[Freeipa-users] ad relation with winsync

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 12 08:57:07 UTC 2015


On Thu, 12 Feb 2015, Nicolas Zin wrote:
>
>
>
>> AD is treated as the ultimate source, so adds should go only from AD
>> to IPA, but you need the modify to work both ways, otherwise your account
>> state will get out of sync.
>> Whatever is required by the docs is the minimal privilege you need to have
>> to sync users.
>>
>> However, did you consider trust?
>> It is a two-way trust, but it acts as a one-way trust.
>
>I know, but my customer doesn't want a two-way trust, whatever it means:
>- he fears some security concerns with a two-way trust.
We've been through this multiple times; check the freeipa-users@ archives
for arguments for and against.

>- if he migrates his AD to a new version or a new topology, he fears encountering migration path issues.
Cross-forest trust is a standard feature of AD; we foresee no
migration path issues, and it works with everything from Windows Server
2003 to Windows Server 2012 R2 (though Red Hat only supports cross-forest trust
starting with Windows Server 2008 onwards, but this is mostly because
2003 is already out of support by Microsoft).

>So it has been decided to go the winsync way.
>
>btw, I managed to get my one-way replication working with fewer
>privileges, following
>http://directory.fedoraproject.org/docs/389ds/howto/howto-windowssync.html#creating-ad-user-with-replication-rights
>
-- 
/ Alexander Bokovoy
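The drift warned about above (adds may flow AD -> IPA only, but modifies must flow both ways or the account state diverges) is something a defender can audit. The following is an added example, not code from this thread or from FreeIPA/389 DS; it assumes AD exposes the disabled flag in userAccountControl and IPA records lock state in nsAccountLock, and it uses constructed snapshots in place of real LDAP search results.

```python
"""Audit helper (added example, not from the thread): with one-way winsync,
account-state changes made on one side never reach the other, so the
disabled/locked state can drift apart. This compares constructed snapshots
of both directories and reports mismatches and unsynced accounts."""

ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account disabled" in AD

# Constructed sample snapshots (not real data), keyed by login name.
AD_USERS = {
    "alice": {"userAccountControl": 512},                   # NORMAL_ACCOUNT, enabled
    "bob":   {"userAccountControl": 512 | ACCOUNTDISABLE},  # disabled in AD
    "carol": {"userAccountControl": 66048},                 # enabled, password never expires
}
IPA_USERS = {
    "alice": {"nsAccountLock": "FALSE"},
    "bob":   {"nsAccountLock": "FALSE"},   # AD disable not propagated to IPA
    "carol": {"nsAccountLock": "TRUE"},    # locked in IPA only; AD still enabled
    "dave":  {"nsAccountLock": "FALSE"},   # exists only in IPA
}

def ad_disabled(entry):
    """True when the AD entry carries the ACCOUNTDISABLE bit."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)

def ipa_locked(entry):
    """True when the IPA/389 DS entry has nsAccountLock set to TRUE."""
    return str(entry.get("nsAccountLock", "FALSE")).upper() == "TRUE"

def find_state_drift(ad_users, ipa_users):
    """Return a sorted list of (login, ad_disabled, ipa_locked) for accounts
    present in both directories whose disabled/locked state differs."""
    drift = []
    for login in sorted(set(ad_users) & set(ipa_users)):
        a, i = ad_disabled(ad_users[login]), ipa_locked(ipa_users[login])
        if a != i:
            drift.append((login, a, i))
    return drift

def unsynced_accounts(ad_users, ipa_users):
    """Logins present in only one directory; with AD as the source of adds,
    anything in ipa_only was created outside the sync path."""
    return {"ipa_only": sorted(set(ipa_users) - set(ad_users)),
            "ad_only": sorted(set(ad_users) - set(ipa_users))}

if __name__ == "__main__":
    for login, a, i in find_state_drift(AD_USERS, IPA_USERS):
        print(f"{login}: AD disabled={a}, IPA locked={i}")
    print(unsynced_accounts(AD_USERS, IPA_USERS))
```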
