[Freeipa-users] syncing users more not limited to a subtree
Rob Crittenden
rcritten at redhat.com
Fri Feb 10 20:10:29 UTC 2012
Rich Megginson wrote:
> On 02/10/2012 11:41 AM, Dmitri Pal wrote:
>> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>>> On 02/10/2012 04:01 AM, David Juran wrote:
>>>> Hello
>>>>
>>>> I wonder if it's somehow possible to sync AD-users more selectively
>>>> then
>>>> just by sub-tree. In my case, I'm dealing with a very large
>>>> organisation
>>>> where the users that are to be synced to IPA aren't grouped by a
>>>> subtree
>>>> in AD but rather spread out. Can this be handled somehow?
>>>>
>>> I don't think so, but can you provide some examples?
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Rich, can one create two different winsync agreements that use different
>> sub trees on the AD side?
> Yes, if they also use two different sub trees on the IPA side.
> Otherwise, you have two different winsync agreements covering the same
> ipa subtree - I have no idea what would happen.
>> If there anything that would prevent it to
>> work? May be it should be done from 2 IPA replicas?
> You might still have problems with that scenario, just delayed. That is,
> the ipa subtree is the same on both replicas, so you still have the same
> problem, just delayed by the speed of replication.
>
> The only way to know for sure would be to get some concrete examples,
> then try it out.
I'll just add that we don't currently support multiple winsync
agreements against the same AD server. I opened a ticket on this yesterday.
rob
More information about the Freeipa-users
mailing list