[389-users] Multiple sync agreements between AD and DS?

Theodotos Andreou theodotos.andreou at cut.ac.cy
Fri Feb 12 06:26:27 UTC 2010


Hi Rich,

Thanks for the reply!

On Thu, 2010-02-11 at 08:19 -0700, Rich Megginson wrote:
> Theodotos Andreou wrote:
> > Guys I've seen this warning on the 8.1 Administration Guide:
> >
> > WARNING
> > There can only be a single sync agreement between the Directory Server
> > environment and the Active Directory environment. Multiple sync
> > agreements to the same Active Directory domain can create entry
> > conflicts. 
> >dc=example,dc=com
> > Ref:
> > http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
> >
> > In my scenario I have many OUs under the AD synchronized subtree eg
> > ou=dep1,dc=example,dc=com , ou=dep2,dc=example,dc=com , etc. I tried to
> > synchronize the whole subtree dc=example,dc=com to the respective tree
> > on DS but this fails due to schema incompatibilities.
> Can you be more specific?  What schema?  Do you have any error messages 
> to post?

When I created a sync agreement between cn=Users,dc=example,dc=com on AD
and cn=People,dc=example,dc=com on DS everything worked fine. When I
tried to do the same with dc=example,dc=com on both servers none of the
child OUs got replicated and I got errors similar to this:

[12/Jan/2010:08:01:57 +0200] - add value "pre_user2" to attribute type
"sn" in entry "uid=pre_user2,ou=People, dc=lim, dc=example, dc=com"
failed: duplicate new value.

I assumed that the reason is that you can not have full replication
between AD and DS in the same way we can have between two DS Servers.
That's why we compromise with a user/group/sync solution between AD and
DS. Isn't it schema incompatibilities between AD and DS that cause this?
Is it possible to have true replication between them?


> > So I created one
> > sync agreement per OU and it seems to be working as expected in my test
> > environment. What is that warning above all about?
> It means you can't have multi master between more than one directory 
> server and more than one AD.
> 
> See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and 
> https://bugzilla.redhat.com/show_bug.cgi?id=184155
> > What could possibly
> > go wrong if you use multiple sync agreements. How can there be entry
> > conflicts if each synchronized subtree is different from the other?
> >   
> In your case it should be fine because you have one directory server and 
> one AD.

I am using 1 AD that is configured to have one way sync to 1 DS Server.
I guess this should not be a problem with multiple agreements right? 

Will there be a problem if I add another DS Server in MultiMaster
configuration with the existing DS Server? 

> > Another issue I have is that when users are disabled on the AD they are
> > still active on the DS. An obvious workaround is to change the password
> > of the disabled user so he can not use his account on AD but it would be
> > nice if there is a solution to avoid this. Any ideas?
> >   
> Regular 389 cannot do this, but freeipa has a winsync plugin that does 
> sync account disabled status.

I've seen this freeipa solution in the past and it triggered my interest.
As soon as I find some time I will give it a try. Is it stable to use in
a production environment?


Thanks again for the support
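The question above asks how two agreements could ever conflict when each one syncs a different subtree. One concrete way is nesting: an agreement on dc=example,dc=com plus one on ou=dep1,dc=example,dc=com both cover every entry under ou=dep1. The script below is an added example, not code from the thread or from 389 DS: it reads the winsync agreement entries from cn=config (the attribute names nsds7WindowsDomain and nsds7WindowsReplicaSubtree are those of 389's winsync agreement schema; the LDIF itself is a constructed sample) and reports pairs of same-domain agreements whose AD subtrees nest or coincide.

```python
import re

# Constructed sample shaped like the output of
#   ldapsearch -b cn=config "(objectclass=nsDSWindowsReplicationAgreement)"
SAMPLE_LDIF = """\
dn: cn=users-sync,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds7WindowsDomain: example.com
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com

dn: cn=dep1-sync,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds7WindowsDomain: EXAMPLE.COM
nsds7WindowsReplicaSubtree: ou=dep1,dc=example,dc=com

dn: cn=root-sync,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds7WindowsDomain: example.com
nsds7WindowsReplicaSubtree: DC=example, DC=com
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line wrapping or base64): one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def rdns(dn):
    """Split a DN into normalised RDNs (case-folded, surrounding whitespace dropped)."""
    return [p.strip().lower() for p in dn.split(",")]

def is_within(child, parent):
    """True if `child` is `parent` itself or lies anywhere below it."""
    c, p = rdns(child), rdns(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def winsync_overlaps(ldif_text):
    """Pairs of same-domain agreements whose AD subtrees nest or coincide."""
    agmts = [e for e in parse_ldif(ldif_text) if "nsds7windowsreplicasubtree" in e]
    found = []
    for i, a in enumerate(agmts):
        for b in agmts[i + 1:]:
            if a["nsds7windowsdomain"][0].lower() != b["nsds7windowsdomain"][0].lower():
                continue
            sa, sb = a["nsds7windowsreplicasubtree"][0], b["nsds7windowsreplicasubtree"][0]
            if is_within(sa, sb) or is_within(sb, sa):
                # Name each agreement by its first RDN (cn=<agreement name>).
                found.append((a["dn"][0].split(",")[0], b["dn"][0].split(",")[0]))
    return found
```

For the sample, users-sync and dep1-sync are disjoint and are not reported, while root-sync is flagged against both; on a live server, feed the script the real ldapsearch output instead of SAMPLE_LDIF.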