Hey,

So if I remove the IPA Password Sync user from the Account Operators then delete a user from IPA it won't replicate to Active Directory. When I create a user on the Active Directory side it will replicate it to IPA.

So I started testing out the password sync to see if that will work but I am not having any luck with it (even when our password sync user on the Windows side is added to Account Operators). I think I know the issue but I am having trouble finding out the back end of the IPA Directory structure.

In the /var/log/dirsrv/slapd****/errors file the last few lines say the following.

Ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry "uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca" : 32

From looking at that I assume the passsync user I created on the IPA side does not live under the sysaccounts CN. So I guess what I'm looking for is the backend structure of how the users are set up. Does his entry in the backend of IPA actually look like this;

uid=passsyncuser,cn=users,dc=ipadomain,dc=ca

Thanks,

Matt

-----Original Message-----
From: Rich Megginson [mailto:[email protected]]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); [email protected]
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to configure the oneWaySync option for IPA so only the
>> Windows AD can replicate changes to IPA.
>>
>> When I use the command that I listed below it says it works but when I
>> delete a user from IPA it will then delete the user in Active Directory.
>>
>> Is my command listed below correct? Anyone able to help?
>>
>> Parameters:
>> Server = rhserver
>> Domain = redhat.ca
>> Password = 12345678
>>
>> Contents of /tmp/unisync;
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>>
>> So I enter the following command;
>> *ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -h rhserver.redhat.ca -f
>> /tmp/unisync*
>
> There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
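
A small lint for the LDIF discussed in this thread, as an added example that is not part of the original messages: it checks the two points raised in the replies, the spelling of the oneWaySync value and which entry carries the attribute. It assumes the 389 Directory Server layout in which Windows sync agreements are entries under cn=mapping tree,cn=config; the function names and the agreement DN in FIXED_LDIF are constructed for illustration.

```python
# Added example: lint an LDIF modify that sets oneWaySync before running ldapmodify.
# Assumption: Windows sync agreements are entries under cn=mapping tree,cn=config
# (389 Directory Server layout). Function names and FIXED_LDIF's DN are constructed.

DOCUMENTED_VALUES = ("fromWindows", "toWindows")

# The /tmp/unisync contents posted in the thread.
PAGE_LDIF = r"""
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows
"""

# Constructed agreement DN; substitute the real agreement name and suffix.
FIXED_LDIF = r"""
dn: cn=meToWinserver,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: fromWindows
"""


def parse_modify(ldif):
    """Return (dn, values), where values are the oneWaySync values in the record."""
    dn, values = None, []
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or "-" separator
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "onewaysync":
            values.append(value)
    return dn, values


def check_one_way_sync(ldif):
    """Return a list of problems; an empty list means both checks pass."""
    dn, values = parse_modify(ldif)
    problems = []
    # Naive comma split: enough for the two trailing RDNs, which hold no escapes.
    rdns = [r.strip().lower() for r in (dn or "").split(",")]
    if rdns[-2:] != ["cn=mapping tree", "cn=config"]:
        problems.append("target is not under cn=mapping tree,cn=config: %s" % dn)
    if len(values) != 1:
        problems.append("expected one oneWaySync value, found %d" % len(values))
    problems += ["oneWaySync value %r is not one of %s" % (v, ", ".join(DOCUMENTED_VALUES))
                 for v in values if v not in DOCUMENTED_VALUES]
    return problems
```

The lint insists on the documented spelling of the value and only checks where the target entry sits in the tree; it does not confirm that the entry is a Windows sync agreement rather than an ordinary replication agreement.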
