[Freeipa-users] Sync from AD towards FreeIPA directory server

Rich Megginson rmeggins at redhat.com
Tue Nov 4 16:11:00 UTC 2014


On 11/04/2014 04:18 PM, Edouard Guigné wrote:
> Hello FreeIPA Users,
>
> I am trying to get a sync working between my AD (Windows 2008 R2) and my 
> FreeIPA (Fedora 20) server.
> My goal is to retrieve all my AD users in the FreeIPA database.
>
> 1. With "ipa-replica-manage connect --winsync ...", I succeeded in 
> copying users from AD to FreeIPA (via the sync agreement).
> But passwords have not been synced. I had to reset the password in IPA to 
> enable user login in the FreeIPA domain.
> Is this a normal issue? Is there any way to sync passwords?

I think this is a normal issue when using the PassSync.msi on AD and 
winsync (as opposed to trusts or another mechanism).

>
> 2. I then tried to sync POSIX attributes (from my AD, which has the 
> "Subsystem for UNIX-based Applications") into the FreeIPA server by 
> activating the posix winsync plugin.
> I would like to extract attributes from my AD like :
> - uidNumber
> - gidNumber
> - unixHomeDirectory
> - loginShell
> - msSFU30NisDomain
>
> With posix winsync activated, the sync does not work at all... no AD 
> users are synced.
> What is missing to enable it? I followed the documentation here:
> http://www.port389.org/docs/389ds/design/winsync-posix.html
>
> And enabled the plugin this way (simple bind, so -x is required with the 
> OpenLDAP ldapmodify; without it the client tries SASL and ignores -D):
> ldapmodify -x -D "cn=directory manager" -w xxxxx
> dn: cn=Posix Winsync API,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on

Hmm - it should work.
What version of 389 are you using?
rpm -q 389-ds-base

I suggest trying it again with the replication logging level turned on - 
http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting - and seeing 
whether there are any clues in the errors log.


>
> Ed
>
>
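The enable-and-trace procedure Rich suggests, as an added shell example that is not part of the thread and is not FreeIPA or 389 DS project code: it builds the two LDIF modifications (enable the Posix Winsync API plugin; set nsslapd-errorlog-level to 8192, the replication debugging level), wraps the ldapmodify call, and sifts a constructed errors-log sample for the lines worth reading. The host names, the instance name in the comments and the sample log lines are assumptions, not output from a real server.

```shell
#!/bin/sh
# Added example (not from the list post). Assumed names: ldap://localhost,
# ad.example.test, dirsrv instance EXAMPLE-TEST. Sample log lines below are
# constructed to show the shape of a trace, not copied from a real server.
set -eu

# LDIF that enables the Posix Winsync API plugin (same modify as in the post).
# On 389 DS of that era a plugin enable/disable takes effect only after a
# restart of the instance, e.g. "systemctl restart dirsrv@EXAMPLE-TEST".
posix_winsync_ldif() {
    cat <<'EOF'
dn: cn=Posix Winsync API,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
}

# LDIF that sets the errors-log level. 8192 is the replication level in
# 389 DS; pass 0 (the default) to switch the verbose trace off again once the
# winsync run has been captured, as it logs every replicated change.
replication_loglevel_ldif() {
    level="${1:-8192}"
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: ${level}
EOF
}

# Apply an LDIF (read from stdin) over a simple bind as Directory Manager.
# -x forces a simple bind (the OpenLDAP client defaults to SASL), -W prompts
# for the password so it does not end up in shell history or "ps" output.
apply_ldif() {
    uri="${1:-ldap://localhost}"
    ldapmodify -x -H "$uri" -D "cn=directory manager" -W
}

# Keep only the errors-log lines produced by the POSIX plugin or the winsync
# agreement. Reads the errors log on stdin; prints nothing when there are no
# hits instead of failing the pipeline.
winsync_log_hits() {
    grep -iE 'posix|winsync' || true
}

# Constructed sample of an errors log (shape only, not a real 389 DS trace).
SAMPLE_LOG='[04/Nov/2014:16:00:01 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[04/Nov/2014:16:00:02 +0000] NSMMReplicationPlugin - agmt="cn=meToad.example.test" (ad:389): winsync: starting update
[04/Nov/2014:16:00:02 +0000] posix-winsync - posix_winsync_init: plugin loaded
[04/Nov/2014:16:00:03 +0000] - slapd shutting down - signaling operation threads'

# Runs the live procedure only when asked for, so the helpers above can be
# inspected on a machine without a directory server.
if [ "${APPLY:-0}" = 1 ]; then
    rpm -q 389-ds-base                                   # version Rich asked for
    posix_winsync_ldif        | apply_ldif ldap://localhost
    replication_loglevel_ldif | apply_ldif ldap://localhost
    # Then: restart the instance, re-run the sync from the AD side of the
    # agreement, and read the trace:
    #   systemctl restart dirsrv@EXAMPLE-TEST
    #   ipa-replica-manage re-initialize --from ad.example.test
    #   winsync_log_hits < /var/log/dirsrv/slapd-EXAMPLE-TEST/errors
    # and finally: replication_loglevel_ldif 0 | apply_ldif ldap://localhost
else
    printf '%s\n' "$SAMPLE_LOG" | winsync_log_hits
fi
```

Run it with `APPLY=1` on the IPA server to apply the changes; without it, the script only prints the two sample lines the filter keeps. Note that a full re-initialization from AD re-creates the synced entries, so run it in a maintenance window and keep the log level raised only for that run.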
