<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/17/2014 08:38 PM, Will Last
wrote:<br>
</div>
<blockquote
cite="mid:CAH3bH5bGFS=yoioD2s-+by2ueHCu8U285=zrTZdEJpj2RyCi4Q@mail.gmail.com"
type="cite">
<div dir="ltr">Many thanks, Bob, for letting me know that I missed
the important point as designed, and for giving me the
confidence that my setup is correct after scratching my head for
two weeks:-D.
<div><br>
</div>
<div>So, is there any solution for my case, i.e., *using an
already setup freeipa as the primary service, and AD as the
secondary (only for those dependent on AD)*, in addition to
Petr's suggestion to setup freeipa-AD trust? I prefer to
maintain user info in freeipa and let AD sync from freeipa.
But unfortunately, this is not designed to be so. Did anyone
try the idea of export users from freeipa and then import into
AD, since they both use LDAP? At least for the initial
pseudo/manual sync. It would be great to share your experience
with us.</div>
<div><br>
</div>
</div>
</blockquote>
<br>
<br>
We are aware of this use case. It is still quite a rare one so we
have not addressed it as there are more pressing configurations that
are more common.<br>
Generally our recommendation in this case will be to rely on the
2-way trusts but it is not implemented yet.<br>
<br>
The export import part will work except passwords. Password hashes
are different in AD than in IPA (and standard Kerberos/LDAP) so you
can sync users but not passwords. <br>
The best option is for you to explore the 389 DS sync setup and try
to apply it to IPA. But there will be dragons and it might require
some development to make plugins work in the right way. IPA has a
plugin to the base DS plugin so it might require some adjustment if
you want to make two way sync work.<br>
Here is the starting point.<br>
<a class="moz-txt-link-freetext" href="http://port389.org/wiki/Howto:WindowsSync">http://port389.org/wiki/Howto:WindowsSync</a><br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CAH3bH5bGFS=yoioD2s-+by2ueHCu8U285=zrTZdEJpj2RyCi4Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Thanks!</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Apr 17, 2014 at 10:16 PM, Rob
Crittenden <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Will Last
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
Hi,<br>
<br>
I have got a freeipa server (pa-server-3.0.0-37) running
on centos 6.5<br>
and am trying to set up sync with/to AD on win 2008/R2,
basically<br>
following<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory.html"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory.html</a>.<br>
The sync agreement is bi-directional by default. But
only AD users are<br>
sync'ed to freeipa and none of the users on freeipa is
sync'ed to ad,<br>
which is what I really cared for. Even a
re-initialization from AD won't<br>
help (ipa-replica-manage re-initialize --from <a
moz-do-not-send="true" href="http://ad.example.com"
target="_blank">ad.example.com</a><br>
</div>
<<a moz-do-not-send="true" href="http://ad.example.com"
target="_blank">http://ad.example.com</a>> ). I have
turned debugging on
<div class=""><br>
(nsslapd-errorlog-level to 8192), but did not see any
obvious clue.<br>
<br>
Thanks in advance for any help!<br>
</div>
</blockquote>
<br>
This is working as designed. IPA-only users are not synced
to AD. The bidirectional part is that changes to an AD user
synced to IPA on the IPA side will be synced back to AD.<span
class="HOEnZb"><font color="#888888"><br>
<br>
rob<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>