[Freeipa-users] is it possible to use 'ipa-replica' to sync userbetween different suffix AD and IPA domain?

Petr Vobornik pvoborni at redhat.com
Sun May 1 18:46:02 UTC 2016 

On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
> 
> Thanks for your quickly reply.
> 
> I want to integrated linux servers with existed AD, centralized manage HBAC/Sudo 
> rules.
> 
> So i have setup a standalone IPA server with domain 'example.net', trying to 
> sync users from existed AD to it with following cmd:
> 
> ipa-replica-manage connect --winsync 
> --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX' 
> --passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer' 
> --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
> 
> 
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the
steps described in section 7.4 of Windows integration guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> 
> 
> For 'trusts' integration method, since user did not sync to IPA at all, how to 
> set sudo/HBAC rules for users? I have not tried it.
> 
> 
> Matrix
> 
> 
> 
> 
> ------------------ Original ------------------
> *From: * "Petr Vobornik";<pvoborni at redhat.com>;
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"<matrix.zj at qq.com>; "freeipa-users"<freeipa-users at redhat.com>;
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync 
> userbetween different suffix AD and IPA domain?
> 
> On 04/28/2016 04:44 PM, Matrix wrote:
>  > Hi, all
>  >
>  > I am trying to do a centrelized solution
>  >
>  > AD domain is 'examplemedia.net'
>  >
>  > IPA domain is 'example.net'
>  >
>  > After ipa-replica has been established, i found that nothing has been synced
>  > from AD to IPA.
>  >
>  > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>  >
>  > I doubt that for different suffix is supported ?  If so, anyone can show some
>  > hint for me to investigate more?
>  >
>  > Thanks for your kindly help.
>  >
>  > Matrix
> 
> Hello,
> 
> what is your goal and current setup?
> 
> By "ipa-replica has been established" do you mean that you installed a
> new currently standalone IPA server? And connected it somehow with AD?
> 
> Or did you run `ipa-replica-manage connect --winsync ...`
> 
> It would be good to mention that IPA server[1] cannot be a replica of an
> AD server. But it can integrate with it. Either by using
> winsync(synchronization) or the recommended solution: Trusts [2].
> 
> Documentation:
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
> 
> HTH
> -- 
> Petr Vobornik
> 


-- 
Petr Vobornik

More information about the Freeipa-users mailing list