Is it possible for 389 Directory Server to do read-only AD sync

Tags: 389-ds, active-directory

Goal: Have 389 Directory Server (AKA Red Hat/CentOS/Fedora DS) pull account info from AD, allowing both AD accounts and 389-native accounts to be authenticated through 389 DS, but have the sync be one way, AD->389. We don't want accidental/malicious changes made on the 389 server to replicate back to AD. Ideally, we also wouldn't have to use a Domain Admin equivalent user.

All the existing documentation (most referencing http://www.centos.org/docs/5/html/CDS/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html) makes it appear to be a two-way sync. Am I barking up the wrong tree?

**Edit:** I was going to not explain the higher-level goal in order to keep it focused, but the actual endgame is for our students (to be provisioned in 389) and our employees (in AD) to be able to authenticate against CAS (http://www.jasig.org/cas) for our various systems, mostly web-based. Don't ask why we're doing it that way, that's just what was presented to me to support. I have a feeling there's a simpler/more obvious/more commonly documented way, but I'm certainly not a cross-platform authentication/authorization expert. (Words like Kerberos, RADIUS and/or PAM come to mind, but I don't rightly know exactly what all those actually are, the pros/cons, etc…but since we're already using RADIUS against our AD for wireless 802.1x…)

Best Answer

Yes, it is possible. Upgrade your 389 DS to version 1.2.7 or higher.

It is shipped with a one-way AD sync plugin which allows Windows Sync to go only from AD to DS, or only from DS to AD, instead of just the default bi-directional sync.

Refer: http://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html
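As an added illustration (not part of the answer above or of the 389 DS project's own documentation), this is what the agreement looks like once the one-way setting is applied: the `oneWaySync: fromWindows` attribute is what stops changes made on the 389 side from being pushed back to AD. All host names, suffixes, DNs and the bind account are placeholders.

```ldif
# Windows sync agreement for a 389 DS suffix (placeholder: dc=example,dc=com).
# Without the oneWaySync attribute the agreement is the default bi-directional
# sync; adding "oneWaySync: fromWindows" makes it AD -> DS only, so edits made
# on the 389 side are never written to AD.
dn: cn=ADSync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ADSync
nsDS5ReplicaHost: ad.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=ds-sync,cn=Users,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: <PLACEHOLDER-PASSWORD>
nsDS5ReplicaRoot: dc=example,dc=com
# Subtree on the AD side to read users/groups from, and the DS subtree to
# create the synced entries in (both placeholders).
nsDS7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsDS7NewWinUserSyncEnabled: on
nsDS7NewWinGroupSyncEnabled: on
nsDS7WindowsDomain: EXAMPLE
# The one-way setting: accept changes from AD, never send DS changes to AD.
oneWaySync: fromWindows

# Converting an existing (bi-directional) agreement in place: feed this
# change record to ldapmodify as Directory Manager on the 389 server.
dn: cn=ADSync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: fromWindows
```

After applying it, a quick check is to modify a synced attribute on the 389 side and confirm the corresponding AD object does not change; with the attribute absent (or set to `toWindows`) the edit would be written to AD.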
