[Freeipa-users] winsync agreements, mostly one way.

Rich Megginson rmeggins at redhat.com
Mon Sep 17 21:43:39 UTC 2012


On 09/17/2012 03:34 PM, Steven Jones wrote:
> Hi,
>
> I'm confused as section 8.4.5 page 182 first para....
>
> of the Red Hat admin guide for IPA says this (it's 
> bi-directional).....so that section needs updating?
In IPA, adding users is uni-directional, from AD to IPA.  However, once 
the users are in sync, updates are bi-directional.  This includes 
account disable, which syncs both directions.
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com 
> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal 
> [dpal at redhat.com]
> *Sent:* Tuesday, 18 September 2012 9:22 a.m.
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreements, mostly one way.
>
> On 09/17/2012 04:55 PM, Steven Jones wrote:
>> In section 8.4.5 it talks about making an agreement one way...which 
>> is mostly what I want, so everything incl password changes from AD to 
>> IPA.   except I want account disabled / enabled to flow both ways.
>>
>> So if I do a
>>
>> ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> add: oneWaySync
>> oneWaySync: fromWindows
>>
>> Does this affect bi-directional disabling? I assume it does.......
>>
>> So then I have to do a,
>>
>> ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: ipaWinSyncAcctDisable
>> ipaWinSyncAcctDisable: both
>>
>> is that syntax right?
>>
>
> The Winsync plugin used in IPA comes originally from DS. In the context of 
> IPA it can be only one way, so changing this configuration is not 
> something we expect or would work in IPA. In the DS context you can 
> have two-way sync of users and groups.
>
> AFAIK (Rich please correct me) we do not replicate the 
> enabled/disabled status from IPA to AD.
> Conceptually we think of the AD as the authoritative source for the 
> information. Allowing a user to be disabled by an IPA admin and then 
> replicating this status back violates this model and would sound really 
> dangerous for the AD side. Are you sure that even if that had been 
> allowed your AD admins would actually permit you to do that?
>
> Anyways, so far it is one of the limitations of the current product. 
> You can definitely explain the use case in a bit more detail and file 
> an RFE. If the use case is compelling we will consider it for a 
> later release.
>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
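Before changing either setting it is worth dumping the current configuration and checking which entry actually carries each attribute. The following is an added example, not code from this thread or from FreeIPA/389-ds: it parses the LDIF that `ldapsearch -LLL` prints (the sample below is constructed; the sync-agreement DN and its attributes are assumptions illustrating where 389-ds keeps `oneWaySync`, the plugin DN is the one from the thread), reports `oneWaySync` and `ipaWinSyncAcctDisable` with the DN each was found on, and builds a modify LDIF that always includes the operation line (`replace:`) that the second snippet in the thread left out.

```python
"""Audit and change IPA winsync settings from LDIF (added example).

Not code from the thread, FreeIPA or 389-ds. It parses `ldapsearch -LLL`
output, reports the two settings discussed above and builds a correct
`changetype: modify` LDIF for ldapmodify.
"""
import base64
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# Constructed sample output. The plugin DN is the one from the thread; the
# agreement DN, host and description are assumptions (389-ds keeps
# oneWaySync on the sync agreement, not on the plugin entry).
SAMPLE_LDIF = """\
dn: cn=ipa-winsync,cn=plugins,cn=config
cn: ipa-winsync
nsslapd-pluginEnabled: on
ipaWinSyncAcctDisable: both
ipaWinSyncUserFlatten: true

dn: cn=meToAD,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=con
 fig
objectClass: nsDSWindowsReplicationAgreement
nsDS5ReplicaHost: ad.example.com
oneWaySync: fromWindows
description:: QUQgc3luYyBhZ3JlZW1lbnQ=
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into (dn, attributes) pairs.

    Handles folded lines (continuation lines start with one space) and
    base64 values ("attr:: ..."). Attribute names are lower-cased because
    LDAP attribute names are case-insensitive.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries: List[Entry] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:              # sentinel flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def sync_settings(entries: List[Entry]) -> Dict[str, Tuple[str, str]]:
    """Return {attribute: (dn, value)} for the two settings from the thread."""
    found: Dict[str, Tuple[str, str]] = {}
    for dn, attrs in entries:
        for attr in ("onewaysync", "ipawinsyncacctdisable"):
            if attr in attrs:
                found[attr] = (dn, attrs[attr][0])
    return found


def modify_ldif(dn: str, attr: str, value: str, op: str = "replace") -> str:
    """Build a modify LDIF; the operation line before the value is mandatory."""
    if op not in ("add", "replace", "delete"):
        raise ValueError("op must be add, replace or delete")
    return f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n{attr}: {value}\n-\n"


if __name__ == "__main__":
    for attr, (dn, value) in sync_settings(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{attr} = {value}  (on {dn})")
    # Feed this to: ldapmodify -x -D "cn=directory manager" -y passfile ...
    # (-y reads the password from a file instead of exposing it in argv)
    print(modify_ldif("cn=ipa-winsync,cn=plugins,cn=config",
                      "ipaWinSyncAcctDisable", "both"))
```

The generated LDIF goes to `ldapmodify` on stdin; reading the Directory Manager password from a file with `-y` rather than `-w password` keeps it out of the process list and shell history.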
