[Freeipa-users] Extra attributes for sync agreement AD to FreeIPA

Dmitri Pal dpal at redhat.com
Fri Oct 31 18:24:19 UTC 2014

On 10/31/2014 11:49 AM, Rob Crittenden wrote:
> Edouard Guigné wrote:
>> Hello Rob,
>> Thank you for your answer.
>> Do you mean it should already work ?
>> Or I have to do this on the FreeIPA server :
>> rm /etc/dirsrv/slapd-INSTNAME/schema/10rfc2307.ldif
>> cp /usr/share/dirsrv/data/10rfc2307bis.ldif /etc/dirsrv/slapd-INSTNAME/schema
> Sorry, I guess I was a little terse.
> The nisDomain is already defined for IPA so you can skip that bit.
> The Posix Winsync Plugin is disabled by default. You'll need to enable
> it and configure it to match your environment. See the wiki page for
> configuration details.
> You can either enable and configure it online by using ldapmodify and
> binding as the Directory Manager or by shutting down 389-ds and
> modifying dse.ldif, then restarting it (or use a tool like Apache
> Directory Studio).
> rob
>>
>> Best Regards, have a nice weekend.
>> Ed
>> On 31/10/2014 16:04, Rob Crittenden wrote:
>>> Edouard Guigné wrote:
>>>> Hello freeipa Users,
>>>> I am working on a sync agreement between AD server -> FreeIPA server
>>>> (fedora 20)
>>>> I followed the documentation, and my sync works between AD -> FreeIPA with
>>>> "ipa-replica-manage connect --winsync ..."
>>>> However, I would like to extract attributes from my AD like :
>>>> - uidNumber
>>>> - gidNumber
>>>> - unixHomeDirectory
>>>> - loginShell
>>>> - msSFU30NisDomain
>>>> My AD server is 2008 R2 with Subsystem for UNIX-based Applications.
>>>> I would like to retrieve these attributes in my FreeIPA server after sync.
>>>> I had a look on Google, and found information like this:
>>>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-sync-agmt.html#tab.sync-agmt-attrs
>>>> But I did not succeed with it.
>>>> May someone help me ?
>>> It should already work:
>>> http://www.port389.org/docs/389ds/design/winsync-posix.html
>>> rob
I just want to mention that this is not a recommended approach.
While the plugin exists in DS it is not enabled or supported for IPA.
The supported way to deal with POSIX attributes in AD is to use a trust 
with AD rather than sync.
Is this a one time move of the accounts from AD to IPA and you plan to 
turn the plugin off after initial sync?
If not it will be a configuration we would recommend.
If you just want to copy attributes, using ipa migrate-ds or dumping 
accounts into LDIF and then loading the LDIF would be a better option.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
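As an added illustration of the online route Rob describes (ldapmodify bound as Directory Manager, then a restart), and not a script from the thread or from the FreeIPA project, the shell below emits the LDIF that enables the 389-ds Posix Winsync API plugin and checks the result. The plugin entry name and nsslapd-pluginEnabled are the standard 389-ds ones; the posixWinsync* values, the instance name INSTNAME and the ldap://localhost URL are assumptions to be matched to the environment. Note Dmitri's caveat above: this plugin is not a supported IPA configuration, and an AD trust is the supported way to consume POSIX attributes from AD.

```shell
#!/bin/sh
# Added example, not from the original thread. Enables the 389-ds
# "Posix Winsync API" plugin online (bind as Directory Manager), then
# restarts the instance and verifies the entry.
#
# Assumptions (adjust to your environment): instance name INSTNAME,
# server reachable at ldap://localhost, and the posixWinsync* values
# below. With Windows 2008 R2 + SUA the AD side uses the plain
# uidNumber/gidNumber/... attribute names, so the msSFU30 schema
# switch is left off.

LDAP_URL="${LDAP_URL:-ldap://localhost}"
DIRSRV_INSTANCE="${DIRSRV_INSTANCE:-INSTNAME}"
PLUGIN_DN='cn=Posix Winsync API,cn=plugins,cn=config'

# Emit the modify LDIF: turn the plugin on and set its options.
posix_winsync_ldif() {
    cat <<EOF
dn: ${PLUGIN_DN}
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: posixWinsyncMsSFUSchema
posixWinsyncMsSFUSchema: false
-
replace: posixWinsyncMapMemberUID
posixWinsyncMapMemberUID: true
-
replace: posixWinsyncLowerCaseUID
posixWinsyncLowerCaseUID: true
-
replace: posixWinsyncCreateMemberOfTask
posixWinsyncCreateMemberOfTask: true
-
replace: posixWinsyncMapNestedGrouping
posixWinsyncMapNestedGrouping: false
EOF
}

# Apply the LDIF as Directory Manager (prompts for the DM password) and
# restart the instance: enabling a plugin takes effect after a restart
# unless dynamic plugins are turned on.
apply_posix_winsync() {
    posix_winsync_ldif | ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -W
    systemctl restart "dirsrv@${DIRSRV_INSTANCE}"
}

# Read back the plugin entry; exit status 0 when it reports enabled.
check_posix_winsync_enabled() {
    ldapsearch -x -LLL -H "$LDAP_URL" -D "cn=Directory Manager" -W \
        -b "$PLUGIN_DN" -s base nsslapd-pluginEnabled \
        | grep -qi '^nsslapd-pluginEnabled: on$'
}

# Only touch the directory when explicitly asked, so the file can be
# sourced to inspect the LDIF without side effects.
if [ "${1-}" = "apply" ]; then
    apply_posix_winsync
    check_posix_winsync_enabled && echo "Posix Winsync API plugin is enabled"
fi
```

Run it as `sh enable-posix-winsync.sh apply` on the IPA server, or source it and call `posix_winsync_ldif` to review the change first. The same LDIF can be applied offline by stopping the instance and editing dse.ldif, as Rob mentions, but then the file must be edited by hand rather than through ldapmodify.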
