[389-devel] One Way AD Sync

Rich Megginson rmeggins at redhat.com
Fri Nov 5 15:24:22 UTC 2010 

Nathan Kinder wrote:
> Please review these design notes for implementing one way AD sync.  In 
> particular, I'm concerned about the possible inconsistencies that can 
> arise from directly modifying a synced entry on the DS side.  Does using 
> access control seem sufficient for avoiding these inconsistencies?
>   
How would you use access control?
> If these notes look OK, I'll get everything posted up on the 389 wiki.
>
> Thanks,
> -NGK
>
> One Way Sync
>
> Some deployments would prefer that AD sync is only performed in one 
> direction.  More specifically, updates will be pulled from AD, but 
> changes to DS will not be pushed back to AD.  Ideally, one would 
> restrict direct updates to synchronized entries in DS by configuring 
> access control.
>
> To implement one-way sync, we need to add a new configuration attribute 
> to the sync agreement entry.  This attribute will be named "oneWaySync" 
> and will default to "false" if it is not specified to maintain backwards 
> compatibility.  When this attribute is set to "true", updates will only 
> go in the AD->DS direction.
>
> If one way sync is enabled and changes are made to a synced entry on the 
> DS side, a replication session with AD will be started.  In this 
> session, we will not send any updates, but we will send the Dirsync 
> control to AD to pull any updates.  This will result in an inconsistency 
> in the modified entry between AD and DS.  This inconsistency will be 
> resolved the next time any update is made to the entry on the AD side 
> since we compare the entire entry between AD and DS when we receive a 
> change via Dirsync.  To avoid these inconsistencies, it is recommended 
> to not allow direct updates to synced attributes in entries on the DS side.
>
> Another inconsistency that can occur is if a synced entry is directly 
> deleted from DS.  This deletion is not sent to AD.  In this case, an 
> update to the entry on the AD side will result in the entry being added 
> back to DS.  The direct deletion of synced entries on the DS side should 
> be avoided to prevent these inconsistencies.
>
> Inside of the replication plug-in, we simply skip sending updates in 
> both the total and incremental replication protocol sessions when using 
> a one way sync agreement.  We don't want to change the RUV 
> implementation for a one way sync agreement, so we will just 
> fast-forward the RUV that we maintain for the AD system as if we had 
> successfully sent the changes.
> --
> 389-devel mailing list
> 389-devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-devel
>

More information about the 389-devel mailing list