[Freeipa-users] syncing users more not limited to a subtree

Rich Megginson rmeggins at redhat.com
Fri Feb 10 18:46:21 UTC 2012


On 02/10/2012 11:41 AM, Dmitri Pal wrote:
> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>> On 02/10/2012 04:01 AM, David Juran wrote:
>>> Hello
>>>
>>> I wonder if it's somehow possible to sync AD-users more selectively then
>>> just by sub-tree. In my case, I'm dealing with a very large organisation
>>> where the users that are to be synced to IPA aren't grouped by a subtree
>>> in AD but rather spread out. Can this be handled somehow?
>>>
>> I don't think so, but can you provide some examples?
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Rich, can one create two different winsync agreements that use different
> sub trees on the AD side?
Yes, if they also use two different sub trees on the IPA side.  
Otherwise, you have two different winsync agreements covering the same 
ipa subtree - I have no idea what would happen.
> If there anything that would prevent it to
> work? May be it should be done from 2 IPA replicas?
You might still have problems with that scenario, just delayed.  That 
is, the ipa subtree is the same on both replicas, so you still have the 
same problem, just delayed by the speed of replication.

The only way to know for sure would be to get some concrete examples, 
then try it out.




More information about the Freeipa-users mailing list