[Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

Matrix matrix.zj at qq.com
Tue May 3 06:48:46 UTC 2016


Hi, Petr

All steps listed in section 7.4 of the Windows Integration Guide have been done.

The user for sync is 'cn=ipa,cn=users,dc=examplemedia,dc=net'

and I have verified it with ldapsearch; the detailed command is below:
# ldapsearch -H ldap://ipaad.examplemedia.net -D 'cn=ipa,cn=users,dc=examplemedia,dc=net' -w 'RedHat1!' -b "cn=users,dc=examplemedia,dc=net" -LLL -ZZ


The sync agreement was created with:

# ipa-replica-manage connect --winsync --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='RedHat1!' --passsync='redhatredhat' --cacert='/etc/openldap/cacerts/ad.cer' --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net

After it was created, I also force-synced it:

# ipa-replica-manage force-sync --from=ipaad.examplemedia.net
Directory Manager password:


ipa: INFO: Setting agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config

# echo $?
0

No error was reported. Is there any debug info or log I can provide for further analysis?


Thanks


Matrix




------------------ Original ------------------
From:  "Petr Vobornik";<pvoborni at redhat.com>;
Date:  Mon, May 2, 2016 02:46 AM
To:  "Matrix"<matrix.zj at qq.com>; "freeipa-users"<freeipa-users at redhat.com>; 

Subject:  Re: [Freeipa-users] is it possible to use 'ipa-replica' to syncuserbetween different suffix AD and IPA domain?



On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
> 
> Thanks for your quick reply.
> 
> I want to integrate Linux servers with the existing AD and centrally manage HBAC/Sudo 
> rules.
> 
> So I have set up a standalone IPA server with domain 'example.net', trying to 
> sync users from the existing AD to it with the following command:
> 
> ipa-replica-manage connect --winsync 
> --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX' 
> --passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer' 
> --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
> 
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the
steps described in section 7.4 of the Windows Integration Guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> 
> 
> For the 'trusts' integration method, since users are not synced to IPA at all, how do I 
> set sudo/HBAC rules for users? I have not tried it.
> 
> 
> Matrix
> 
> 
> 
> 
> ------------------ Original ------------------
> *From: * "Petr Vobornik";<pvoborni at redhat.com>;
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"<matrix.zj at qq.com>; "freeipa-users"<freeipa-users at redhat.com>;
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync 
> user between different suffix AD and IPA domain?
> 
> On 04/28/2016 04:44 PM, Matrix wrote:
>  > Hi, all
>  >
>  > I am trying to do a centralized solution
>  >
>  > AD domain is 'examplemedia.net'
>  >
>  > IPA domain is 'example.net'
>  >
>  > After ipa-replica has been established, I found that nothing has been synced
>  > from AD to IPA.
>  >
>  > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>  >
>  > I doubt that a different suffix is supported? If so, can anyone give me some
>  > hints to investigate further?
>  >
>  > Thanks for your kind help.
>  >
>  > Matrix
> 
> Hello,
> 
> what is your goal and current setup?
> 
> By "ipa-replica has been established" do you mean that you installed a
> new, currently standalone, IPA server and connected it somehow with AD?
> 
> Or did you run `ipa-replica-manage connect --winsync ...`?
> 
> It would be good to mention that an IPA server [1] cannot be a replica of an
> AD server. But it can integrate with it, either by using
> winsync (synchronization) or the recommended solution: Trusts [2].
> 
> Documentation:
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
> 
> HTH
> -- 
> Petr Vobornik
> 


-- 
Petr Vobornik