<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 09/17/2012 03:34 PM, Steven Jones wrote:
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E4053CA5458@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">Hi,<br>
<br>
I'm confused, as section 8.4.5 page 182 first para....<br>
<br>
of the Red Hat admin guide for IPA says this (it's
bi-directional).....so that section needs updating?<br>
</div>
</blockquote>
In IPA, adding users is uni-directional, from AD to IPA. However,
once the users are in sync, updates are bi-directional. This
includes account disable, which syncs both directions.<br>
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E4053CA5458@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<br>
<br>
<div><br>
<div style="font-family: Tahoma; font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New Roman; color: rgb(0, 0, 0);
font-size: 16px;">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF79612"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Dmitri Pal
[<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, 18 September 2012 9:22 a.m.<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] winsync agreements,
mostly one way.<br>
</font><br>
</div>
<div>On 09/17/2012 04:55 PM, Steven Jones wrote:
<blockquote type="cite">
<style id="owaParaStyle" type="text/css">
<!--
p
{margin-top:0;
margin-bottom:0}
p
{margin-top:0;
margin-bottom:0}
-->
BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}P {margin-top:0;margin-bottom:0;}</style>
<div style="direction: ltr; font-family: Tahoma; color:
rgb(0, 0, 0); font-size: 10pt;">
In section 8.4.5 it talks about making an agreement one
way...which is mostly what I want, so everything incl.
password changes from AD to IPA, except I want account
disabled / enabled to flow both ways.<br>
<br>
So if I do a <br>
<br>
ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com<br>
dn: cn=ipa-winsync,cn=plugins,cn=config<br>
changetype: modify<br>
add: oneWaySync<br>
oneWaySync: fromWindows<br>
<br>
<div>Does this affect bi-directional disabling? I assume
it does.......<br>
<br>
So then I have to do a,<br>
<br>
ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com<br>
dn: cn=ipa-winsync,cn=plugins,cn=config<br>
changetype: modify<br>
# replace rather than add: the plugin entry already carries this attribute<br>
replace: ipaWinSyncAcctDisable<br>
ipaWinSyncAcctDisable: both<br>
<br>
is that syntax right?<br>
<br>
</div>
</div>
</blockquote>
<br>
The Winsync plugin used in IPA comes originally from DS. In the
context of IPA it can be only one way, so changing this
configuration is not something we expect or would work in
IPA. In the DS context you can have two-way sync of users
and groups.<br>
<br>
AFAIK (Rich please correct me) we do not replicate the
enabled/disabled status from IPA to AD.<br>
Conceptually we think of the AD as authoritative source for
the information. Allowing user to be disabled by IPA admin
and then replicate this status back violates this model and
would sound really dangerous for AD side. Are you sure that
even if that would have been allowed your AD admins would
actually permit you to do that?<br>
<br>
Anyway, so far it is one of the limitations of the current
product. You can definitely explain the use case in a bit
more detail and file an RFE. If the use case is compelling
we will consider it for a later release.<br>
<br>
<blockquote type="cite">
<div style="direction: ltr; font-family: Tahoma; color:
rgb(0, 0, 0); font-size: 10pt;">
<div><br>
<div style="font-family: Tahoma; font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272</p>
</div>
</div>
<br>
</div>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
</div>
<br>
</blockquote>
<br>
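<p>An added example, not code from this thread or from the FreeIPA or 389 DS projects, that packages the two ldapmodify settings discussed above (sync direction and account-disable sync) as a small POSIX shell script. It assumes the server name ipaserver.example.com and the plugin entry cn=ipa-winsync,cn=plugins,cn=config from the thread; it further assumes, following the 389 DS convention, that oneWaySync is an attribute of the winsync replication agreement entry under cn=mapping tree,cn=config rather than of the plugin entry, and the agreement DN used below is a placeholder you must replace with your own. It uses replace instead of add so the change is idempotent, validates the attribute values before building the LDIF, prompts for the Directory Manager password (-W) instead of passing it on the command line, and reads the entries back so you can confirm what the server actually holds. Dmitri's caveat still applies: IPA expects winsync to be one way, and flipping these attributes is not something the IPA side promises to honour.</p>

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: IPA server
# ipaserver.example.com, plugin entry cn=ipa-winsync,cn=plugins,cn=config,
# and a placeholder winsync agreement DN that must be replaced with yours.
set -u

IPA_HOST="${IPA_HOST:-ipaserver.example.com}"
BIND_DN="cn=directory manager"
PLUGIN_DN="cn=ipa-winsync,cn=plugins,cn=config"
# oneWaySync belongs to the sync agreement entry, not the plugin entry.
# Assumed placeholder DN: adjust cn=winsync and the escaped suffix.
WINSYNC_AGREEMENT_DN='cn=winsync,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config'

# LDIF that sets the sync direction: fromWindows (AD -> IPA) or toWindows.
# "replace" works whether or not the attribute is already present.
one_way_sync_ldif() {
  case "$1" in
    fromWindows|toWindows) ;;
    *) echo "one_way_sync_ldif: direction must be fromWindows or toWindows" >&2; return 1 ;;
  esac
  printf 'dn: %s\nchangetype: modify\nreplace: oneWaySync\noneWaySync: %s\n' \
    "$WINSYNC_AGREEMENT_DN" "$1"
}

# LDIF that sets account-disable sync on the plugin entry.
# Accepted values: none, to_ad, to_ds, both.
acct_disable_ldif() {
  case "$1" in
    none|to_ad|to_ds|both) ;;
    *) echo "acct_disable_ldif: value must be none, to_ad, to_ds or both" >&2; return 1 ;;
  esac
  printf 'dn: %s\nchangetype: modify\nreplace: ipaWinSyncAcctDisable\nipaWinSyncAcctDisable: %s\n' \
    "$PLUGIN_DN" "$1"
}

# Apply an LDIF read from stdin; -W prompts for the password so it never
# appears in the process list or shell history.
apply_ldif() {
  ldapmodify -x -D "$BIND_DN" -W -H "ldap://$IPA_HOST"
}

# Read both settings back from the server to verify what is really set.
show_winsync_config() {
  ldapsearch -x -D "$BIND_DN" -W -H "ldap://$IPA_HOST" \
    -b "$PLUGIN_DN" -s base ipaWinSyncAcctDisable
  ldapsearch -x -D "$BIND_DN" -W -H "ldap://$IPA_HOST" \
    -b "$WINSYNC_AGREEMENT_DN" -s base oneWaySync
}

# Usage: ./winsync-oneway.sh apply
# (the functions alone do nothing on the server; only "apply" contacts it)
if [ "${1:-}" = "apply" ]; then
  one_way_sync_ldif fromWindows | apply_ldif
  acct_disable_ldif both | apply_ldif
  show_winsync_config
fi
```

Run it with the single argument apply on a host that has the OpenLDAP client tools; without arguments it only defines the functions, which is convenient for sourcing it into a shell and piping one_way_sync_ldif or acct_disable_ldif into ldapmodify by hand.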
</body>
</html>