<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/15/2013 01:31 AM, James A wrote:<br>
</div>
<blockquote
cite="mid:CAC4BCTWB=ngjneVVnL8qptDbM1WQ65PGe8cqs5akj1AxtS6gLg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, May 15, 2013 at 9:02 AM,
James A <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:james@atia.se" target="_blank">james@atia.se</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div>
<div class="h5">On Tue, May 14, 2013 at 5:07 PM,
Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<div>On 05/14/2013 07:57 AM, Rob Crittenden
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">James
A wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello
all,<br>
<br>
I have been playing with trying to set
up synchronization between<br>
windows AD --> IPA following the
instructions at<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html</a>
<br>
<br>
A few questions arise;<br>
<br>
1.) The documentation (specifically on<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html</a>),
<br>
(under table 9.2) talks about options
to the "ipa-replica-manage<br>
connect" command. Among others,
--bindpw and --passsync. With
--binddn<br>
we specify the "full user DN of the
synchronization identity" (and its<br>
password with --bindpw ... but I fail
to understand which users password<br>
should be used for "--passsync"? Is
it the same user?<br>
</blockquote>
<br>
No, a special IPA system account user is
needed so the PassSync service running
in AD can bind to the IPA LDAP server to
make password changes. This entry needs
to be created in IPA regardless of
whether you are using the PassSync
service or not.<br>
<br>
So binddn/bindpw is for the AD user we
use to bind from IPA to AD, and passsync
is the password set on the IPA passsync
account.<br>
<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">2.)
The documentation says that the
"synchronization identity" (see also<br>
above) must exist in the AD domain and
"must have replicator, read,<br>
search and write permissions on the AD
subtree". What I am trying to do<br>
is create a one way sync from AD
--> IPA and I would really like to<br>
avoid using a user (for synching) that
has write permissions (in the<br>
AD). All my tries in setting up
synchronization fails unless I add the<br>
synch-user to the group
"Administrators". I have tried (and
failed)<br>
using "account admins" etc. Any
pointers here would be great. Sorry<br>
for my ignorance when it comes to
Windows. I am sure I am missing<br>
something obvious.<br>
<br>
3.) I follow the instructions under
"9.4.5"<br>
(<a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync</a>)
<br>
to setup Uni-directional sync. (only
AD --> IPA), and yet, when I go to<br>
remove an account in IPA it gets
removed also in the AD. (This I
really<br>
want to avoid, thus the need for a
read-only user to do the<br>
synchronization - see question 2).<br>
</blockquote>
<br>
I'm not really sure about #2 or #3.
Hopefully one of the 389-ds devs will
chime in with some suggestions.<br>
</blockquote>
<br>
</div>
</div>
Write access is not required if you are only
doing one way sync.<br>
Here is the information about adding the
specific rights to the windows sync user<br>
<a moz-do-not-send="true"
href="http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights"
target="_blank">http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights</a></blockquote>
<div><br>
</div>
</div>
</div>
<div>BINGO :) Thank you! Now I am very close!</div>
<div><br>
</div>
<div>The instructions read "In the 'Permissions for
Windows Sync' list, make sure Read is checked
under the Allow column". This I don't have (I
can't find this setting where the instructions say
it should be).... I do have "replicate directory
changes", "replicating directory changes all",
"replication synchronization" and "monitor active
directory replication".</div>
<div>When I set "Replication Synchronization" and
"Replicate Directory Changes" permissions on the
user, I can sync new accounts using this
user account.</div>
<div><br>
</div>
<div>But...</div>
<div><br>
</div>
<div>When I delete a user on the IPA server, then
sync again the user doesn't show up in IPA.</div>
<div>The good news is that the user doesn't get
deleted in the AD, but I can't sync it back to the
IPA.</div>
<div><br>
</div>
<div>If I create a new user in the AD it gets synced
OK (to IPA).<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I realize some of these are more
windows/AD-centric issues, but given that I use
IPA for syncing from the AD I hope maybe someone
can shed some (more) light on this
maillist.... </div>
<div><br>
</div>
<div>thanks,</div>
<div><br>
</div>
<div>//James.</div>
<div class="im">
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div style="">For what it's worth, I just noticed that if I
remove an account on the IPA server, go over to the AD,
change an attribute (such as set it to "disabled"), and
sync again it synchronizes over no problem. If I remove
an account (on IPA) without touching it on the AD, it
won't synchronize, however.</div>
</div>
</div>
</div>
</blockquote>
<br>
IPA polls for changes in AD every 5 minutes by default. You can
change the winSyncInterval if you want this to happen more often.
Also, the polling only looks for entries that have changed, which is
why it only syncs from AD to IPA if you change something.<br>
<br>
<blockquote
cite="mid:CAC4BCTWB=ngjneVVnL8qptDbM1WQ65PGe8cqs5akj1AxtS6gLg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div style=""><br>
</div>
<div style="">//J</div>
<div><br>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div class="im">
<div><br>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<br>
<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">All
in all I think the FreeIPA project is
amazing and it really gives us<br>
in the Linux community something we
haven't had before. If I can iron<br>
out the problems above I am sure it will
become a great tool for me and<br>
my client.<br>
</blockquote>
<br>
Glad you like it!<br>
<br>
cheers<br>
<br>
rob<br>
<br>
</div>
<div>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com"
target="_blank">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</div>
</blockquote>
<br>
</blockquote>
</div>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
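<p>An added example, not part of the thread and not FreeIPA or 389-ds project code, for the polling interval Rich mentions above. It assumes (none of this is stated on the page) that the winsync agreement is an <code>nsDSWindowsReplicationAgreement</code> entry under <code>cn=config</code> on the IPA 389-ds instance, that the attribute holding the poll interval in seconds is <code>winSyncInterval</code> (300 = the 5-minute default), that Directory Manager credentials are available to <code>ldapmodify</code>, and that <code>ipa-replica-manage force-sync --from &lt;AD host&gt;</code> triggers an immediate poll. The host name, DN and interval values are placeholders.</p>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect and change the
# winsync poll interval on an IPA server, and force a poll on demand.
# Assumptions, not stated on the page: the agreement entry is of
# objectClass nsDSWindowsReplicationAgreement under cn=config, the attribute
# is winSyncInterval (seconds), and ldapsearch/ldapmodify/ipa-replica-manage
# are on PATH. IPA_HOST defaults to localhost.

IPA_HOST="${IPA_HOST:-localhost}"

# Emit the LDIF that replaces winSyncInterval on one agreement entry.
# Rejects empty, non-numeric, zero or leading-zero values so a typo cannot
# leave the live agreement with a bogus interval. Returns 1 on bad input.
winsync_interval_ldif() {
    dn="$1"
    secs="$2"
    case "$secs" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: winSyncInterval\nwinSyncInterval: %s\n' \
        "$dn" "$secs"
}

# List winsync agreements and their current interval. Prompts for the
# Directory Manager password (-W); nothing is changed.
find_winsync_agreements() {
    ldapsearch -x -LLL -H "ldap://$IPA_HOST" -D 'cn=Directory Manager' -W \
        -b cn=config '(objectClass=nsDSWindowsReplicationAgreement)' \
        dn winSyncInterval
}

# Apply a new interval to the agreement DN given as $1 (seconds in $2).
set_winsync_interval() {
    winsync_interval_ldif "$1" "$2" | \
        ldapmodify -x -H "ldap://$IPA_HOST" -D 'cn=Directory Manager' -W
}

# Ask IPA to poll AD now instead of waiting for the next interval.
# Assumed from the IdM guide; confirm with: ipa-replica-manage --help
force_winsync_poll() {
    ipa-replica-manage force-sync --from "$1"
}

# Only touch a live server when explicitly asked, e.g.
#   WINSYNC_APPLY=1 AGREEMENT_DN='cn=meToad.example.com,cn=replica,...' \
#       INTERVAL=60 sh winsync-interval.sh
if [ "${WINSYNC_APPLY:-}" = 1 ]; then
    find_winsync_agreements
    set_winsync_interval "$AGREEMENT_DN" "$INTERVAL"
fi
```

<p>Lowering the interval only makes IPA notice changed AD entries sooner; it does not change what the poll looks at. As Rich notes, an entry deleted on the IPA side and untouched in AD will not come back on its own, which is why touching the AD entry (or forcing a full sync) is what brings it across.</p>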
</body>
</html>