IPA winsync issues


I'm running into multiple issues trying to get password sync working from AD to IPA.

The way we have it set up is our system accounts in one OU (sysOU) and our standard user accounts in another OU (usersOU). We put our IPA PasswordSync (passsync) user that we created in the sysOU so he is not with our standard OU. We added him to the required groups.

So I run the following command to set up the agreement for password sync.

ipa-replica-manage connect --winsync --passsync="passsync_user_password" --cacert=/path/to/cert --binddn "cn=passsync,cn=sysOU,dc=ad,dc=ca" --bindpw="Active_Directory_Admin_Password" -v adserver.example.ca

Now this command won't work. It says invalid credentials. The password is right and the username is right. If I switch the passsync user in the --binddn option to administrator then the command works and it will update the user accounts' information under the sysOU, BUT it will NOT sync the passwords when the passwords have been changed. Do I have it wrong? The user in the --binddn option should be the passsync user I created, right?

So then I tried the above command and added the --win-subtree option and pointed it to the usersOU. The command completes successfully but it does not sync users at all. It won't even add the user accounts that IPA is missing.


Do I have something wrong in the commands listed above?



Also I forgot to add the following.

According to the documentation, my setup of the uni-directional updates is wrong.

I want for the Windows AD to be the source of the updates so I did the following command.

ldapmodify -x -D "cn=directory manager" -w IPA_PASSWORD -f /tmp/unisync

The /tmp/unisync file has the following information in it.

dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: FromWindows

After the command completes I can delete a user from IPA and it will replicate the entry to AD deleting the user from there also.


The --binddn and --bindpw options give the username and password of the system account on the Active Directory server that IdM will use to connect to the Active Directory server.

The user must exist in Windows AD and must have replicator, read, search, and write permissions on the Active Directory subtree (i.e. it should be a member of the Domain Admins built-in group on AD).

You may try running "ldapsearch" against the Windows AD server with this user and see whether this user has the proper rights and there is no issue with the user's credentials.

# ldapsearch -x -b <AD base DN> -D <Bind DN> -w <password> -h <AD server IP/Hostname>

# ldapsearch -x -b "dc=ad,dc=ca" -D "cn=passsync,cn=sysOU,dc=ad,dc=ca" -w <password for passsync user on AD> -h <AD server IP/Hostname>

# ldapsearch -x -ZZ -b "dc=ad,dc=ca" -D "cn=passsync,cn=sysOU,dc=ad,dc=ca" -w <password for passsync user on AD> -h <AD server IP/Hostname>

Use the '-ZZ' option to force the bind over TLS. Ensure that the Windows CA certificate is stored in the /etc/openldap/cacerts directory to use start_tls with ldapsearch.

If the "--win-subtree" option is not used in the "ipa-replica-manage" command, the default value is cn=Users,$SUFFIX (where $SUFFIX is the base DN of the Windows AD).

By default, all modifications and deletions are bi-directional. A change in Active Directory is synced over to Identity Management, and a change to an entry in Identity Management is synced over to Active Directory.

The 'oneWaySync' option is for scenarios or IT designs where a "master-consumer" kind of setup is a requirement. The uni-directional sync is configured to go from Active Directory to Identity Management, so Active Directory is (in essence) the data master.

If any entry is modified or updated on IdM, it won't be synced to the AD server, which may lead to inconsistencies between the sync peers.

Hope this helps.

Best Regards,


Hello Nirupama,

Thank you for the information.
The ldapsearch command you provided completes successfully and displays all of the information in the AD.

The "oneWaySync" option that I listed above: is it correct? When I enter it the way I listed above it does not do what it should be doing.


Please refer to the section "8.4.5. Configuring Uni-Directional Sync" in the following documentation link.


What version of ipa-server are you using? Are changes replicating from the IdM server to Windows AD even after 'oneWaySync' is configured?

Thank you,



I am using 2.2.0-16 for the IPA-Server.

Yup, after I make the required LDAP change for uni-directional sync I can still delete a user from IPA and it will replicate it to AD even though I put "FromWindows".


Also the --win-subtree is still not working.

When I add --win-subtree "cn=UsersOU,dc=ad,dc=ca" it comes back with the following error:
[server_name] reports: Update Failed! Status: [-1 total updated abortedSystem error]
Failed to start replication

It will add my AD server to the ipa-replica-manage server list but it will not sync with the UsersOU.

Again, when I do the ldapsearch command you listed above it sees all of my users under the UsersOU.

Figured out my issue with the --win-subtree.
I didn't realize that a user-created OU doesn't fall under "cn="; it actually becomes "ou=".

Still stuck on this uni-directional sync though. I think I had the -D "directory manager" part of the command wrong so I've changed it and am now getting a different error.
Maybe I have the syntax wrong. If someone can verify my command that would be great.

Server = rhserver
Domain = redhat.ca
Password = 12345678

Contents of /tmp/unisync:
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows

So I enter the following command:
ldapmodify -x -D "dc=redhat,dc=ca" -w 12345678 -f /tmp/unisync

So when this command completes I get the following error:
ldap_bind: Inappropriate authentication (48)

Is the password it's looking for supposed to be the IPA admin password (the same one you use when you do a kinit admin)?
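An added pre-flight check, not from this thread or the IdM project, for the two things that went wrong in the posts above: the /tmp/unisync LDIF (the value "From Windows" with a space, versus the documented fromWindows / toWindows) and the ldapmodify bind DN (cn=directory manager from the first post, versus the suffix dc=redhat,dc=ca used in the last one). The function names and the assumption that the plugin compares the value case-insensitively are mine.

```python
"""Pre-flight checks for the oneWaySync LDIF and the ldapmodify bind DN (constructed example)."""
import re

# Values documented for the ipa-winsync plugin's oneWaySync attribute ("fromWindows", "toWindows").
# Assumption: the comparison is case-insensitive, so the thread's "FromWindows" is accepted.
ONEWAY_VALUES = {"fromwindows", "towindows"}
PLUGIN_DN = "cn=ipa-winsync,cn=plugins,cn=config"


def parse_ldif_modify(text):
    """Parse a single-entry LDIF modify block into {attr (lowercased): [values]}."""
    entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            entry.setdefault("_malformed", []).append(line)
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_unisync_ldif(text):
    """Return a list of problems found in the LDIF; an empty list means it looks right."""
    e = parse_ldif_modify(text)
    problems = []
    if e.get("dn", [""])[0].lower() != PLUGIN_DN:
        problems.append("dn must be %s" % PLUGIN_DN)
    if e.get("changetype", [""])[0].lower() != "modify":
        problems.append("changetype must be 'modify'")
    if [v.lower() for v in e.get("replace", [])] != ["onewaysync"]:
        problems.append("expected exactly one 'replace: oneWaySync' line")
    vals = e.get("onewaysync", [])
    if len(vals) != 1:
        problems.append("exactly one oneWaySync value is required")
    elif re.search(r"\s", vals[0]):
        # This is the "From Windows" mistake from the thread: the value is a single token.
        problems.append("oneWaySync value contains whitespace: %r" % vals[0])
    elif vals[0].lower() not in ONEWAY_VALUES:
        problems.append("oneWaySync must be fromWindows or toWindows, got %r" % vals[0])
    for line in e.get("_malformed", []):
        problems.append("line is not in 'attr: value' form: %r" % line)
    return problems


def check_dirman_bind_dn(bind_dn):
    """cn=config is modified as Directory Manager; a suffix like dc=redhat,dc=ca is not that entry."""
    return bind_dn.strip().lower() == "cn=directory manager"
```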