Goal: Have 389DirectoryServer (AKA Redhat/Centos/Fedora DS) pull account info from AD, allowing both AD accounts and 389-native accounts to be authenticated through 389DS, but have the sync be one way, AD->389. We don't want accidental/malicious changes made on the 389 server to replicate back to AD. Ideally, we also wouldn't have to use a DomainAdmin equivalent user.
All the existing documentation (most referencing http://www.centos.org/docs/5/html/CDS/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html) makes it appear to be a two-way sync. Am I barking up the wrong tree?
**Edit:** I was going to not explain the higher-level goal in order to keep it focused, but the actual endgame is for our students (to be provisioned in 389) and our employees (in AD) to be able to authenticate against CAS for our various systems, mostly web-based (http://www.jasig.org/cas). Don't ask why we're doing it that way, that's just what was presented to me to support. I have a feeling there's a simpler/more obvious/more commonly documented way, but I'm certainly not a cross-platform authentication/authorization expert. (Words like Kerberos, RADIUS and/or PAM come to mind, but I don't rightly know exactly what all those actually are, the pros/cons, etc., but since we're already using RADIUS against our AD for Wireless 802.1x...)
We bit the bullet and put all of our (20K plus) student accounts into AD. It made some things one heck of a lot simpler. One-directory-to-rule-them-all is a lot easier to support for client services as well. We had to build one-way syncs from our identity master (Banner) and build a completely separate password-change page for everyone's use.
It gave us a single LDAP source for all authentication. We also use CAS for SSO, and this certainly made things easier. Also, our WLAN authentication page only has a single directory to query, as well as all the myriad non-CAS web-apps we have knocking about on departmental web-servers.
Yes, it is possible. Upgrade your 389 DS to version 1.2.7 or higher.
It ships with a one-way AD sync plugin which allows Windows Sync to go only from AD to DS, or only from DS to AD, instead of the default bi-directional sync.
Refer: http://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html
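As an added illustration of the setting the answer above refers to (not part of the original answer or of the 389 project docs), here is a Windows Sync agreement entry with the `oneWaySync` attribute that restricts replication to AD -> 389. The suffix `dc=example,dc=com`, the AD host `ad.example.com`, the domain `EXAMPLE`, the bind account `cn=dssync,...` and both replica-area DNs are assumed placeholders; the suffix must already have a replica configured, as for any Windows Sync agreement.

```ldif
# Added example: a 389DS Windows Sync agreement limited to AD -> DS.
# All DNs, hostnames and the bind account below are placeholders.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f agreement.ldif

dn: cn=ad-to-ds,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ad-to-ds
nsds5ReplicaRoot: dc=example,dc=com
# AD side: connect over LDAPS so AD accepts the bind and any
# password attributes are never sent in the clear.
nsds5ReplicaHost: ad.example.com
nsds5ReplicaPort: 636
nsds5ReplicaTransportInfo: SSL
# Bind account in AD used by the sync (placeholder). For a pull-only
# sync it does not need to write to AD; it needs read access to the
# Windows replica area plus the right to use the DirSync control.
nsds5ReplicaBindDN: cn=dssync,cn=Users,dc=example,dc=com
nsds5ReplicaBindMethod: SIMPLE
nsds5ReplicaCredentials: CHANGE-ME
# Which subtrees are kept in sync on each side.
nsds7WindowsReplicaArea: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaArea: ou=People,dc=example,dc=com
nsds7WindowsDomain: EXAMPLE
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
# The attribute that answers the question. Leaving it out gives the
# default bi-directional sync; "toWindows" is the opposite direction.
# With fromWindows, edits made on the 389 side are not pushed to AD.
oneWaySync: fromWindows
```

Entries created directly in `ou=People` (the 389-native student accounts in the question) are unaffected by the agreement, so both populations can be served from the same suffix while only AD remains authoritative for the synced users.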
What happens if you set up the sync agreement using an account that has read-only access to AD?
If that doesn't work (at best, it would probably be something of a hack), then can you use 389DS's database links or referrals functionality instead?