[Freeipa-users] Questions about AD Synchronization

Rob Crittenden rcritten at redhat.com
Sun Feb 12 23:01:45 UTC 2012


Dmitri Pal wrote:
> On 02/12/2012 03:49 PM, Marco Pizzoli wrote:
>> Hi guys,
>> a couple of questions about AD synchronization.
>>
>> I read in the guide these points:
>> - A synchronization operation runs every five minutes. --> I read that
>> it can be triggered on demand, but is it possible to change the value
>> of this frequency?
>
> I think it is configurable. You might want to check port389 wiki for
> more details.

I seem to recall it is hardcoded and an RFE was opened on it but I can't 
find it.

winsync uses a pull model so the only immediate mode may be from IPA to AD.

>> - Synchronization can only be configured with one Active Directory
>> domain. Multiple domains are not supported. --> Will they be in a
>> future version?
>
> No plans as we are working on trusts and trusts would make
> synchronization not needed.

Currently only one winsync agreement is allowed on one IPA server to an 
AD server at a time (there is a ticket to allow multiples 
https://fedorahosted.org/freeipa/ticket/2358)

It would probably work to have two AD agreements on two separate IPA 
instances though. We don't care what realm the remote AD servers are in.

>> - While modifications are bi-directional (going both from Active
>> Directory to FreeIPA and from FreeIPA to Active Directory), new
>> accounts are only uni-directional. New accounts created in Active
>> Directory are synchronized over to FreeIPA. However, user accounts
>> created in FreeIPA must also be added in Active Directory before they
>> will be synchronized.
>> ---> What is the origin of this restriction? I mean, why can't a user
>> be created in AD by FreeIPA?
>>
>
> Time and materials mostly - the support cost is the origin of this
> restriction. It potentially could be done and DS does this but the
> use case for IPA is different and dominated by AD so it does not make
> sense to build a solution when in 95 percent the sync would go from AD
> to IPA as people already have users there.
>
>>
>> And another question, not related to the synchronization:
>> - In the FreeIPA 389-ds I see the "DUA Config Profile" objectClass
>> used. To learn what it is I already read RFC#4876. Now I would
>> like to have a look at a document/draft/etc.. about its use within
>> FreeIPA. Is it available anywhere? If not, could someone give some
>> explanation?
>>

A DUA profile is created and is currently used by Solaris clients that 
can join using the ldapinit tool. I believe that HP-UX can also use this 
profile. This entry looks like:

dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: rawhide.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default

rob
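As an added example, not code from the post or from FreeIPA itself: a small Python parser that reads the DUA profile entry above the way an RFC 4876 client would, resolving the serviceSearchDescriptor and objectclassMap syntax and recording whether the profile tells clients to bind anonymously (authenticationMethod: none). The function and field names are my own; the attribute syntax follows RFC 4876.

```python
# Added example, not from the thread: parses the quoted DUAConfigProfile entry (embedded inline).
from typing import Dict, List

SAMPLE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: rawhide.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
"""

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """One LDIF entry -> {lowercased attribute name: [values]}."""
    attrs: Dict[str, List[str]] = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def parse_ssd(value: str, default_scope: str) -> dict:
    """serviceSearchDescriptor syntax: service:base[?scope[?filter]] (RFC 4876)."""
    service, _, spec = value.partition(":")
    base, scope, flt = (spec.split("?") + ["", ""])[:3]
    return {"service": service, "base": base, "scope": scope or default_scope, "filter": flt}

def parse_ocmap(value: str) -> dict:
    """objectclassMap syntax: service:fromClass=toClass (RFC 4876)."""
    service, _, mapping = value.partition(":")
    src, _, dst = mapping.partition("=")
    return {"service": service, "from": src, "to": dst}

def load_profile(text: str) -> dict:
    attrs = parse_ldif_entry(text)
    if "duaconfigprofile" not in (v.lower() for v in attrs.get("objectclass", [])):
        raise ValueError("entry is not a DUAConfigProfile")
    scope = attrs.get("defaultsearchscope", ["one"])[0]  # RFC 4876 default scope
    auth = attrs.get("authenticationmethod", ["none"])[0].lower()
    return {"servers": attrs.get("defaultserverlist", [""])[0].split(),
            "base": attrs.get("defaultsearchbase", [""])[0],
            "services": {d["service"]: d for d in
                         (parse_ssd(v, scope) for v in attrs.get("servicesearchdescriptor", []))},
            "objectclass_map": [parse_ocmap(v) for v in attrs.get("objectclassmap", [])],
            "auth": auth,
            "anonymous_bind": auth == "none",  # the setting a reviewer checks first
            "follow_referrals": attrs.get("followreferrals", ["FALSE"])[0].upper() == "TRUE"}
```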
