On 03/17/2014 03:52 PM, Todd Maugh wrote:
Thanks Rich,
I am able to create a successful winsync agreement from the top level.
Unfortunately, when I do this, I do not see any of the accounts from
the sub trees populate my ipa server.
Ok, so it doesn't work.
Is it possible to have all the subtrees (ous) live under cn=users. If I
make this change to AD would IPA then sync all the accounts from the
subtrees?
Yes.
I can't believe I am the first person with this issue or need.
You are certainly not - we have a couple of 389 to address this and
similar issues with winsync.
https://fedorahosted.org/389/ticket/460
Unfortunately, this fix has been targeted for F20 (389-ds-base-1.3.2),
and we don't have plans to backport to EL6.
Note that winsync is always going to be more or less painful - it is
not, was never designed to be, and never will be a full blown
meta-directory solution. For more information:
https://fedorahosted.org/389/query?component=Sync+Service&status=accepted&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority&report=16
That's why we recommend that the best long term solution is cross domain
trust - that removes winsync from the picture.
Thanks again in advance.
*From:* Rich Megginson [mailto:[email protected]]
*Sent:* Monday, March 17, 2014 2:44 PM
*To:* Todd Maugh; [email protected]
*Subject:* Re: [Freeipa-users] Has one successfully synched the
entirety of their AD to IPA (multiple OUs and or Subtrees)
On 03/17/2014 03:33 PM, Todd Maugh wrote:
I'm trying to sync all of my AD to IPA, I don't need to retain any
of the original windows directory structure once in IPA.
I cannot find where to set ipaWinSyncUserFlatten to true (so I'm
assuming it's on true by default)
Yes, it is true by default.
dn: cn=ipa-winsync,cn=plugins,cn=config
I really need to be able to sync more than just the cn=users subtree
There really isn't explicit support for this. If it doesn't work to
set your AD subtree to your root suffix (e.g. dc=domain,dc=com), then
it's simply not going to work until 389 adds support for that.
And I can find no documentation or help online.
Because there probably isn't any.
Has anyone had any success or practice with this?
See above.
Thanks
-Todd
Todd Maugh
Sr System Engineer
*Boingo Wireless*
*[email protected] <mailto:[email protected]>*
_______________________________________________
Freeipa-users mailing list
[email protected] <mailto:[email protected]>
https://www.redhat.com/mailman/listinfo/freeipa-users