
Chapter 8. Identity: Integrating with Microsoft Active Directory

8.1. About Active Directory and FreeIPA
8.2. About Synchronized Attributes
8.2.1. User Attribute Synchronization
8.2.2. Group Attribute Synchronization
8.3. Setting up Active Directory for Synchronization
8.4. Managing Synchronization Agreements
8.4.1. Trusting the Active Directory and FreeIPA CA Certificates
8.4.2. Creating Synchronization Agreements
8.4.3. Changing the Behavior for Syncing User Account Attributes
8.4.4. Changing the Synchronized Windows Subtree
8.4.5. Configuring Uni-Directional Sync
8.4.6. Deleting Synchronization Agreements
8.4.7. Winsync Agreement Failures
8.5. Managing Password Synchronization
8.5.1. Setting up the Windows Server for Password Synchronization
8.5.2. Setting up Password Synchronization
8.5.3. Exempting Active Directory Users from Password Synchronization
FreeIPA uses active synchronization to integrate user data stored in an Active Directory domain and the user data stored in the FreeIPA domain. Critical user attributes, including passwords, are synchronized between the services.
The capability to sync Active Directory and FreeIPA domains is inherent when a FreeIPA server is first installed. The synchronization process is configured by creating agreements between the FreeIPA server and the Active Directory domain controller.
This chapter describes how to configure synchronization, how to configure Active Directory for integration with FreeIPA, and how to configure Windows systems within the Active Directory domain to be aware of the FreeIPA domain.

8.1. About Active Directory and FreeIPA

Within the FreeIPA domain, information is shared among servers and replicas by copying it, reliably and predictably, from one data master (server) to another. This process is replication.
A similar process can be used to share data between the FreeIPA domain and a Microsoft Active Directory domain. This is synchronization.
Synchronization is the process of copying data back and forth between Active Directory and FreeIPA.
Synchronization is defined in an agreement between a FreeIPA server and an Active Directory domain controller. The sync agreement defines all of the information required to identify sync-able user entries (like the subtree to synchronize and requisite object classes in the user entries) as well as defining how account attributes are handled. The sync agreements are created with default values which can be tweaked to meet the needs of a specific domain. When two servers are involved in synchronization, they are called peers.
Synchronization is most commonly bi-directional. Information is sent back and forth between the FreeIPA domain and the Windows domain in a process that is very similar to how FreeIPA servers and replicas share information among themselves. It is possible to configure synchronization — or certain data areas — to only sync one way. That is uni-directional synchronization.
To reduce the risk of data conflicts, synchronization is configured between exactly one FreeIPA server and one Active Directory domain controller. The FreeIPA server then propagates the changes to the rest of the FreeIPA domain through normal replication, while the domain controller propagates them to the rest of the Windows domain.
There are some key features to FreeIPA synchronization:
  • A synchronization operation runs every five minutes.
  • Synchronization can only be configured with one Active Directory domain. Multiple domains are not supported.
  • Synchronization can only be configured with one Active Directory domain controller. However, it is possible to have a list of failover Active Directory domain controllers. Likewise, there can be a list of failover FreeIPA servers to keep synchronization uninterrupted.
  • Only user information is synchronized.
  • Both user attributes and passwords can be synchronized.
  • While modifications are bi-directional (going both from Active Directory to FreeIPA and from FreeIPA to Active Directory), creating or adding accounts are only uni-directional, from Active Directory to FreeIPA. New accounts created in Active Directory are synchronized over to FreeIPA automatically. However, user accounts created in FreeIPA must also be created in Active Directory before they will be synchronized.
  • Account lock information is synchronized by default, so a user account which is disabled in one domain is disabled in the other.
  • Password synchronization changes take effect immediately.
When Active Directory users are synchronized over to FreeIPA, certain IPA-specific attributes (including Kerberos and POSIX attributes) are automatically added to the user entries. These attributes are used by FreeIPA within its own domain; they are not synchronized back to the corresponding Active Directory user entry.
Some of the data can also be modified as part of the synchronization process. For example, certain attributes can be automatically added to Active Directory user accounts when they are synced over to the FreeIPA domain. These attribute changes are defined as part of the synchronization agreement and are described in Section 8.4.3, “Changing the Behavior for Syncing User Account Attributes”.
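Because account creation only flows from Active Directory to FreeIPA, a user added on the FreeIPA side silently stays out of sync until a matching account exists in Active Directory. The following script is an added example (not part of the FreeIPA documentation or the winsync code) that reports such FreeIPA-only accounts. It assumes the FreeIPA list was captured with `ipa user-find --all --raw` and the Active Directory list as one sAMAccountName per line (for instance from `Get-ADUser -Filter *`); both inputs below are constructed sample data, and the matching rule (FreeIPA `uid` against AD `sAMAccountName`, compared case-insensitively) is this example's assumption.

```python
"""Report FreeIPA users that have no Active Directory counterpart.

Added example for the winsync overview; not FreeIPA project code.
Winsync creates accounts only in the AD -> FreeIPA direction, so every
user listed here will not be synchronized until the same account is
created in Active Directory.
"""
import re

# Constructed sample of `ipa user-find --all --raw` output (hypothetical).
IPA_USER_FIND_OUTPUT = """\
--------------
3 users matched
--------------
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  uid: admin
  objectclass: top
  objectclass: person

  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  uid: alice
  objectclass: top

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
  uid: bob
  objectclass: top
----------------------------
Number of entries returned 3
----------------------------
"""

# Constructed sample of AD sAMAccountName values, one per line (hypothetical).
AD_SAMACCOUNTNAMES = """\
Administrator
Alice
carol
"""

_UID_LINE = re.compile(r"^\s*uid:\s*(\S+)\s*$")


def parse_ipa_user_find(text: str) -> set[str]:
    """Extract lower-cased uid values from raw `ipa user-find` output.

    Only lines of the form `uid: <value>` are used; the dn line also
    contains the uid but is ignored so each user is counted once.
    """
    uids = set()
    for line in text.splitlines():
        match = _UID_LINE.match(line)
        if match:
            uids.add(match.group(1).lower())
    return uids


def parse_name_list(text: str) -> set[str]:
    """Parse a one-name-per-line list, ignoring blanks and '#' comments."""
    names = set()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            names.add(stripped.lower())
    return names


def unsynced_ipa_users(ipa_output: str, ad_names: str) -> list[str]:
    """Return sorted FreeIPA uids with no matching AD sAMAccountName.

    The comparison is case-insensitive because sAMAccountName lookups in
    Active Directory are case-insensitive (assumption for this example).
    """
    ipa_uids = parse_ipa_user_find(ipa_output)
    ad_accounts = parse_name_list(ad_names)
    return sorted(ipa_uids - ad_accounts)


if __name__ == "__main__":
    for uid in unsynced_ipa_users(IPA_USER_FIND_OUTPUT, AD_SAMACCOUNTNAMES):
        print(f"not synchronized (no AD account): {uid}")
```

In the constructed data, `alice` matches `Alice` and is synchronized, while `admin` and `bob` have no AD account and are reported; `carol` exists only in AD and is not reported, because accounts created in Active Directory are synchronized to FreeIPA automatically. A practitioner would run this after each bulk user import on the FreeIPA side and create the missing AD accounts before expecting passwords or lock status to stay in step.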