[Freeipa-users] a couple of questions regarding windows password sync agreements ....

Rich Megginson rmeggins at redhat.com
Wed Sep 23 20:27:39 UTC 2009


Kambiz Aghaiepour wrote:
> I've established a windows sync agreement on my IPA master server using:
>
> ipa-replica-manage add --winsync --win-subtree='cn=users,dc=mcnc,dc=org'
> --binddn cn=someusergoeshere,cn=users,dc=mcnc,dc=org --bindpw
> nottherealpassword --cacert /root/my.cert --passsync=someotherpass
> myadserver.mcnc.org -v
>
>
> Everything seems fine so far, but I have a few questions about the setup.
>   
This should answer most of the questions below
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html

The main differences are that in IPA
* IPA will only sync user data - not groups
* IPA will not send new users to AD - the users must also be added to 
AD, at which point changes to that user will be sync'd between IPA and AD
** The sync key is the uid, which must be the same as the samAccountName 
on the AD side
* IPA will sync new users added to AD - IPA will change the DN and schema
** IPA will flatten the DN, removing any ou RDNs, and (optionally) store 
these in the ou attribute in the user entry
* IPA will be able to force all users to be in sync with the AD 
counterpart (IPA uid == AD samAccountName)
** forceSync option

> 1) It appears that users on the AD side that did not exist already on IPA
> get created upon the initial full sync.  Is there any way to turn off
> this behavior?
>
> 2) Also, new users that are created in AD are created in IPA. Can this
> behavior be turned off (I think this is the same setting as #1).
>
> 3) Will new users that are created in IPA be created in AD?
>   
No - see above
> 4) Will a user previously created in AD be automatically deleted from
> IPA when the user is deleted from AD?
>   
yes
> 5) Will the user be deleted from AD if the user's entry is deleted in IPA?
>
> 6) What does ntUserDeleteAccount: true   do?
>
> Thanks
> Kambiz
>
>   
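
The account mapping described in the reply above, as an added example that is not part of the original message and not FreeIPA's own code: it pairs constructed AD entries with IPA uids on the sync key (uid == samAccountName) and shows the flattened DN with the ou values that were removed. The container `cn=users,cn=accounts,dc=mcnc,dc=org`, the function names, the case-insensitive key comparison and all sample accounts are assumptions.

```python
# Assumption: IPA user container for this deployment's suffix.
IPA_USER_BASE = "cn=users,cn=accounts,dc=mcnc,dc=org"

def split_rdns(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def flatten(ad_dn, sam):
    """Return (flat IPA DN, ou values removed from the AD DN)."""
    pairs = [r.split("=", 1) for r in split_rdns(ad_dn)]
    ous = [v for k, v in pairs if k.strip().lower() == "ou"]
    return f"uid={sam},{IPA_USER_BASE}", ous

def plan_sync(ad_users, ipa_uids):
    """Classify accounts by sync key; comparison is case-insensitive (assumption)."""
    ipa = {u.casefold() for u in ipa_uids}
    ad = {sam.casefold() for _, sam in ad_users}
    # ipa_only: exists only in IPA, so per the reply it is not sent to AD.
    plan = {"linked": [], "created_in_ipa": [], "ipa_only": sorted(ipa - ad)}
    for dn, sam in ad_users:
        key = "linked" if sam.casefold() in ipa else "created_in_ipa"
        plan[key].append(flatten(dn, sam))
    return plan

# Constructed sample data, not taken from the thread.
AD_USERS = [
    ("CN=Jane Doe,OU=Staff,OU=Raleigh,DC=mcnc,DC=org", "jdoe"),
    ("CN=Smith\\, Bob,CN=Users,DC=mcnc,DC=org", "bsmith"),
]
IPA_UIDS = ["jdoe", "svc-ipa"]

if __name__ == "__main__":
    for state, entries in plan_sync(AD_USERS, IPA_UIDS).items():
        print(state, entries)
```

Running it before the first full sync lists which AD accounts would appear as new IPA users and which IPA accounts have no AD counterpart.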
