I'm running into multiple issues trying to get password sync working from AD to IPA.
The way we have it set up is our system accounts in one OU (sysOU) and our standard user accounts in another OU (usersOU). We put our IPA PasswordSync (passsync) user that we created in the sysOU so he is not with our standard OU. We added him to the required groups.
So I run the following command to set up the agreement for password sync.
ipa-replica-manage connect --winsync --passsync="passsync_user_password" --cacert=/path/to/cert --binddn "cn=passsync,cn=sysOU,dc=ad,dc=ca" --bindpw="Active_Directory_Admin_Password" -v adserver.example.ca
Now this command won't work. It says invalid credentials. The password is right and the username is right. If I switch the passsync user in the --binddn option to administrator then the command works and it will update the user account information under the sysOU BUT it will NOT sync the passwords when the passwords have been changed. Do I have it wrong? The user in the --binddn option should be the passsync user I created, right?
So then I tried the above command and added the --win-subtree option and pointed it to the usersOU, and the command completes successfully but it does not sync users at all. It won't even add the user accounts that IPA is missing.
Do I have something wrong in the commands listed above?