On 11/04/2014 04:18 PM, Edouard Guigné wrote:
Hello FreeIPA Users,

I am trying to get a sync working between my AD Win 2008 R2 and FreeIPA (Fedora 20) server.
My goal is to retrieve all my AD users in freeIPA database.

1. With "ipa-replica-manage connect --winsync ...", I succeeded in copying users from AD to FreeIPA (via the sync agreement), but passwords have not been synced. I had to reinit the password in IPA to enable user login in the FreeIPA domain.
Is it a normal issue? Is there any way to sync passwords?

I think this is a normal issue when using the PassSync.msi on AD and winsync (as opposed to trusts or another mechanism).


2. I then tried to sync POSIX attributes (from my AD, which has "Subsystem for UNIX-based Applications") into the FreeIPA server by activating the posix winsync plugin.
I would like to extract attributes from my AD like:
- uidNumber
- gidNumber
- unixHomeDirectory
- loginShell
- msSFU30NisDomain

With posix winsync activated, the sync does not work at all... no AD users sync.
What is missing to enable it? I followed the documentation here:
http://www.port389.org/docs/389ds/design/winsync-posix.html

And enabled the plugin this way:
ldapmodify -D "cn=directory manager" -w xxxxx
dn: cn=Posix Winsync API,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

Hmm - it should work.
What version of 389 are you using?
rpm -q 389-ds-base

I suggest trying it again and turning on the replication logging level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting - and see if there are any clues in the errors log.



Ed


