Hi,
I'm trying to set up FreeIPA and Active Directory synchronisation following the Red Hat documentation (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...).
The ipa-replica-manage command returns a success but no users are imported in FreeIPA:
ipa-replica-manage connect --winsync --binddn='cn=ipasync,cn=Users,dc=ipa,dc=local' --bindpw='####' --passsync #### --cacert ipa-a-v
Directory Manager password:
Added CA certificate ipa-ad.cloud.620nm.net.cer to certificate database for ipa.cloud.620nm.net
ipa: INFO: AD Suffix is: DC=ipa,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa,dc=cloud,dc=620nm,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 2 seconds elapsed
Update succeeded
The ipasync user has been created with the rights as described in the documentation.
In the FreeIPA logs, I didn't find any error message that could explain why users are not imported.
Regards,
Laurent PERRIN
Service Infra aux Projets
Orange Applications for Business
SCE/OAB/DPO/DT/SF/CLOUDS
tel. +33 4 37 24 62 85
Mob: 07 84 12 78 79
laurent2.perrin@orange.com
139 rue Vendôme 69006 Lyon
www.orange-business.com
_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
laurent2.perrin--- via FreeIPA-users wrote:
Hi,
I'm trying to set up FreeIPA and Active Directory synchronisation following the Red Hat documentation (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...).
The ipa-replica-manage command returns a success but no users are imported in FreeIPA:
ipa-replica-manage connect --winsync --binddn='cn=ipasync,cn=Users,dc=ipa,dc=local' --bindpw='####' --passsync #### --cacert ipa-a-v
Directory Manager password:
Added CA certificate ipa-ad.cloud.620nm.net.cer to certificate database for ipa.cloud.620nm.net
ipa: INFO: AD Suffix is: DC=ipa,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa,dc=cloud,dc=620nm,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 2 seconds elapsed
Update succeeded
The ipasync user has been created with the rights as described in the documentation.
In the FreeIPA logs, I didn't find any error message that could explain why users are not imported.
Are your AD users under DC=ipa,DC=local?
Have you considered using AD trust instead of sync?
rob
They are under cn=Users,dc=ipa,dc=local, but this path seems to be the one used by the IPA synchronization:
ldapsearch -xLLL -D "cn=directory manager" -w #### -p 389 -h ipa.cloud.620nm.net -b cn=config objectclass=nsdswindowsreplicationagreement dn nsds7WindowsReplicaSubtree
dn: cn=meToipa-ad.ipa.local,cn=replica,cn=dc\3Dipa\2Cdc\3Dcloud\2Cdc\3D620nm\2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=Users,dc=ipa,dc=local
The target Active Directory is not managed by another team and a trust relationship cannot be established, due to their policy.
-----Original Message-----
From: Rob Crittenden [mailto:rcritten@redhat.com]
Sent: Wednesday, 21 June 2017 17:19
To: FreeIPA users list
Cc: PERRIN Laurent OBS/OAB
Subject: Re: [Freeipa-users] Users not imported with Active Directory Synchronization
freeipa-users@lists.fedorahosted.org
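Rob's question (are the AD users actually under the subtree the agreement syncs?) can be checked offline from the two ldapsearch outputs. The script below is an added example for this thread, not code from FreeIPA, 389-ds or anyone in the thread. It parses the agreement entry as posted (including the folded dn line), normalises DNs so the AD-style CN=/DC= spelling compares equal to the cn=/dc= value stored in the agreement, and reports which AD user DNs fall inside nsds7WindowsReplicaSubtree. The AD user entries are constructed stand-ins for what an ldapsearch against the domain controller would return, and the nsds7DirectoryReplicaSubtree and nsds7NewWinUserSyncEnabled values are assumptions added to show what else a practitioner would pull from the agreement; the thread only posted dn and nsds7WindowsReplicaSubtree.

```python
"""Check which AD users fall inside a 389-ds winsync agreement's subtree.

Added example for this thread (not FreeIPA or 389-ds code).  The agreement
LDIF mirrors the ldapsearch output posted in the thread; the AD user entries
and the two extra agreement attributes are constructed/assumed (see comments).
"""
import re

# Constructed: the agreement entry as returned by
#   ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config \
#       objectclass=nsdswindowsreplicationagreement
# The dn line is folded the way LDIF output folds long lines (newline
# followed by one space).  The last two attributes are assumed values added
# for illustration; the thread only requested dn and nsds7WindowsReplicaSubtree.
AGREEMENT_LDIF = r"""
dn: cn=meToipa-ad.ipa.local,cn=replica,cn=dc\3Dipa\2Cdc\3Dcloud\2Cdc\3D620nm\2
 Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=Users,dc=ipa,dc=local
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipa,dc=cloud,dc=620nm,dc=net
nsds7NewWinUserSyncEnabled: true
"""

# Constructed (hypothetical) AD entries standing in for an ldapsearch against
# the domain controller with base DC=ipa,DC=local.  Bob deliberately lives in
# an OU outside CN=Users.
AD_USERS_LDIF = r"""
dn: CN=Alice Example,CN=Users,DC=ipa,DC=local
sAMAccountName: alice

dn: CN=Bob Example,OU=Staff,DC=ipa,DC=local
sAMAccountName: bob

dn: CN=Carol Example,CN=Users,DC=ipa,DC=local
sAMAccountName: carol
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attr: [values]} dicts.

    Unfolds RFC 2849 continuation lines (newline + single space) before
    splitting, which is what makes the folded dn above parse correctly.
    Base64 (::) and URL (:<) values are not handled; not needed here.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Case-fold and trim whitespace between RDNs so 'CN=Users,DC=ipa,DC=local'
    (AD style) compares equal to 'cn=Users,dc=ipa,dc=local' (as stored in the
    agreement).  Good enough for cn/ou/dc RDNs; escaped commas (backslash 2C)
    are left as-is, so a DN containing one is not split in the wrong place.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn, subtree):
    """True if dn equals subtree or is below it (winsync subtree scope)."""
    n_dn, n_sub = normalize_dn(dn), normalize_dn(subtree)
    return n_dn == n_sub or n_dn.endswith("," + n_sub)


def check_agreement(agreement_ldif, ad_users_ldif):
    """Return a report of which AD user DNs the agreement would consider."""
    agmt = parse_ldif(agreement_ldif)[0]
    subtree = agmt["nsds7WindowsReplicaSubtree"][0]
    # nsds7NewWinUserSyncEnabled gates creation of DS entries for AD users
    # that do not yet exist on the 389-ds side.
    flag = agmt.get("nsds7NewWinUserSyncEnabled", ["off"])[0].lower()
    report = {
        "agreement": agmt["dn"][0],
        "subtree": subtree,
        "new_user_sync": flag in ("on", "true", "yes"),
        "inside": [],
        "outside": [],
    }
    for entry in parse_ldif(ad_users_ldif):
        dn = entry["dn"][0]
        bucket = "inside" if in_subtree(dn, subtree) else "outside"
        report[bucket].append(dn)
    return report


if __name__ == "__main__":
    r = check_agreement(AGREEMENT_LDIF, AD_USERS_LDIF)
    print("agreement:", r["agreement"])
    print("AD subtree synced:", r["subtree"])
    print("new AD users created on DS side:", r["new_user_sync"])
    for dn in r["inside"]:
        print("  in scope :", dn)
    for dn in r["outside"]:
        print("  SKIPPED  :", dn)
```

With the constructed data, alice and carol are in scope and bob (under OU=Staff) is outside the agreement's subtree, so winsync would never consider him; when users live in OUs rather than directly under CN=Users, that is the first thing to compare before digging through logs. Replace the two LDIF constants with the real ldapsearch output (saved to files) to run the same check against a live setup.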