[Freeipa-users] ad relation with winsync
Nicolas Zin
nicolas.zin at savoirfairelinux.com
Thu Feb 12 08:49:34 UTC 2015
> The is is treated as the ultimate source so adds should go only from AD
> to IPA but you need the modify to work both ways otherwise your account
> state will get out of sync.
> Whatever is required by docs is the minimal privilege you need to have
> to sync users.
>
> However did you consider trust?
> It is a two way trust but it acts as a one way trust.
I know, but my customer doesn't want a two-way trust, whatever it means:
- he fears some security concerns with a two-way.
- if he migrates his AD to a new version or new topology, he fears he will encounter some migration path issues
So it has been decided to go the winsync way.
btw, I managed to get my one-way replication working, with fewer privileges, following http://directory.fedoraproject.org/docs/389ds/howto/howto-windowssync.html#creating-ad-user-with-replication-rights
Thank you
Nicolas