to that user will be sync'd between IPA and AD
** The sync key is the uid, which must be the same as the samAccountName
on the AD side
* IPA will sync new users added to AD - IPA will change the DN and schema
** IPA will flatten the DN, removing any ou RDNs, and (optionally) store
these in the ou attribute in the user entry
* IPA will be able to force all users to be in sync with the AD
counterpart (IPA uid == AD samAccountName)
** forceSync option
> 1) It appears that users on the AD side that did not already exist in IPA
> get created upon the initial full sync. Is there any way to turn off
> this behavior?
>
> 2) Also, new users that are created in AD are created in IPA. Can this
> behavior be turned off (I think this is the same setting as #1)?
>
> 3) Will new users that are created in IPA be created in AD?
No - see above
> 4) Will a user previously created in AD be automatically deleted from
> IPA when the user is deleted from AD?
yes
> 5) Will the user be deleted from AD if the user's entry is deleted in IPA?
>
> 6) What does ntUserDeleteAccount: true do?
>
> Thanks
> Kambiz
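As an added illustration of the mapping rules stated in the reply (the sync key is uid == samAccountName, AD users are created in IPA but IPA-only users are not sent to AD, and the AD DN is flattened by dropping ou RDNs and optionally keeping them in the ou attribute), the following Python sketch models that behaviour on constructed sample data. It is not FreeIPA or 389-ds winsync code; the IPA subtree `cn=users,cn=accounts,dc=example,dc=com`, the sample users, and the action labels are assumptions chosen for the example.

```python
"""Model of the winsync user-mapping rules described in the reply.

Constructed example, not FreeIPA's implementation. Assumptions:
  - IPA users live under an assumed subtree (ipa_subtree argument).
  - A minimal DN splitter is enough for the sample data; real DNs
    should be parsed per RFC 4514.
"""
import re
from typing import Dict, List, Set, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs.

    Attribute types are lower-cased; values keep their case. Only the
    escaped comma ('\\,') is handled, which suffices for the sample data.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def flatten_ad_dn(ad_dn: str, sam_account_name: str,
                  ad_subtree: str, ipa_subtree: str) -> Tuple[str, List[str]]:
    """Derive the IPA DN for an AD user and collect the dropped ou values.

    The IPA RDN is uid=<samAccountName> (the sync key); every ou RDN
    between the entry and the synced AD subtree is removed, and returned
    so a caller could store it in the IPA entry's ou attribute.
    """
    rdns = parse_dn(ad_dn)
    base = parse_dn(ad_subtree)
    suffix = rdns[-len(base):]
    # Compare attribute types and values case-insensitively, as LDAP does.
    if [(a, v.lower()) for a, v in suffix] != [(a, v.lower()) for a, v in base]:
        raise ValueError(f"{ad_dn} is not under synced subtree {ad_subtree}")
    local_rdns = rdns[:-len(base)]
    ous = [value for attr, value in local_rdns if attr == 'ou']
    ipa_dn = f"uid={sam_account_name},{ipa_subtree}"
    return ipa_dn, ous


def plan_sync(ad_users: List[Dict[str, str]], ipa_uids: Set[str]) -> Dict[str, str]:
    """Classify users by the direction the reply describes.

    AD users absent from IPA are created in IPA; users present on both
    sides are kept in sync by uid == samAccountName; IPA-only users are
    never pushed to AD (they would need to be added to AD by hand).
    """
    plan: Dict[str, str] = {}
    for user in ad_users:
        uid = user['samAccountName']
        plan[uid] = 'sync' if uid in ipa_uids else 'create-in-ipa'
    for uid in ipa_uids:
        plan.setdefault(uid, 'ipa-only')
    return plan


if __name__ == '__main__':
    # Constructed sample data.
    AD_SUBTREE = 'cn=users,dc=mcnc,dc=org'
    IPA_SUBTREE = 'cn=users,cn=accounts,dc=example,dc=com'   # assumed
    ad_users = [
        {'dn': 'CN=jdoe,OU=Sales,OU=Staff,CN=Users,DC=mcnc,DC=org',
         'samAccountName': 'jdoe'},
        {'dn': 'CN=asmith,CN=Users,DC=mcnc,DC=org', 'samAccountName': 'asmith'},
    ]
    ipa_uids = {'jdoe', 'localonly'}

    for u in ad_users:
        print(flatten_ad_dn(u['dn'], u['samAccountName'], AD_SUBTREE, IPA_SUBTREE))
    print(plan_sync(ad_users, ipa_uids))
```

Running the module prints the flattened DN for jdoe with `['Sales', 'Staff']` as the recoverable ou values, and a plan in which `asmith` is created in IPA while `localonly` stays IPA-only, matching answers 1 through 3 above.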
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users