[Freeipa-users] nothing sync'ed to AD

Dmitri Pal dpal at redhat.com
Sat Apr 19 16:29:51 UTC 2014


On 04/17/2014 08:38 PM, Will Last wrote:
> Many thanks, Bob, for letting me know that I missed the important 
> point as designed, and for giving me the confidence that my setup is 
> correct after scratching my head for two weeks:-D.
>
> So, is there any solution for my case, i.e., *using an already setup 
> freeipa as the primary service, and AD as the secondary (only for 
> those dependent on AD)*,  in addition to Petr's suggestion to setup 
> freeipa-AD trust? I prefer to maintain user info in freeipa and let AD 
> sync from freeipa. But unfortunately, this is not designed to be so. 
> Did anyone try the idea of export users from freeipa and then import 
> into AD, since they both use LDAP? At least for the initial 
> pseudo/manual sync. It would be great to share your experience with us.
>


We are aware of this use case. It is still quite a rare one, so we have 
not addressed it, as there are more pressing configurations that are more 
common.
Generally our recommendation in this case will be to rely on the 2-way 
trusts, but that is not implemented yet.

The export/import part will work, except for passwords. Password hashes are 
different in AD than in IPA (and standard Kerberos/LDAP), so you can sync 
users but not passwords.
The best option is for you to explore the 389 DS sync setup and try to 
apply it to IPA. But there will be dragons, and it might require some 
development to make the plugins work in the right way. IPA has a plugin 
layered on the base DS plugin, so it might require some adjustment if you 
want to make two-way sync work.
Here is the starting point:
http://port389.org/wiki/Howto:WindowsSync

Thanks
Dmitri

> Thanks!
>
>
> On Thu, Apr 17, 2014 at 10:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Will Last wrote:
>
>         Hi,
>
>         I have got a freeipa server (ipa-server-3.0.0-37) running on
>         centos 6.5 and am trying to set up sync with/to AD on win 2008/R2,
>         basically following
>         https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory.html.
>         The sync agreement is bi-directional by default. But only AD
>         users are sync'ed to freeipa and none of the users on freeipa is
>         sync'ed to ad, which is what I really cared for. Even a
>         re-initialization from AD won't help
>         (ipa-replica-manage re-initialize --from ad.example.com). I have
>         turned debugging on (nsslapd-errorlog-level to 8192), but did not
>         see any obvious clue.
>
>         Thanks in advance for any help!
>
>
>     This is working as designed. IPA-only users are not synced to AD.
>     The bidirectional part is that changes to an AD user synced to IPA
>     on the IPA side will be synced back to AD.
>
>     rob
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
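Dmitri's export/import route, as an added example that is not code from this thread or from the FreeIPA project: a small Python script that turns an IPA user LDIF export into an AD import file. It carries over the plain identity attributes and the RFC 2307 POSIX attributes, drops userPassword and every krb*/ipa* attribute (AD cannot consume IPA's hashes or Kerberos keys), and creates the AD accounts disabled because no usable password can cross over. The sample export, the target OU and the UPN suffix are constructed and hypothetical.

```python
"""IPA user LDIF export -> AD-importable LDIF (added example, not code from
this thread or from FreeIPA). Hypothetical assumptions: the input is an
ldapsearch dump of cn=users,cn=accounts on the IPA server, and the output goes
to ldifde/ldapmodify on a DC whose schema has the RFC 2307 attributes (2008 R2
does). Password material is dropped on purpose, so accounts start disabled."""
import base64
import re
from collections import OrderedDict

# IPA attribute (lower-cased) -> AD attribute. Anything not listed, including
# userPassword and every krb*/ipa* attribute, is silently dropped.
ATTR_MAP = {
    "givenname": "givenName", "sn": "sn", "mail": "mail", "cn": "displayName",
    "uidnumber": "uidNumber", "gidnumber": "gidNumber",
    "loginshell": "loginShell", "homedirectory": "unixHomeDirectory",
}

# Constructed sample export (not a real dump): a folded line in the first
# entry and a base64 (::) value in the second, both legal LDIF.
SAMPLE_IPA_LDIF = """\
dn: uid=wlast,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: wlast
givenName: Will
sn: Last
cn: Will Last
mail: wlast@exa
 mple.com
uidNumber: 1234000001
gidNumber: 1234000001
homeDirectory: /home/wlast
krbPrincipalName: wlast@IPA.EXAMPLE.COM
userPassword: {SSHA}c29tZS1oYXNoLXRoYXQtbWVhbnMtbm90aGluZw==
krbPrincipalKey:: MIIBAAECAwQ=
ipaUniqueID: 1b2f0e3a-0000-0000-0000-000000000000

dn: uid=jdoe,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: jdoe
givenName: Jane
sn: Doe
cn:: SmFuZSBEw7Zl
uidNumber: 1234000002
userPassword: {SSHA}YW5vdGhlci1wbGFjZWhvbGRlci1oYXNo
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes :: values."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = OrderedDict()
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
            if m:  # skips comments and anything else that is not attr: value
                name, sep, value = m.groups()
                if sep == "::":  # keep undecodable bytes instead of failing
                    value = base64.b64decode(value).decode("utf-8", "surrogateescape")
                entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def ipa_user_to_ad(entry, users_ou, upn_suffix):
    """Build one AD user add-record from a parsed IPA user entry."""
    uid = entry["uid"][0]
    if len(uid) > 20:  # sAMAccountName (pre-Windows 2000 logon name) limit
        raise ValueError(f"uid {uid!r} is too long for sAMAccountName")
    ad = OrderedDict(dn=[f"CN={uid},{users_ou}"], changetype=["add"])
    ad["objectClass"] = ["top", "person", "organizationalPerson", "user"]
    ad["cn"], ad["sAMAccountName"] = [uid], [uid]
    ad["userPrincipalName"] = [f"{uid}@{upn_suffix}"]
    for src, dst in ATTR_MAP.items():
        if src in entry:
            ad[dst] = list(entry[src])
    # 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2): no password crossed
    # over, so the account stays disabled until one is set over LDAPS.
    ad["userAccountControl"] = ["514"]
    return ad

def to_ldif(entries):
    """Serialise records, base64-encoding values that are not LDIF-safe."""
    blocks = []
    for entry in entries:
        lines = []
        for name, values in entry.items():
            for v in values:
                safe = (v.isascii() and v.isprintable() and not v.endswith(" ")
                        and not v.startswith((" ", ":", "<")))
                lines.append(f"{name}: {v}" if safe
                             else f"{name}:: {base64.b64encode(v.encode()).decode()}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def convert(ipa_ldif, users_ou="OU=ipa-users,DC=ad,DC=example,DC=com",
            upn_suffix="ad.example.com"):
    """IPA export text -> AD import text (OU and UPN suffix are assumptions)."""
    return to_ldif(ipa_user_to_ad(e, users_ou, upn_suffix) for e in parse_ldif(ipa_ldif))

if __name__ == "__main__":
    print(convert(SAMPLE_IPA_LDIF))  # save this and import it on the DC
```

The output is meant for ldifde -i or ldapmodify -a on the domain controller. Because the accounts arrive with userAccountControl 514, nobody can log on with them until a password is set; do that per user through unicodePwd over LDAPS (AD refuses password writes on a clear connection) or a helpdesk reset, then clear the ACCOUNTDISABLE bit, rather than importing users enabled with an empty or shared initial password.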
