[Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

Dmitri Pal dpal at redhat.com
Mon Mar 17 22:12:42 UTC 2014


On 03/17/2014 06:04 PM, Todd Maugh wrote:
>
> Thanks again, Rich. Is there some good documentation on setting up the
> trust?
>

http://www.freeipa.org/page/IPAv3_testing_AD_trust

> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Monday, March 17, 2014 3:03 PM
> *To:* Todd Maugh; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Has one successfully synched the 
> entirety of their AD to IPA (multiple OUs and or Subtrees)
>
> On 03/17/2014 03:52 PM, Todd Maugh wrote:
>
>     Thanks Rich,
>
>     I am able to create a successful winsync agreement from the top
>     level.
>
>     Unfortunately, when I do this, I do not see any of the accounts
>     from the subtrees populate my IPA server.
>
>
> Ok, so it doesn't work.
>
>
>     Is it possible to have all the subtrees (OUs) live under
>     cn=users? If I make this change to AD, would IPA then sync all the
>     accounts from the subtrees?
>
>
> Yes.
>
>
>     I can't believe I am the first person with this issue or need.
>
>
> You are certainly not - we have a couple of 389 tickets to address this and
> similar issues with winsync.
>
> https://fedorahosted.org/389/ticket/460
>
> Unfortunately, this fix has been targeted for F20 (389-ds-base-1.3.2), 
> and we don't have plans to backport to EL6.
>
> Note that winsync is always going to be more or less painful - it is
> not, was never designed to be, and never will be a full-blown
> meta-directory solution.  For more information:
>
> https://fedorahosted.org/389/query?component=Sync+Service&status=accepted&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority&report=16 
>
> That's why we recommend that the best long term solution is cross 
> domain trust - that removes winsync from the picture.
>
>
>     Thanks again in advance.
>
>     *From:*Rich Megginson [mailto:rmeggins at redhat.com]
>     *Sent:* Monday, March 17, 2014 2:44 PM
>     *To:* Todd Maugh; freeipa-users at redhat.com
>     *Subject:* Re: [Freeipa-users] Has one successfully synched the
>     entirety of their AD to IPA (multiple OUs and or Subtrees)
>
>     On 03/17/2014 03:33 PM, Todd Maugh wrote:
>
>         I'm trying to sync all of my AD to IPA, I don't need to retain
>         any of the original windows directory structure once in IPA.
>
>         I cannot find where to set ipaWinSyncUserFlatten to true (so
>         I'm assuming it's on true by default)
>
>
>     Yes, it is true by default.
>     dn: cn=ipa-winsync,cn=plugins,cn=config
>
>
>
>         I really need to be able to sync more than just the cn=users
>         subtree
>
>
>     There really isn't explicit support for this.  If it doesn't work
>     to set your AD subtree to your root suffix (e.g.
>     dc=domain,dc=com), then it's simply not going to work until 389
>     adds support for that.
>
>
>
>         And I can find no documentation or help online.
>
>
>     Because there probably isn't any.
>
>
>
>         Has anyone had any success or practice with this?
>
>
>     See above.
>
>
>         Thanks
>
>         -Todd
>
>         Todd Maugh
>
>         Sr System Engineer
>
>         *Boingo Wireless*
>
>         *tmaugh at boingo.com*
>
>
>
>
>
>         _______________________________________________
>
>         Freeipa-users mailing list
>
>         Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

