IPA winsync issues
Hello,
I'm running into multiple issues trying to get password sync working from AD to IPA.
The way we have it set up is our system accounts in one OU (sysOU) and our standard user accounts in another OU (usersOU). We put our IPA PasswordSync (passsync) user that we created in the sysOU so he is not with our standard OU. We added him to the required groups.
So I run the following command to set up the agreement for password sync.
ipa-replica-manage connect --winsync --passsync="passsync_user_password" --cacert=/path/to/cert --binddn "cn=passsync,cn=sysOU,dc=ad,dc=ca" --bindpw="Active_Directory_Admin_Password" -v adserver.example.ca
Now this command won't work. It says invalid credentials. The password is right and the username is right. If I switch the passsync user in the --binddn option to administrator then the command works and it will update the user accounts information under the sysOU BUT it will NOT sync the passwords when the passwords have been changed. Do I have it wrong? The user in the binddn option should be the passsync user I created right?
So then I tried the above command and added the --win-subtree option and pointed it to the usersOU and the command completes successfully but it does not sync users at all. It won't even add the user accounts that IPA is missing.
Do I have something wrong in the commands listed above?
Thanks.
Responses
Hello,
The --binddn and --bindpw options give the username and password of the system account on the Active Directory server that IdM will use to connect to the Active Directory server.
The user must exist in Windows AD and must have replicator, read, search, and write permissions on the Active Directory subtree (i.e. it should be a member of the Domain Admins built-in group on AD.)
You may try running "ldapsearch" against windows AD server with this user and see whether this user has proper rights and there is no issue with user's credentials.
# ldapsearch -x -b <AD base DN> -D <Bind DN> -w <password> -h <AD server IP/Hostaname>
# ldapsearch -x -b "dc=ad,dc=ca" -D "cn=passsync,cn=sysOU,dc=ad,dc=ca" -w <password for passsync user on AD> -h <AD server IP/Hostname>
# ldapsearch -x -ZZ -b "dc=ad,dc=ca" -D "cn=passsync,cn=sysOU,dc=ad,dc=ca" -w <password for passsync user on AD> -h <AD server IP/Hostname>
Use the '-ZZ' option to force bind over TLS. Ensure that the Windows CA certificate is stored in the /etc/openldap/cacerts directory to use start_tls with ldapsearch.
If the "--win-subtree" option is not used in the "ipa-replica-manage" command, the default value is cn=Users,$SUFFIX (where $SUFFIX is the base DN of the Windows AD).
By default, all modifications and deletions are bi-directional. A change in Active Directory is synced over to Identity Management, and a change to an entry in Identity Management is synced over to Active Directory.
The 'oneWaySync' option is for scenarios or IT designs where "master-consumer" kinda setup is a requirement. The uni-directional sync is configured to go from Active Directory to Identity Management, so Active Directory is (in essence) the data master.
If any entry is modified or updated on IdM, it won't be synced to the AD server, which may lead to inconsistencies between the sync peers.
Hope this helps.
Best Regards,
Nirupama
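The ldapsearch checks suggested above, collected into one pre-flight script. This is an added example, not code from the thread or from the IPA project: it assumes the OpenLDAP ldapsearch client, a password file written without a trailing newline, and placeholder values for the AD host, base DN, bind DN and subtree (the names in the usage line are illustrative, not the poster's). It maps the ldapsearch exit status to the LDAP result code behind it, so "invalid credentials" (49), a DN that does not exist (32) and a bind that works but cannot read the subtree (50) are told apart before ipa-replica-manage is run, and it prints the sync account's memberOf values so the group membership can be confirmed rather than assumed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the AD account that
# ipa-replica-manage --winsync binds with. Assumes the OpenLDAP ldapsearch client;
# host and DN values are placeholders supplied by the caller.
set -u

# Translate an ldapsearch exit status into the LDAP result it stands for, so the
# failure mode is obvious before touching ipa-replica-manage.
explain_rc() {
    case "$1" in
        0)   echo "success" ;;
        1)   echo "operationsError from AD, or a local failure such as the -ZZ TLS handshake (check the AD CA in /etc/openldap/cacerts)" ;;
        32)  echo "noSuchObject: the DN does not exist on AD (OUs use ou=, containers such as Users use cn=)" ;;
        49)  echo "invalidCredentials: wrong bind DN or password, or the account is disabled or locked" ;;
        50)  echo "insufficientAccessRights: the bind works but the account cannot read that subtree" ;;
        255) echo "cannot contact server: name, port or firewall problem" ;;
        *)   echo "ldapsearch exit status $1" ;;
    esac
}

# The subtree ipa-replica-manage syncs when --win-subtree is omitted:
# cn=Users under the AD base DN.
default_win_subtree() {
    printf 'cn=Users,%s\n' "$1"
}

# Run one base-scope search as the sync account and report the outcome.
#   $1 host  $2 bind DN  $3 password file  $4 DN to read  $5 extra ldapsearch flags (e.g. -ZZ)
probe() {
    host=$1 binddn=$2 passfile=$3 target=$4 flags=${5:-}
    # -y reads the file verbatim, so create it with printf '%s' (no trailing newline);
    # unlike -w it keeps the password out of the process list.
    ldapsearch -x $flags -H "ldap://$host" -D "$binddn" -y "$passfile" \
        -b "$target" -s base -LLL 1.1 >/dev/null 2>&1
    rc=$?
    echo "$target [${flags:-plain}]: $(explain_rc "$rc")"
    return "$rc"
}

# Full check: plain bind, TLS bind, the subtree that will be synced, and the
# account's group memberships. Stops at the first failing step.
check_winsync_account() {
    host=$1 base=$2 binddn=$3 passfile=$4 subtree=${5:-$(default_win_subtree "$2")}
    probe "$host" "$binddn" "$passfile" "$base" ""       || return $?
    probe "$host" "$binddn" "$passfile" "$base" "-ZZ"    || return $?
    probe "$host" "$binddn" "$passfile" "$subtree" "-ZZ" || return $?
    # The sync account needs replicator, read, search and write rights (Domain Admins
    # in the reply above): list its memberOf values so that can be verified.
    ldapsearch -x -ZZ -H "ldap://$host" -D "$binddn" -y "$passfile" \
        -b "$binddn" -s base -LLL memberOf
}

# Usage with placeholder values:
#   check_winsync_account adserver.example.ca "dc=ad,dc=ca" \
#       "cn=passsync,ou=sysOU,dc=ad,dc=ca" /root/passsync.pw "ou=usersOU,dc=ad,dc=ca"
if [ "$#" -ge 4 ]; then
    check_winsync_account "$@"
fi
```

The script uses -H with an ldap:// URI rather than the deprecated -h, and the base-scope search on the bind DN itself is a cheap way to confirm the account can at least read its own entry before the larger subtree is tried.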
Hello,
Please refer to the section "8.4.5. Configuring Uni-Directional Sync" in the following documentation link.
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/managing-sync-agmt.html
What is the version of ipa-server you are using? Are changes replicating from the IdM server to Windows AD even after 'oneWaySync' is configured?
Thank you,
Nirupama