[Freeipa-users] Uni-directional agreements.

Steven Jones Steven.Jones at vuw.ac.nz
Mon Mar 12 01:36:55 UTC 2012


Hi,

Reading section 7.2...this looks like a bi-directional agreement...I want to do a uni-directional agreement, so I want a one-way password sync out of AD into IPA, and when a new user is created, that user gets created in IPA and gets an IPA UID.

So can I set lower permissions? I would assume so....

"7.2. Setting up Active Directory for Synchronization
Synchronizing user accounts alone is enabled within IPA, so all that is necessary is to set up a sync
agreement (Section 7.3.2, “Creating Synchronization Agreements”). On the Windows server, it is
necessary to create the user that the IPA server will use to connect to the Active Directory domain.
The process for creating a user in Active Directory is covered in the Windows server documentation at
http://technet.microsoft.com/en-us/library/cc732336.aspx. The new user account must have the proper
permissions:
• Grant the sync user account Replicating directory changes rights to the synchronized Active
Directory subtree. Replicator rights are required for the sync user to perform synchronization
operations.
Replicator rights are described in http://support.microsoft.com/kb/303972.
• Add the sync user as a member of the Account Operator and Enterprise Read-Only Domain
controller groups. It is not necessary for the user to belong to the full Domain Admin group."

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
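Added example, not part of Steven's post or the quoted Red Hat text: a PowerShell audit that checks a sync account against the minimum rights the quoted section lists (the replication right on the synchronized subtree, membership of the two named groups, and no Domain Admin membership). The account name `ipasync` and the subtree DN are assumed placeholders; it runs on a domain-joined host with the RSAT ActiveDirectory module.

```powershell
# Audit an AD -> IPA sync account for least privilege (added example, not from the post).
Import-Module ActiveDirectory

$SyncUser  = 'ipasync'                       # assumed sAMAccountName of the sync account
$SubtreeDN = 'OU=People,DC=example,DC=com'   # assumed synchronized subtree (placeholder)
# Well-known control access right GUID for "Replicating Directory Changes".
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$user    = Get-ADUser -Identity $SyncUser
$netbios = (Get-ADDomain).NetBIOSName
# Direct group membership only; nested membership would need a recursive query.
$groups  = (Get-ADPrincipalGroupMembership -Identity $user).Name

# Groups the quoted section requires, and groups it says are not necessary.
$required  = @('Account Operators', 'Enterprise Read-only Domain Controllers')
$excessive = @('Domain Admins', 'Enterprise Admins', 'Administrators')

foreach ($g in $required) {
    if ($groups -notcontains $g) { Write-Warning "$SyncUser is missing required group: $g" }
}
foreach ($g in $excessive) {
    if ($groups -contains $g) { Write-Warning "$SyncUser holds a broader group than needed: $g" }
}

# Look for an Allow ACE granting the replication extended right to the sync account
# on the subtree the agreement synchronizes.
$acl = Get-Acl -Path "AD:\$SubtreeDN"
$replAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "$netbios\$($user.SamAccountName)" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $ReplGetChanges
}
if ($replAce) {
    Write-Output "OK: $SyncUser has 'Replicating Directory Changes' on $SubtreeDN"
} else {
    Write-Warning "No 'Replicating Directory Changes' ACE for $SyncUser on $SubtreeDN"
}
```

Run it after creating the sync user and again whenever the agreement is changed; any warning means the account differs from the documented minimum in one direction or the other.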
