Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hey,

So if I remove the IPA Password Sync user from the Account Operators then delete a user from IPA it won't replicate to Active Directory. When I create a user on the Active Directory side it will replicate it to IPA.

So I started testing out the password sync to see if that will work but I am not having any luck with it (even when our password sync user on the windows side is added to Account Operators).

I think I know the issue but I am having trouble finding out the back end of the IPA Directory structure. In the /var/log/dirsrv/slapd/errors file the last few lines say the following.

Ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry "uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca" : 32

From looking at that I assume the passsync user I created on the IPA side does not live under the sysaccounts CN.

So I guess what I'm looking for is the backend structure of how the users are set up. Does his entry in the backend of IPA actually look like this;

uid=passsyncuser,cn=users,dc=ipadomain,dc=ca

Thanks,

Matt

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to configure the oneWaySync option for IPA so only the
>> Windows AD can replicate changes to IPA.
>>
>> When I use the command that I listed below it says it works but when I
>> delete a user from IPA it will then delete the user in Active Directory.
>>
>> Is my command listed below correct? Anyone able to help?
>>
>> Parameters:
>> Server = rhserver
>> Domain = redhat.ca
>> Password = 12345678
>>
>> Contents of /tmp/unisync;
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>>
>> So I enter the following command;
>> *ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync*
>
> There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

>
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hello Rob,

Sorry typo on my part. The command I put in is actually fromWindows

Matt

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, January 22, 2013 2:47 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to configure the oneWaySync option for IPA so only the
> Windows AD can replicate changes to IPA.
>
> When I use the command that I listed below it says it works but when I
> delete a user from IPA it will then delete the user in Active Directory.
>
> Is my command listed below correct? Anyone able to help?
>
> Parameters:
> Server = rhserver
> Domain = redhat.ca
> Password = 12345678
>
> Contents of /tmp/unisync;
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> replace: oneWaySync
> oneWaySync: From Windows
>
> So I enter the following command;
> *ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync*

There should be no space in oneWaySync, it should be fromWindows.

rob

Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hey Rob,

According to the Red Hat Identity Management documentation provided by Red Hat it says to do it with the ldapmodify command. They don't mention any options during the replicator/sync agreement process about uni-directional sync.

Matt

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to configure the oneWaySync option for IPA so only the
>> Windows AD can replicate changes to IPA.
>>
>> When I use the command that I listed below it says it works but when
>> I delete a user from IPA it will then delete the user in Active Directory.
>>
>> Is my command listed below correct? Anyone able to help?
>>
>> Parameters:
>> Server = rhserver
>> Domain = redhat.ca
>> Password = 12345678
>>
>> Contents of /tmp/unisync;
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>>
>> So I enter the following command;
>> *ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync*
>
> There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

>
> rob
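
A pre-flight check for the change record discussed in this thread, added here as an example; it is not code from any poster or from the FreeIPA or 389 Directory Server projects. It assumes the accepted oneWaySync values are fromWindows and toWindows and that sync agreement entries live under cn=mapping tree,cn=config (the point Rich raises); the function names and the second sample record are constructed for illustration.

```python
import re

# Assumption (not stated in the thread): the two values the server accepts.
VALID_VALUES = {"fromWindows", "toWindows"}
# Assumption: sync agreement entries live under this subtree (Rich's point).
AGREEMENT_SUFFIX = "cn=mapping tree,cn=config"

# The change record as posted in the thread.
THREAD_LDIF = """\
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows
"""

# Constructed record; the agreement and suffix RDNs are placeholders.
CONSTRUCTED_LDIF = """\
dn: cn=EXAMPLE-AGREEMENT,cn=replica,cn=EXAMPLE-SUFFIX,cn=mapping tree,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: fromWindows
"""


def parse_change(ldif_text):
    """Return (dn, [(key, value), ...]) for one unfolded LDIF change record."""
    dn, pairs = None, []
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if key.strip().lower() == "dn":
            dn = value.strip()
        else:
            pairs.append((key.strip().lower(), value.strip()))
    return dn, pairs


def lint_one_way_sync(ldif_text):
    """Return findings for the record; an empty list means nothing was flagged."""
    dn, pairs = parse_change(ldif_text)
    findings = []
    # Normalise spacing around RDN separators before comparing the suffix.
    if not re.sub(r"\s*,\s*", ",", (dn or "").lower()).endswith(AGREEMENT_SUFFIX):
        findings.append(f"target {dn} is not under {AGREEMENT_SUFFIX}")
    values = [v for k, v in pairs if k == "onewaysync"]
    if not values:
        findings.append("record sets no oneWaySync value")
    # Strict match on the canonical spelling, so "From Windows" is reported.
    findings += [f"invalid oneWaySync value {v!r}" for v in values if v not in VALID_VALUES]
    return findings
```

Running `lint_one_way_sync(THREAD_LDIF)` reports both the target entry and the value with the space; the constructed record passes.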