Hello list,
According to the RHDS Administration Guide in the chapter on Windows Sync (page 531):
"The membership of groups is synchronized with the constraint that only those members that are also within the scope of the agreement are propagated" (note that I did not read this before the test)
I have tried the following:
In AD I have:
ou=LinuxUsers
ou=LinuxGroups
I have configured two separate synchronization agreements in RHDS, one that populates ou=People from ou=LinuxUsers in AD and one that populates ou=Groups from ou=LinuxGroups in AD.
The synchronization works, and after it is complete I use ldapsearch on ou=Groups in RHDS and ou=LinuxGroups in AD, and the member attributes are indeed missing on the RHDS side.
So, in order to keep group membership I need to synchronize the parent ou of both users and groups. So something like ou=LinuxUsers,ou=Linux,dc=... and ou=LinuxGroups,ou=Linux,dc=... must be created in AD, and in the synchronization agreement I will sync ou=Linux and get both users and groups. The alternative is to synchronize with the current parent of LinuxUsers and LinuxGroups.
Is this correct?
Do you know why this "limitation" exists?
Thanks
Erling
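The constraint quoted above ("only those members that are also within the scope of the agreement are propagated") can be checked before a sync is configured. The script below is an added example, not part of this thread or of RHDS: it reads a constructed LDIF export of AD groups, tests each member DN against the AD subtree(s) an agreement covers, and reports which members would be kept and which would be dropped on the RHDS side. The OU and DC names are assumptions for illustration.

```python
"""Pre-check for a Windows Sync agreement: which group members lie inside the
agreement's AD subtree (propagated) and which lie outside (silently dropped)."""
import re

def norm_dn(dn):
    """Normalize a DN for comparison: lowercase, strip spaces around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def in_scope(dn, scope):
    """True if dn equals scope or sits beneath it; the leading comma keeps the
    check on an RDN boundary (dc=notexample,dc=com is not under dc=example,dc=com)."""
    d, s = norm_dn(dn), norm_dn(scope)
    return d == s or d.endswith("," + s)

def parse_ldif_groups(ldif):
    """Minimal LDIF reader (no base64/continuation lines): {group_dn: [member_dn, ...]}."""
    groups = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn, members = None, []
        for line in block.splitlines():
            key, _, val = line.partition(":")
            if key.lower() == "dn":
                dn = val.strip()
            elif key.lower() == "member":
                members.append(val.strip())
        if dn:
            groups[dn] = members
    return groups

def check_membership(ldif, scopes):
    """Split each group's members into kept/dropped for the given agreement scope(s)."""
    report = {}
    for gdn, members in parse_ldif_groups(ldif).items():
        kept = [m for m in members if any(in_scope(m, s) for s in scopes)]
        report[gdn] = {"kept": kept, "dropped": [m for m in members if m not in kept]}
    return report

# Constructed sample (assumed names): one AD group under ou=LinuxGroups whose
# members live in ou=LinuxUsers, plus one member outside the Linux OUs entirely.
SAMPLE_LDIF = """\
dn: CN=sysadmins,OU=LinuxGroups,OU=Linux,DC=example,DC=com
objectClass: group
member: CN=alice,OU=LinuxUsers,OU=Linux,DC=example,DC=com
member: CN=bob,OU=LinuxUsers,OU=Linux,DC=example,DC=com
member: CN=carol,OU=Staff,DC=example,DC=com
"""

if __name__ == "__main__":
    # Separate agreement per OU: the groups agreement never covers the users, all dropped.
    print(check_membership(SAMPLE_LDIF, ["OU=LinuxGroups,OU=Linux,DC=example,DC=com"]))
    # One agreement on the common parent ou=Linux: alice and bob kept, carol still dropped.
    print(check_membership(SAMPLE_LDIF, ["OU=Linux,DC=example,DC=com"]))
```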
Erling Ringen Elvsrud wrote:
> Hello list,
> According to the RHDS Administration Guide in the chapter on Windows Sync (page 531):
> "The membership of groups is synchronized with the constraint that only those members that are also within the scope of the agreement are propagated" (note that I did not read this before the test)
> I have tried the following:
> In AD I have:
> ou=LinuxUsers
> ou=LinuxGroups
> I have configured two separate synchronization agreements in RHDS, one that populates ou=People from ou=LinuxUsers in AD and one that populates ou=Groups from ou=LinuxGroups in AD.
> The synchronization works, and after it is complete I use ldapsearch on ou=Groups in RHDS and ou=LinuxGroups in AD, and the member attributes are indeed missing on the RHDS side.
> So, in order to keep group membership I need to synchronize the parent ou of both users and groups. So something like ou=LinuxUsers,ou=Linux,dc=... and ou=LinuxGroups,ou=Linux,dc=... must be created in AD, and in the synchronization agreement I will sync ou=Linux and get both users and groups. The alternative is to synchronize with the current parent of LinuxUsers and LinuxGroups.
> Is this correct?
> Do you know why this "limitation" exists?

I think it is a side effect of the way the AD DirSync control works - it applies to the domain suffix (dc=company,dc=com) and all sub containers (OUs, CNs) under that suffix. It does not apply only to specific subtrees under the domain suffix.
http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
http://support.microsoft.com/kb/891995

> Thanks
> Erling
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users