[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] winsync agreements, mostly one way.



On 09/17/2012 04:55 PM, Steven Jones wrote:
In section 8.4.5 it talks about making an agreement one way...which is mostly what I want, so everything incl password changes from AD to IPA.   except I want account disabled / enabled to flow both ways.

So if I do a

ldapmodify -x -D "cn=directory manager" -w password -p 389 -h
ipaserver.example.com
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows

Does this effect bi-directional disabling? I assume it does.......

So then I have to do a,

ldapmodify -x -D "cn=directory manager" -w password -p 389 -h
ipaserver.example.com
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
ipaWinSyncAcctDisable: both

is that syntax right?


Winsyc plugin used in IPA comes originally from DS. In the context of IPA it can be only one way so changing this configuration is not something we expect or would work in IPA. In the DS context you can have two way sync of users and groups.

AFAIK (Rich please correct me) we do not replicate the enabled/disabled status from IPA to AD.
Conceptually we think of the AD as authoritative source for the information. Allowing user to be disabled by IPA admin and then replicate this status back violates this model and would sound really dangerous for AD side. Are you sure that even if that would have been allowed your AD admins would actually permit you to do that?

Anyways so far it is one of the limitations of the current product. You can definitely explain the use case in a bit more details and file an RFE. If the use case is compelling we will consider it for the later release.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




_______________________________________________
Freeipa-users mailing list
Freeipa-users redhat com
https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]