Richard Megginson
2006-Dec-01 16:23 UTC
Re: [Fedora-directory-users] Windows Sync without Domain Admin?
Nicholas Byrne wrote:
> Hi all,
>
> Is it possible to do a synchronisation of a Windows peer without the
> Windows user who I use to bind being a domain admin? I have a read-only
> user with which I can run ldapsearch and find all users' data in
> the AD directory but using the same user to sync with fails. The
> replication status says "total update completed" but I see no updates
> to my FDS directory.
>
> If I modify this user in AD to be a domain admin it works correctly,
> but what I want to know is why can't I use a read-only user to sync?
> Is there any way around this?

Because in order for sync to work, Fedora DS must be able to modify the AD data, to send updates to AD. Windows Sync is bi-directional, and cannot be changed to uni-directional (at least, not without a lot of hacking). You do not have to use the Domain Admin user. You can create another user which has the ability to read-write the AD data.

> Thanks
> Nick
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Nicholas Byrne
2006-Dec-01 17:05 UTC
[Fedora-directory-users] Windows Sync without Domain Admin?
Hi all,

Is it possible to do a synchronisation of a Windows peer without the Windows user who I use to bind being a domain admin? I have a read-only user with which I can run ldapsearch and find all users' data in the AD directory but using the same user to sync with fails. The replication status says "total update completed" but I see no updates to my FDS directory.

If I modify this user in AD to be a domain admin it works correctly, but what I want to know is why can't I use a read-only user to sync? Is there any way around this?

Thanks
Nick

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from Quadriga may be monitored. Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission. You should carry out your own virus checks before opening any attachment. Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
David Boreham
2006-Dec-01 18:05 UTC
Re: [Fedora-directory-users] Windows Sync without Domain Admin?
Nicholas Byrne wrote:
> Is it possible to do a synchronisation of a Windows peer without the
> Windows user who I use to bind being a domain admin?

No. I'm not 100% sure but I believe you need to be a domain admin to use the dirsync control, which FDS uses to pull entries from AD. If that isn't the problem then I'm not sure what's going on. You certainly need to bind as a domain admin to modify passwords in AD, but from your description of the problem you're not expecting that to work anyway, just the AD->FDS entry sync functionality. Note that because passwords are modified with a separate operation, outbound sync (sans passwords) should still work if the bind identity is not a domain admin (but has rights to modify the target entries).
Glenn
2006-Dec-06 22:01 UTC
Re: [Fedora-directory-users] Windows Sync without Domain Admin?
I haven't tested this, but it might be possible. See Microsoft KB article 303972.

-Glenn.

http://support.microsoft.com/kb/303972/

---------- Original Message -----------
From: Nicholas Byrne <nicholas.byrne@quadriga.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Fri, 01 Dec 2006 17:05:09 +0000
Subject: [Fedora-directory-users] Windows Sync without Domain Admin?

> Hi all,
>
> Is it possible to do a synchronisation of a Windows peer without the
> Windows user who I use to bind being a domain admin? I have a read-only
> user with which I can run ldapsearch and find all users' data in
> the AD directory but using the same user to sync with fails. The
> replication status says "total update completed" but I see no
> updates to my FDS directory.
>
> If I modify this user in AD to be a domain admin it works correctly,
> but what I want to know is why can't I use a read-only user to sync?
> Is there any way around this?
>
> Thanks
> Nick
Nicholas Byrne
2006-Dec-07 16:53 UTC
Re: [Fedora-directory-users] Windows Sync without Domain Admin?
It works well. Just as described in the article, adding "Replication Directory Changes" permission to a read-only user allows me to synchronise. Creation and deletion of entries don't get pushed to AD, as expected, whereas changes on AD get pulled to FDS.

Thanks very much
Nick

Glenn wrote:
> I haven't tested this, but it might be possible. See Microsoft KB article
> 303972. -Glenn.
>
> http://support.microsoft.com/kb/303972/
>
> ---------- Original Message -----------
> From: Nicholas Byrne <nicholas.byrne@quadriga.com>
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users@redhat.com>
> Sent: Fri, 01 Dec 2006 17:05:09 +0000
> Subject: [Fedora-directory-users] Windows Sync without Domain Admin?
>
>> Hi all,
>>
>> Is it possible to do a synchronisation of a Windows peer without the
>> Windows user who I use to bind being a domain admin? I have a read-only
>> user with which I can run ldapsearch and find all users' data in
>> the AD directory but using the same user to sync with fails. The
>> replication status says "total update completed" but I see no
>> updates to my FDS directory.
>>
>> If I modify this user in AD to be a domain admin it works correctly,
>> but what I want to know is why can't I use a read-only user to sync?
>> Is there any way around this?
>>
>> Thanks
>> Nick
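The outcome of the thread is a least-privilege sync account: one that holds the "Replicating Directory Changes" extended right on the domain partition rather than Domain Admin membership. Because that right lets an account read every attribute via replication, it is worth auditing who holds it. The PowerShell below is an added example, not code from the thread or from the KB article it cites; it assumes the RSAT ActiveDirectory module is installed, and the account name in $expected is a constructed placeholder.

```powershell
# Added example, not from the thread or the KB article it cites: list every
# principal granted "Replicating Directory Changes" on the domain partition,
# so the dedicated sync account can be confirmed and unexpected holders reviewed.
# Assumes the RSAT ActiveDirectory module; $expected holds constructed sample names.
Import-Module ActiveDirectory

$ar = [System.DirectoryServices.ActiveDirectoryRights]
# Well-known rightsGuid of the DS-Replication-Get-Changes extended right
# (displayed in the AD permission UI as "Replicating Directory Changes").
$replGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Principals that are supposed to hold the right (constructed sample value).
$expected = @('EXAMPLE\fds-sync')

function Get-ReplicationChangeHolders {
    $domain = Get-ADDomain
    $acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # An extended-right ACE scoped to this right, or to all extended rights
            ((($_.ActiveDirectoryRights -band $ar::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $replGetChanges -or $_.ObjectType -eq [Guid]::Empty)) -or
            # Full control on the partition implies every extended right as well
            (($_.ActiveDirectoryRights -band $ar::GenericAll) -eq $ar::GenericAll)
        )
    } | Select-Object -ExpandProperty IdentityReference -Unique
}

# Report each holder, flagging anything not on the expected list for review.
foreach ($holder in Get-ReplicationChangeHolders) {
    $status = if ($expected -contains $holder.Value) { 'expected' } else { 'REVIEW' }
    '{0,-9} {1}' -f $status, $holder.Value
}
```

Built-in holders such as Administrators, Domain Controllers and SYSTEM will appear in the output; add them to $expected once you have reviewed them. The check covers only the domain naming context root, not the configuration or schema partitions.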