[Freeipa-users] Syncing with AD

James A james at atia.se
Wed May 15 07:31:03 UTC 2013


On Wed, May 15, 2013 at 9:02 AM, James A <james at atia.se> wrote:

> On Tue, May 14, 2013 at 5:07 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>> On 05/14/2013 07:57 AM, Rob Crittenden wrote:
>>
>>> James A wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have been playing with trying to set up synchronization between
>>>> windows AD --> IPA  following the instructions at
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>>
>>>> A few questions arise;
>>>>
>>>> 1.) The documentation (specifically on
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html),
>>>>
>>>> (under table 9.2) talks about options to the "ipa-replica-manage
>>>> connect" command. Among others, --bindpw and --passsync.  With --binddn
>>>> we specify the "full user DN of the synchronization identity" (and its
>>>> password with --bindpw ... but I fail to understand which user's password
>>>> should be used for "--passsync"??  Is it the same user?
>>>>
>>>
>>> No, a special IPA system account user is needed so the PassSync service
>>> running in AD can bind to the IPA LDAP server to make password changes.
>>> This entry needs to be created in IPA regardless of whether you are using
>>> the PassSync service or not.
>>>
>>> So binddn/bindpw is for the AD user we use to bind from IPA to AD, and
>>> passsync is the password set on the IPA passsync account.
>>>
>>>> 2.) The documentation says that the "synchronization identity" (see also
>>>> above) must exist in the AD domain and "must have replicator, read,
>>>> search and write permissions on the AD subtree".  What I am trying to do
>>>> is create a one-way sync from AD --> IPA  and I would really like to
>>>> avoid using a user (for synching) that has write permissions (in the
>>>> AD).  All my tries in setting up synchronization fail unless I add the
>>>> synch-user to the group "Administrators". I have tried (and failed)
>>>> using "account admins" etc.   Any pointers here would be great. Sorry
>>>> for my ignorance when it comes to Windows. I am sure I am missing
>>>> something obvious.
>>>>
>>>> 3.) I follow the instructions under "9.4.5"
>>>> (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync)
>>>>
>>>> to setup Uni-directional sync. (only AD --> IPA), and yet, when I go to
>>>> remove an account in IPA it gets removed also in the AD.  (This I really
>>>> want to avoid, thus the need for a read-only user to do the
>>>> synchronization - see question 2).
>>>>
>>>
>>> I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs
>>> will chime in with some suggestions.
>>>
>>
>> Write access is not required if you are only doing one way sync.
>> Here is the information about adding the specific rights to the windows
>> sync user
>> http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights
>
> BINGO :)  Thank you!  Now I am very close!
>
> The instructions read "In the 'Permissions for Windows Sync' list, make
> sure Read is checked under the Allow column".   This I don't have (I can't
> find this setting where the instructions say it should be).... I do have
> "replicate directory changes", "replicating directory changes all",
> "replication synchronization" and "monitor active directory replication".
> When I set "Replication Synchronization" and "Replicate Directory Changes"
> permissions on the user, I can sync new accounts using this useraccount.
>
> But...
>
> When I delete a user on the IPA server, then sync again the user doesn't
> show up in IPA.
> The good news is that the user doesn't get deleted in the AD, but I can't
> sync it back to the IPA.
>
> If I create a new user in the AD it gets synced ok. (to IPA).
>
> I realize some of these are more Windows/AD-centric issues, but given that
> I use IPA for syncing from the AD I hope maybe someone can shed some (more)
> light on this on this mailing list.
>
> thanks,
>
> //James.
>

For what it's worth, I just noticed that if I remove an account on the IPA
server, go over to the AD, change an attribute (such as set it to
"disabled"), and sync again it synchronizes over no problem. If I remove
an account (on IPA) without touching it on the AD, it won't synchronize
however.

//J

>>>> All in all I think the FreeIPA project is amazing and it really gives us
>>>> in the Linux community something we haven't had before.   If I can iron
>>>> out the problems above I am sure it will become a great tool for me and
>>>> my client.
>>>>
>>>
>>> Glad you like it!
>>>
>>> cheers
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
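The AD-side rights Rich points to, written out as an added example that is not part of this thread and is not code from the FreeIPA or 389-ds projects: a PowerShell snippet (assumes the RSAT ActiveDirectory module and a domain-admin session) that grants the WinSync identity "Replicating Directory Changes" and "Replication Synchronization" on the domain naming context plus inherited read on the synced subtree, instead of adding it to Administrators. The account name EXAMPLE\winsync and the CN=Users subtree are placeholders; the two GUIDs are the well-known rightsGuid values of those control-access rights. "Replicating Directory Changes All" is deliberately left out: WinSync does not need it, and it additionally permits replicating secret attributes such as password hashes.

```powershell
# Added example (not from the thread, FreeIPA or 389-ds). Grants an AD account only
# what 389-ds WinSync needs to pull changes from AD:
#   - "Replicating Directory Changes" (DS-Replication-Get-Changes) on the domain NC,
#     which the DirSync control used by WinSync requires
#   - "Replication Synchronization" (DS-Replication-Synchronize) on the domain NC
#   - Read on the subtree handed to --win-subtree, so the user entries are visible
# NOT granted: "Replicating Directory Changes All" (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2),
# which also exposes secret attributes (password hashes) and is not needed here.
# Assumptions: RSAT ActiveDirectory module present (it mounts the AD: drive), run as a
# domain admin; $SyncAccount and $SyncSubtree are placeholders to replace.
Import-Module ActiveDirectory

$SyncAccount = 'EXAMPLE\winsync'                    # placeholder: DOMAIN\sAMAccountName of the sync identity
$DomainDN    = (Get-ADDomain).DistinguishedName     # domain naming context, e.g. DC=example,DC=com
$SyncSubtree = "CN=Users,$DomainDN"                 # placeholder: the subtree given to --win-subtree

# rightsGuid values of the control-access rights (CN=Extended-Rights,CN=Configuration,...)
$ReplRights = @{
    'Replicating Directory Changes' = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replication Synchronization'   = '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
}

$sid = ([System.Security.Principal.NTAccount]$SyncAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 1. Extended rights on the naming-context head; replication rights are evaluated there.
$acl = Get-Acl -Path "AD:\$DomainDN"
foreach ($entry in $ReplRights.GetEnumerator()) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$entry.Value)
    $acl.AddAccessRule($rule)
    Write-Host "Granting '$($entry.Key)' on $DomainDN to $SyncAccount"
}
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# 2. Read on the synced subtree, inherited by every object below it (the "Read" the
#    port389 howto asks for; no write or delete right is granted anywhere).
$subAcl = Get-Acl -Path "AD:\$SyncSubtree"
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$subAcl.AddAccessRule($readRule)
Set-Acl -Path "AD:\$SyncSubtree" -AclObject $subAcl

# 3. Verify: the sync account should now hold two ExtendedRight ACEs on the domain NC whose
#    ObjectType is one of the GUIDs above, and nothing with WriteProperty or GenericAll.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $SyncAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType, IsInherited
```

These rights only control what the sync account may read in AD; they do not decide the direction of the agreement, which is configured on the 389-ds side of the WinSync agreement, so they are the answer to question 2 rather than to the deletion behaviour in question 3.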