[Freeipa-users] EXTERNAL: Re: OneWaySync Issues

Joseph, Matthew (EXP) matthew.joseph at lmco.com
Wed Jan 23 15:16:41 UTC 2013


Hey,

So if I remove the IPA Password Sync user from the Account Operators then delete a user from IPA it won't replicate to Active Directory.
When I create a user on the Active Directory side it will replicate it to IPA.

So I started testing out the password sync to see if that will work but I am not having any luck with it (even when our password sync user on the windows side is added to Account Operators).

I think I know the issue but I am having trouble finding out the back end of the IPA Directory structure.

In the /var/log/dirsrv/slapd****/errors file the last few lines say the following.

Ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry "uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca" : 32


From looking at that I assume the passsync user I created on the IPA side does not live under the sysaccounts CN.
So I guess what I'm looking for is the backend structure of how the users are setup.
Does his entry in the backend of IPA actually look like this;

uid=passsyncuser,cn=users,dc=ipadomain,dc=ca


Thanks,

Matt


-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com] 
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to configure the oneWaySync option for IPA so only the
>> Windows AD can replicate changes to IPA.
>>
>> When I use the command that I listed below it says it works but when I
>> delete a user from IPA it will then delete the user in Active Directory.
>>
>> Is my command listed below correct? Anyone able to help?
>>
>> Parameters:
>> Server = rhserver
>> Domain = redhat.ca
>> Password = 12345678
>>
>> Contents of /tmp/unisync;
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>>
>> So I enter the following command;
>> *ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f
>> /tmp/unisync*
>
> There should be no space in oneWaySync, it should be fromWindows.
I thought the oneWaySync attribute was in the replication/sync agreement 
entry, not in the ipa-winsync plugin config entry?
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
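The errors-log line Matt quotes ends in LDAP result code 32, which is noSuchObject: the entry the lockout plugin tried to fetch, uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca, does not exist on the IPA server, so the first thing to verify is whether that exact DN is present. The helper script below is an added example, not code from this thread or from FreeIPA: it pulls the DN and result code out of such a log line, prints the ldapsearch needed to check the DN, and builds the oneWaySync modification against the winsync agreement entry (the entry Rich points at, not the ipa-winsync plugin entry), rejecting any value other than the two documented ones, fromWindows and toWindows. The agreement and suffix DNs in the last call are placeholders; the log line is the one from the message above.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Helpers to read the
# ipa_lockout error line quoted above and to produce a well-formed oneWaySync
# modification. Agreement and suffix DNs used below are placeholders.

# Sample log line, copied from the message above (the only real input here).
SAMPLE_LINE='Ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry "uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca" : 32'

# Name an LDAP result code (RFC 4511 values; only the ones useful here).
ldap_result_name() {
    case "$1" in
        0)  echo success ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        50) echo insufficientAccessRights ;;
        *)  echo "unknown($1)" ;;
    esac
}

# DN the lockout plugin tried to fetch, taken from a "Failed to retrieve entry" line.
lockout_error_dn() {
    printf '%s\n' "$1" | sed -n 's/.*Failed to retrieve entry "\([^"]*\)" *: *\([0-9]*\).*/\1/p'
}

# Numeric result code at the end of the same line.
lockout_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*Failed to retrieve entry "\([^"]*\)" *: *\([0-9]*\).*/\2/p'
}

# One-line diagnosis: which DN is missing and what the code means.
# Returns 1 (and prints nothing) for lines that are not lockout lookup failures.
diagnose_lockout_line() {
    dn=$(lockout_error_dn "$1") || return 1
    [ -n "$dn" ] || return 1
    code=$(lockout_error_code "$1")
    echo "$dn: $(ldap_result_name "$code")"
}

# Command to confirm whether that DN exists in IPA (printed, not run here;
# -W asks for the Directory Manager password interactively).
lookup_cmd() {
    printf 'ldapsearch -x -D "cn=Directory Manager" -W -b "%s" -s base dn\n' "$1"
}

# LDIF that sets oneWaySync on the winsync agreement entry. Only the two
# documented values are accepted, so "From Windows" with a space is rejected
# here instead of being sent to ldapmodify.
oneway_ldif() {
    case "$2" in
        fromWindows|toWindows) ;;
        *) echo "oneWaySync must be fromWindows or toWindows, got: $2" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: oneWaySync\noneWaySync: %s\n' "$1" "$2"
}

# Walk-through with the sample line.
diagnose_lockout_line "$SAMPLE_LINE"
lookup_cmd "$(lockout_error_dn "$SAMPLE_LINE")"
# The agreement DN below is a placeholder; list the real one with
#   ldapsearch -x -D "cn=Directory Manager" -W -b cn=config \
#     "(objectclass=nsDSWindowsReplicationAgreement)" dn
oneway_ldif 'cn=AGREEMENT_PLACEHOLDER,cn=replica,cn=SUFFIX_PLACEHOLDER,cn=mapping tree,cn=config' fromWindows
```

If the ldapsearch printed by lookup_cmd returns "No such object", the PassSync bind DN has to be created under cn=sysaccounts,cn=etc (or PassSync reconfigured to bind as an entry that does exist); if it succeeds, the lockout error points somewhere else and the bind credentials are the next thing to check. The LDIF from oneway_ldif is fed to ldapmodify exactly as in the thread, just with the agreement DN instead of the plugin DN.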




