[Freeipa-users] Active Directory integration

[Rob Crittenden]

John B. Adams wrote:
> After having some trouble getting free-ipa installed (I hope to document where we got stuck) I can at long last see the existing interface.

Sure, the feedback would be good.

> 
> All I want is one place to keep users and group data for a mixed network with three different active directory instances and
> an increasing number of fedora workstations.
> 
> I need to find out how the active directory two way sync works, and can I sync with the three active directories separately,
> with separate users in each AD, and use Freeipa as the overall main directory server.
> 
> Where would this be documented, do I need to look at it as if its was FDS and find the docs there.
> 
> Or if anyoune could give me a rough outline of the ways that would be good.
> 
> Thanks for the help so far.

We are in the process of updating our documentation now. We are going to 
drop the wiki-based documentation and replace it with plain HTML files. 
This is so we can keep our documentation under better revision control 
and focus on content and not so much on layout.

This revision will include the AD sync docs you are looking for. We hope 
to have this done by the end of the week.

So you want IPA to be essentially the union of all the AD accounts? I 
think that if you never have a user in more than one AD this may work. 
The way the IPA sync works is it only syncs users with a remote AD where 
the remote samAccountName attribute matches the IPA uid. So if your 
users are unique you should never have users from one AD appearing on 
another.

rob