Este contenido no está disponible en el idioma seleccionado.
15.5. Managing Synchronization Agreements
15.5.1. Trusting the Active Directory and IdM CA Certificates
- On the Active Directory server, download the IdM server's CA certificate from
http://ipa.example.com/ipa/config/ca.crt
. - Install the IdM CA certificate in the Active Directory certificate database. This can be done using the Microsoft Management Console or the certutil utility. For example:
certutil -installcert -v -config "ipaserver.example.com\Example Domain CA" c:\path\to\ca.crt
For more details, see the Active Directory documentation. - Export the Active Directory CA certificate.
- In My Network Places, open the CA distribution point.
- Double-click the security certificate file (
.crt
file) to display the Certificate dialog box. - On the Details tab, click to start the Certificate Export Wizard.
- Click Base-64 encoded X.509 (.CER)., and then select
- Specify a suitable directory and file name for the exported file. Clickto export the certificate, and then click .
- Copy the Active Directory certificate over to the IdM server machine.
- Download the IdM server's CA certificate from
http://ipa.example.com/ipa/config/ca.crt
. - Copy both the Active Directory CA certificate and the IdM CA certificate into the
/etc/openldap/cacerts/
directory. - Update the hash symlinks for the certificates.
cacertdir_rehash /etc/openldap/cacerts/
- Edit the
/etc/openldap/ldap.conf
file, and add the information to point to and use the certificates in the/etc/openldap/cacerts/
directory.TLS_CACERTDIR /etc/openldap/cacerts/ TLS_REQCERT allow
15.5.2. Creating Synchronization Agreements
ipa-replica-manage connect
command because it creates a connection to the Active Directory domain. The options to create the synchronization agreement are listed in Table 15.2, “Synchronization Agreement Options”.
- Make sure that the Active Directory and IdM servers trust each other's CA certificates, as in Section 15.5.1, “Trusting the Active Directory and IdM CA Certificates”.
- Remove any existing Kerberos credentials on the IdM server.
$ kdestroy
- Use the
ipa-replica-manage
command to create a Windows synchronization agreement. This requires the--winsync
option. If passwords will be synchronized as well as user accounts, then also use the--passsync
option and set a password to use for Password Sync.The--binddn
and--bindpwd
options give the username and password of the system account on the Active Directory server that IdM will use to connect to the Active Directory server.$ ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw Windows-secret --passsync secretpwd --cacert /etc/openldap/cacerts/windows.cer adserver.example.com -v
- When prompted, enter the Directory Manager password.
- Optional. Configure Password Synchronization, as in Section 15.6.2, “Setting up Password Synchronization”.
Option | Description |
---|---|
--winsync | Identifies this as a synchronization agreement. |
--binddn | Gives the full user DN of the synchronization identity. This is the user DN that the IdM LDAP server uses to bind to Active Directory. This user must exist in the Active Directory domain and must have replicator, read, search, and write permissions on the Active Directory subtree. |
--bindpw | Gives the password for the sync user. |
--passsync | Gives the password for the Windows user account which is involved in synchronization. |
--cacert | Gives the full path and file name of the Active Directory CA certificate. This certificate is exported in Section 15.5.1, “Trusting the Active Directory and IdM CA Certificates”. |
--win-subtree | Gives the DN of the Windows subtree containing the users to synchronize. The default value is cn=Users,$SUFFIX . |
AD_server_name | Gives the hostname of the Active Directory domain controller. |
15.5.3. Changing the Behavior for Syncing User Account Attributes
ldapmodify
command to modify the LDAP server entry directly.
ipaWinSyncAcctDisable
attribute. (Changing this means that if an account is disabled in Active Directory, it is still active in IdM and vice versa.)
[jsmith@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password dn: cn=ipa-winsync,cn=plugins,cn=config changetype: modify replace: ipaWinSyncAcctDisable ipaWinSyncAcctDisable: none modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
Parameter | Description | Possible Values |
---|---|---|
General User Account Parameters | ||
ipaWinSyncNewEntryFilter | Sets the search filter to use to find the entry which contains the list of object classes to add to new user entries. | The default is (cn=ipaConfig) . |
ipaWinSyncNewUserOCAttr | Sets the attribute in the configuration entry which actually contains the list of object classes to add to new user entries. | The default is ipauserobjectclasses . |
ipaWinSyncHomeDirAttr | Identifies which attribute in the entry contains the default location of the POSIX home directory. | The default is ipaHomesRootDir . |
ipaWinSyncUserAttr | Sets an additional attribute with a specific value to add to Active Directory users when they are synced over from the Active Directory domain. If the attribute is multi-valued, then it can be set multiple times, and the sync process adds all of the values to the entry.
Note
This only sets the attribute value if the entry does not already have that attribute present. If the attribute is present, then the entry's value is used when the Active Directory entry is synced over.
| ipaWinSyncUserAttr: attributeName attributeValue |
ipaWinSyncForceSync | Sets whether to check existing IdM users which match an existing Active Directory user should be automatically edited so they can be synchronized. If an IdM user account has a uid parameter which is identical to the samAccountName in an existing Active Directory user, then that account is not synced by default. This attribute tells the sync service to add the ntUser and ntUserDomainId to the IdM user entries automatically, which allows them to be synchronized. | true | false |
User Account Lock Parameters | ||
ipaWinSyncAcctDisable | Sets which way to synchronize account lockout attributes. It is possible to control which account lockout settings are in effect. For example, to_ad means that when account lockout attribute is set in IdM, its value is synced over to Active Directory and overrides the local Active Directory value. By default, account lockout attributes are synced from both domains. |
|
ipaWinSyncInactivatedFilter | Sets the search filter to use to find the DN of the group used to hold inactivated (disabled) users. This does not need to be changed in most deployments. | The default is (&(cn=inactivated)(objectclass=groupOfNames)) . |
ipaWinSyncActivatedFilter | Sets the search filter to use to find the DN of the group used to hold active users. This does not need to be changed in most deployments. | The default is (&(cn=activated)(objectclass=groupOfNames)) . |
Group Parameters | ||
ipaWinSyncDefaultGroupAttr | Sets the attribute in the new user account to reference to see what the default group for the user is. The group name in the entry is then used to find the gidNumber for the user account. | The default is ipaDefaultPrimaryGroup . |
ipaWinSyncDefaultGroupFilter | Sets the search filter to map the group name to the POSIX gidNumber . | The default is (&(gidNumber=*)(objectclass=posixGroup)(cn= groupAttr_value)) . |
Realm Parameters | ||
ipaWinSyncRealmAttr | Sets the attribute which contains the realm name in the realm entry. | The default is cn . |
ipaWinSyncRealmFilter | Sets the search filter to use to find the entry which contains the IdM realm name. | The default is (objectclass=krbRealmContainer) . |
15.5.4. Changing the Synchronized Windows Subtree
cn=users,cn=accounts,$SUFFIX
, and for Active Directory, the default is CN=Users,$SUFFIX
.
--win-subtree
option. After the agreement is created, the Active Directory subtree can be changed by using the ldapmodify
command to edit the nsds7WindowsReplicaSubtree
value in the sync agreement entry.
- Get the name of the sync agreement, using
ldapsearch
. This search returns only the values for thedn
andnsds7WindowsReplicaSubtree
attributes instead of the entire entry.[jsmith@ipaserver ~]$ ldapsearch -xLLL -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com -b cn=config objectclass=nsdswindowsreplicationagreement dn nsds7WindowsReplicaSubtree dn: cn=meToWindowsBox.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config nsds7WindowsReplicaSubtree: cn=users,dc=example,dc=com ... 8< ...
- Modify the sync agreement
[jsmith@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -W -p 389 -h ipaserver.example.com <<EOF dn: cn=meToWindowsBox.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify replace: nsds7WindowsReplicaSubtree nsds7WindowsReplicaSubtree: cn=alternateusers,dc=example,dc=com EOF modifying entry "cn=meToWindowsBox.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
15.5.5. Configuring Uni-Directional Sync
oneWaySync
parameter on the sync agreement. The possible values are fromWindows
(for Active Directory to Identity Management sync) and toWindows
(for Identity Management to Active Directory sync).
[jsmith@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com dn: cn=windows.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify add: oneWaySync oneWaySync: fromWindows
Important
15.5.6. Deleting Synchronization Agreements
ipa-replica-manage disconnect
command and then the hostname of the Active Directory server.
- Delete the sync agreement.
# ipa-replica-manage disconnect adserver.example.com
- Remove the Active Directory CA certificate from the IdM server database:
# certutil -D -d /etc/dirsrv/slapd-EXAMPLE.COM/ -n "Imported CA"
15.5.7. Winsync Agreement Failures
One of the most common sync agreement failures is that the IdM server cannot connect to the Active Directory server:
"Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
/etc/dirsrv/slapd-DOMAIN/
directory) with the name Imported CA. This can be checked using certutil
:
$ certutil -L -d /etc/dirsrv/slapd-DOMAIN/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA certificate CTu,u,Cu Imported CA CT,,C Server-Cert u,u,u Imported CA CT,,C
# certutil -d /etc/dirsrv/slapd-DOMAIN-NAME -D -n "Imported CA"
For some entries in the user database, there may be an informational error message that the password is not being reset because the entry already exists:
"Windows PassSync entry exists, not resetting password"