Hi all,
Is it possible to do a synchronisation of a Windows peer without the Windows user that I use to bind being a domain admin? I have a read-only user with which I can run ldapsearch and find all users' data in the AD directory, but using the same user to sync with fails. The replication status says "total update completed" but I see no updates to my FDS directory.
If I modify this user in AD to be a domain admin it works correctly, but what I want to know is why can't I use a read-only user to sync? Is there any way around this?
Thanks Nick
This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
Messages sent to and from Quadriga may be monitored.
Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
You should carry out your own virus checks before opening any attachment.
Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
Nicholas Byrne wrote:
Hi all,
Is it possible to do a synchronisation of a Windows peer without the Windows user that I use to bind being a domain admin? I have a read-only user with which I can run ldapsearch and find all users' data in the AD directory, but using the same user to sync with fails. The replication status says "total update completed" but I see no updates to my FDS directory.
If I modify this user in AD to be a domain admin it works correctly, but what I want to know is why can't I use a read-only user to sync? Is there any way around this?
Because in order for sync to work, Fedora DS must be able to modify the AD data, to send updates to AD. Windows Sync is bi-directional, and cannot be changed to uni-directional (at least, not without a lot of hacking).
You do not have to use the Domain Admin user. You can create another user which has the ability to read-write the AD data.
Thanks Nick
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Nicholas Byrne wrote:
Is it possible to do a synchronisation of a Windows peer without the Windows user that I use to bind being a domain admin?
No. I'm not 100% sure but I believe you need to be a domain admin to use the dirsync control, which FDS uses to pull entries from AD.
If that isn't the problem then I'm not sure what's going on. You certainly need to bind as a domain admin to modify passwords in AD, but from your description of the problem you're not expecting that to work anyway, just the AD->FDS entry sync functionality. Note that because passwords are modified with a separate operation, outbound sync (sans passwords) should still work if the bind identity is not a domain admin (but has rights to modify the target entries).
I haven't tested this, but it might be possible. See Microsoft KB article 303972. -Glenn.
http://support.microsoft.com/kb/303972/
---------- Original Message ----------- From: Nicholas Byrne nicholas.byrne@quadriga.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Sent: Fri, 01 Dec 2006 17:05:09 +0000 Subject: [Fedora-directory-users] Windows Sync without Domain Admin?
Hi all,
Is it possible to do a synchronisation of a Windows peer without the Windows user that I use to bind being a domain admin? I have a read-only user with which I can run ldapsearch and find all users' data in the AD directory, but using the same user to sync with fails. The replication status says "total update completed" but I see no updates to my FDS directory.
If I modify this user in AD to be a domain admin it works correctly, but what I want to know is why can't I use a read-only user to sync? Is there any way around this?
Thanks Nick
It works well. Just as described in the article, adding the "Replicating Directory Changes" permission to a read-only user allows me to synchronise. Creation and deletion of entries don't get pushed to AD, as expected, whereas changes on AD get pulled to FDS.
Thanks very much Nick
Glenn wrote:
I haven't tested this, but it might be possible. See Microsoft KB article 303972. -Glenn.
http://support.microsoft.com/kb/303972/
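The permission Glenn pointed to and Nick confirmed is the DS-Replication-Get-Changes extended right ("Replicating Directory Changes") on the domain naming context, which is what the DirSync control checks. The following PowerShell is an added example, not code from the thread or from the Fedora/389 Directory Server project: it grants only that right to a dedicated sync account, verifies the ACE, and runs a DirSync search as that account so you can see it work before touching the FDS agreement. It assumes RSAT (the ActiveDirectory module) on the host you run it from, a Domain Admin session for the grant, and a sync account named "fdssync" (a hypothetical name; substitute your own). The two GUIDs are the rightsGuid values of the corresponding controlAccessRight objects in the AD schema.

```powershell
# Added example (not from the mailing-list thread or the FDS/389 project).
# Assumptions: ActiveDirectory module available; run as Domain Admin for the grant;
# 'fdssync' is a hypothetical sync account name.
Import-Module ActiveDirectory

$syncUser = 'fdssync'
$domain   = Get-ADDomain
$ncRoot   = $domain.DistinguishedName            # e.g. DC=example,DC=com
$sid      = (Get-ADUser -Identity $syncUser).SID

# Extended-right GUIDs (rightsGuid of the controlAccessRight schema objects).
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes ("Replicating Directory Changes")
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All: never grant this to a sync account;
                                                                  # together with Get-Changes it allows pulling password hashes (DCSync)

# 1. Grant Get-Changes on the NC root only (no inheritance needed; the right is checked on the NC head).
$aclPath = "AD:\$ncRoot"
$acl = Get-Acl -Path $aclPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GetChanges)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# 2. Verify: the account should hold Get-Changes and must NOT hold Get-Changes-All.
$rights = (Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$syncUser" -and
                   $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight }
$hasGetChanges    = [bool]($rights | Where-Object { $_.ObjectType -eq $GetChanges })
$hasGetChangesAll = [bool]($rights | Where-Object { $_.ObjectType -eq $GetChangesAll })
"Get-Changes: $hasGetChanges   Get-Changes-All (should be False): $hasGetChangesAll"

# 3. Test the DirSync control as the sync account (same control FDS uses to pull AD changes).
#    Without Get-Changes this search fails instead of returning entries.
$cred = Get-Credential -UserName "$($domain.NetBIOSName)\$syncUser" -Message 'Sync account password'
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($domain.PDCEmulator)/$ncRoot",
    $cred.UserName,
    $cred.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=user)', @('sAMAccountName'))
$searcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization  # attaches the DirSync control
$count = 0
foreach ($r in $searcher.FindAll()) { $count++ }
"DirSync as $syncUser returned $count user entries"
```

This covers only the AD->FDS direction that Nick was after. For FDS to push changes outbound, as Rich describes, the same account additionally needs write access on the synced OU (and, per Glenn, password changes are a separate operation that still requires more than this). Keep the sync account out of Domain Admins and audit the NC-root ACL periodically: an account holding both Get-Changes and Get-Changes-All is equivalent to a domain-wide credential dump.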