Erling Ringen Elvsrud wrote:
According to the RHDS Administration Guide in the chapter on
Windows Sync (page 531):
"The membership of groups is synchronized with the constraint that
only those members that are also within the scope of the agreement are
(note that I did not read this before the test)
I have tried the following:
In AD I have:
I have configured two separate synchronization agreements in RHDS, one
that populates ou=People from ou=LinuxUsers in AD and one that
populates ou=Groups from ou=LinuxGroups in AD.
The synchronization works, and after it is complete I use ldapsearch
on ou=Groups in RHDS and ou=LinuxGroups in AD and the
member-attributes are indeed missing on the RHDS side.
So, in order to keep group-membership I need to synchronize the parent ou of
both users and groups. So something like
ou=LinuxUsers,ou=Linux, dc=... and
ou=LinuxGroups, ou=Linux, dc=... must be created in AD, and in the
synchronization agreement I will sync ou=Linux and get both users and groups.
The alternative is to synchronize with the current parent of
LinuxUsers and LinuxGroups.
Is this correct?
Do you know why this "limitation" exists?
I think it is a side effect of the way the AD DirSync control works - it
applies to the domain suffix (dc=company,dc=com) and all sub containers
(OUs, CNs) under that suffix. It does not apply only to specific
subtrees under the domain suffix.
Fedora-directory-users mailing list
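
A small model of the scope rule and the behaviour reported in this thread, added here as an illustration; it is not code from the thread or from RHDS. The dc=example,dc=com suffix, the entry names and the function names are constructed, and DN comparison is simplified to case-insensitive matching of each RDN.

```python
# Added illustration: models "group members outside the agreement's subtree
# are dropped". Not RHDS source code; all DNs below are constructed samples.

def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honouring '\\,' escapes."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":              # unescaped comma separates RDNs
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        # Simplification: cn/ou/dc compare case-insensitively, spaces trimmed.
        out.append((attr.strip().lower(), val.strip().lower()))
    return out

def in_scope(dn, subtree):
    """True if dn is the subtree root or lies beneath it (RDN-wise suffix)."""
    d, s = split_dn(dn), split_dn(subtree)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def synced_members(members, agreement_subtree):
    """Members of a group that survive a sync limited to agreement_subtree."""
    return [m for m in members if in_scope(m, agreement_subtree)]

# Constructed sample: one AD group's member values.
MEMBERS = [
    "CN=alice,OU=LinuxUsers,OU=Linux,DC=example,DC=com",
    "CN=Smith\\, Jo,OU=LinuxUsers,OU=Linux,DC=example,DC=com",
    "CN=carol,OU=Sales,DC=example,DC=com",
]
GROUPS_ONLY = "ou=LinuxGroups,ou=Linux,dc=example,dc=com"  # groups-only agreement
PARENT = "ou=Linux, dc=example, dc=com"                    # agreement on parent OU

if __name__ == "__main__":
    print("groups-only agreement:", synced_members(MEMBERS, GROUPS_ONLY))
    print("parent-OU agreement:  ", synced_members(MEMBERS, PARENT))
```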