Rich,<div><br></div><div>I found a problem, seems to be a bug:</div><div><br></div><div>When I deleted the user from my AD, the plugin did not update the group (did not test deleting first in 389 DS). So the user does not exist, but the 389 DS group shows me the entry.</div>
<div><br></div><div>When I create the user again, the 389 (replication plugin or whatever) deletes everyone from my group in 389 DS.</div><div><br></div><div>I'm not sure if it is a 389 DS console problem or a plugin replication problem.</div>
<div><br></div><div>Could not find anything related to it in the bugs.</div><div><br></div><div>Thanks</div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Thu, Jul 5, 2012 at 4:42 PM, Rich Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
    On 07/05/2012 01:32 PM, Alberto Viana wrote:
    <blockquote type="cite">I have a replication with a 389 DS server and my AD
      domain. According to the documentation the field used to control
      the replication is &quot;NT user ID&quot; on 389 DS and it is populated from
      Active Directory's field &quot;<span style="line-height:17px;text-align:left;font-size:13px;font-family:Arial,Helvetica,FreeSans,sans-serif">sAMAccountName&quot;.</span>
      <div>
        <span style="line-height:17px;text-align:left;font-size:13px;font-family:Arial,Helvetica,FreeSans,sans-serif"><br>
        </span></div>
      <div><span style="line-height:17px;text-align:left;font-size:13px;font-family:Arial,Helvetica,FreeSans,sans-serif">The
          fact is that &quot;</span><span style="line-height:17px;text-align:left;font-size:13px;font-family:Arial,Helvetica,FreeSans,sans-serif">sAMAccountName&quot;
          is limited to 20 char</span><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif">acters. </font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif"><br>
          </font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif"><br>
          </font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif">My problem is that I always create
            my users in the Active Directory first, so when I create a
            user longer than 20 characters, 389 DS creates it missing
            letters (of course the problem is about a Windows limitation
            and I know that). I'm just trying to find out the easiest
            solution to my problem.</font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif"><br>
          </font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif">For example, I have a user called
            &quot;therezinha.figueiredo&quot; and when I create it on my AD the &quot;</font></span><span style="line-height:17px;text-align:left;font-size:13px;font-family:Arial,Helvetica,FreeSans,sans-serif">sAMAccountName&quot;
          is &quot;</span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">therezinha.figueired&quot;,
          so the replication plugin creates in the 389 Server a user
          called &quot;</span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">therezinha.figueired&quot;</span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif"><br>
        </span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">I
          also tried to modify the user uid and keep the &quot;NT user ID&quot;.
          For example:</span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif"><br>
        </span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">After
          the replication plugin created the user called </span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">&quot;</span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">therezinha.figueired&quot;
          I modified it manually to </span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">&quot;</span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">therezinha.figueiredo&quot;
          and kept the &quot;NT user ID&quot;, but something strange happened with
          this user's groups (in the 389 DS and also in the Active
          Directory).</span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif"><br>
          </font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px"><font face="arial, sans-serif"><br>
          </font></span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">Any
          clues? Can I use another field to populate users &quot;NT user ID&quot;
          and  </span><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">change
          it on the replication plugin? <br>
        </span></div>
    </blockquote>
    <br></div></div>
    It will be a manual process, but you might be able to create the
    user first in AD, then manually create the user in 389, with the
    ntUniqueID field set to the objectGUID of the AD entry.  389 winsync
    uses the uid -&gt; samAccountName for the initial mapping, but once
    that is established, it uses ntUniqueID -&gt; objectGUID.<br>
    <br>
    At any rate, please file a ticket at <br>
    <a href="https://fedorahosted.org/389" target="_blank">https://fedorahosted.org/389</a><br>
    <blockquote type="cite">
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif"><br>
        </span></div>
      <div style="text-align:left"><font face="arial, sans-serif"><span style="line-height:16px"><br>
          </span></font></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">Thanks </span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif"><br>
        </span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif">Alberto
          Viana</span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif"><br>
        </span></div>
      <div><span style="line-height:16px;text-align:left;font-size:13px;font-family:arial,sans-serif"><br>
        </span></div>
      <br><span class="HOEnZb"><font color="#888888">
    </font></span></blockquote>
    <br>
  </div>

</blockquote></div><br></div>
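An added example, not part of the thread or of 389 DS: a pre-flight check that lists which intended 389 DS uids will not survive the 20-character sAMAccountName limit described above, and which distinct uids end up with the same truncated name, so those accounts can be handled with the manual ntUniqueID procedure from the reply. The function names and the sample uids other than "therezinha.figueiredo" are constructed; truncation at 20 characters follows the behaviour reported in the thread, and names are compared case-insensitively.

```python
from collections import defaultdict

SAM_MAX = 20  # sAMAccountName length limit stated in the thread


def sam_account_name(uid):
    """Name AD ends up with when a longer login name is cut at the limit."""
    return uid[:SAM_MAX]


def audit_uids(uids):
    """Check intended uids against the sAMAccountName limit.

    Returns (truncated, collisions):
      truncated  -- {uid: sAMAccountName} for every uid that gets cut
      collisions -- {sAMAccountName: [uids]} where distinct uids share a name,
                    so the initial uid -> sAMAccountName mapping is ambiguous
    """
    truncated = {}
    by_sam = defaultdict(list)
    for uid in uids:
        sam = sam_account_name(uid)
        if sam != uid:
            truncated[uid] = sam
        # Group on lower case: both attributes match case-insensitively.
        by_sam[sam.lower()].append(uid)
    collisions = {
        sam: names
        for sam, names in by_sam.items()
        if len({n.lower() for n in names}) > 1
    }
    return truncated, collisions


if __name__ == "__main__":
    # Constructed sample input; only the first name comes from the thread.
    sample = ["therezinha.figueiredo", "therezinha.figueiredes", "short.user"]
    cut, clash = audit_uids(sample)
    for uid, sam in cut.items():
        print(f"{uid!r} is stored in AD as {sam!r}")
    for sam, names in clash.items():
        print(f"{sam!r} is shared by {names}")
```
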