[Freeipa-users] Questions about AD Synchronization

Rich Megginson rmeggins at redhat.com
Mon Feb 13 15:40:54 UTC 2012


On 02/12/2012 04:01 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 02/12/2012 03:49 PM, Marco Pizzoli wrote:
>>> Hi guys,
>>> a couple of questions about AD synchronization.
>>>
>>> I read in the guide these points:
>>> - A synchronization operation runs every five minutes. --> I read that
>>> it can be triggered on demand, but is it possible to change the value
>>> of this frequency?
>>
>> I think it is configurable. You might want to check port389 wiki for
>> more details.
>
> I seem to recall it is hardcoded and an RFE was opened on it but I 
> can't find it out.
>
> winsync uses a pull model so the only immediate mode may be from IPA 
> to AD.
The attribute is called "winSyncInterval" - by default the value is 300 
seconds.  See
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Modifying_the_Sync_Agreement.html#syncagmt-cmd
>
>>> - Synchronization can only be configured with one Active Directory
>>> domain. Multiple domains are not supported. --> Will they be in a
>>> future version?
>>
>> No plans as we are working on trusts and trusts would make
>> synchronization not needed.
>
> Currently only one winsync agreement is allowed on one IPA server to 
> an AD server at a time (there is a ticket to allow multiples 
> https://fedorahosted.org/freeipa/ticket/2358)
>
> It would probably work to have two AD agreements on two separate IPA 
> instances though. We don't care what realm the remote AD servers are in.
>
>>> - While modifications are bi-directional (going both from Active
>>> Directory to FreeIPA and from FreeIPA to Active Directory), new
>>> accounts are only uni-directional. New accounts created in Active
>>> Directory are synchronized over to FreeIPA. However, user accounts
>>> created in FreeIPA must also be added in Active Directory before they
>>> will be synchronized.
>>> ---> What is the origin of this restriction? I mean, why can't a user
>>> be created in AD by FreeIPA?
>>>
>>
>> Time and materials mostly - the support cost is the origin of this
>> restriction. It could potentially be done, and DS does this, but the
>> use case for IPA is different and dominated by AD, so it does not make
>> sense to build a solution when in 95 percent of cases the sync would go
>> from AD to IPA, as people already have users there.
>>
>>>
>>> And another question, not related to the synchronization:
>>> - In the FreeIPA 389-ds I see the "DUA Config Profile" objectClass
>>> being used. To learn what it is I already read RFC#4876. Now I would
>>> like to have a look at a document/draft/etc. about its use within
>>> FreeIPA. Is it available anywhere? If not, could someone give some
>>> explanation?
>>>
>
> A DUA profile is created and is currently used by Solaris clients that 
> can join using the ldapinit tool. I believe that HP/ux can also use 
> this profile. This entry looks like:
>
> dn: cn=default,ou=profile,dc=example,dc=com
> defaultServerList: rawhide.example.com
> defaultSearchBase: dc=example,dc=com
> objectClass: top
> objectClass: DUAConfigProfile
> serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
> searchTimeLimit: 15
> followReferrals: TRUE
> objectclassMap: shadow:shadowAccount=posixAccount
> bindTimeLimit: 5
> authenticationMethod: none
> cn: default
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
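Two things in this thread are concrete enough to show in code: the winSyncInterval change Rich points at, and what the DUA profile entry Rob posted actually instructs a client to do. The block below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. It renders the ldapmodify LDIF for the interval change (the agreement name "meToAD", the suffix and the host ipa.example.com are assumptions; the DN shape follows the Red Hat DS guide linked above), and it parses the posted DUA profile, embedded here as the sample input, into the settings a Solaris/HP-UX client derives from it. Python is used because FreeIPA's own tooling is Python.

```python
"""Added example (not code from the thread, FreeIPA or 389-ds): render the
ldapmodify LDIF that changes winSyncInterval on a winsync agreement, and parse
the DUA profile entry posted above into what a client will do with it.
The agreement name, suffix and server host are assumptions."""
import base64
import re

# 389-ds keeps each winsync agreement as an entry under the suffix's replica
# entry in cn=config.  The agreement name "meToAD" and the suffix are assumed.
AGREEMENT_DN = 'cn=meToAD,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'


def valid_interval(seconds):
    """winSyncInterval is a whole number of seconds (the default is 300)."""
    return isinstance(seconds, int) and not isinstance(seconds, bool) and seconds > 0


def winsync_interval_ldif(agreement_dn, seconds):
    """Render the LDIF that ldapmodify applies to change the pull interval.

    winsync pulls from AD, so this interval bounds how long a change made in
    AD (a disabled account, a password change) stays invisible to IPA; a
    larger value widens that window.  Apply with the OpenLDAP client (host assumed):
        ldapmodify -x -D "cn=Directory Manager" -W -H ldap://ipa.example.com -f interval.ldif
    """
    if not valid_interval(seconds):
        raise ValueError("winSyncInterval must be a positive integer of seconds")
    return (
        f"dn: {agreement_dn}\n"
        "changetype: modify\n"
        "replace: winSyncInterval\n"
        f"winSyncInterval: {seconds}\n"
    )


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Handles folded continuation lines (leading space), base64 values ("::")
    and multi-valued attributes such as objectClass and serviceSearchDescriptor.
    """
    unfolded = re.sub(r"\n ", "", text.strip())
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


# The DUA profile entry exactly as posted in the thread, used as sample input.
DUA_PROFILE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
defaultServerList: rawhide.example.com
defaultSearchBase: dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
"""


def dua_profile_summary(entry):
    """Reduce a DUAConfigProfile entry to the decisions a client makes from it.

    Two things to check before handing this profile to clients: with
    authenticationMethod "none" every passwd/group lookup is an anonymous
    bind, so the directory's anonymous-read ACIs decide what those clients
    see; and the group map points at cn=compat rather than cn=accounts, so
    group membership is served from the compat view.
    """
    search_bases = {}
    for descriptor in entry.get("servicesearchdescriptor", []):
        service, _, base = descriptor.partition(":")
        search_bases[service] = base
    return {
        "servers": entry["defaultserverlist"][0].split(),
        "base": entry["defaultsearchbase"][0],
        "auth": entry.get("authenticationmethod", ["none"])[0],
        "search_bases": search_bases,
        "follow_referrals": entry.get("followreferrals", ["FALSE"])[0] == "TRUE",
        "search_timeout_s": int(entry.get("searchtimelimit", ["0"])[0]),
    }


if __name__ == "__main__":
    print(winsync_interval_ldif(AGREEMENT_DN, 60))
    print(dua_profile_summary(parse_ldif_entry(DUA_PROFILE_LDIF)))
```

Shortening the interval trades directory load against the time an AD-side change (especially a disablement) takes to reach IPA; the summary makes visible that the posted profile sends unauthenticated lookups and reads groups from the compat tree, both of which are worth confirming against the ACIs on the IPA server before Solaris clients are pointed at it.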