[389-users] Multiple sync agreements between AD and DS?

Rich Megginson rmeggins at redhat.com
Fri Feb 12 22:22:25 UTC 2010


Theodotos Andreou wrote:
> Hi Rich,
>
> Thanks for the reply!
>
> On Thu, 2010-02-11 at 08:19 -0700, Rich Megginson wrote:
>   
>> Theodotos Andreou wrote:
>>     
>>> Guys I've seen this warning on the 8.1 Administration Guide:
>>>
>>> WARNING
>>> There can only be a single sync agreement between the Directory Server
>>> environment and the Active Directory environment. Multiple sync
>>> agreements to the same Active Directory domain can create entry
>>> conflicts. 
>>> dc=example,dc=com
>>> Ref:
>>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
>>>
>>> In my scenario I have many OUs under the AD synchronized subtree eg
>>> ou=dep1,dc=example,dc=com , ou=dep2,dc=example,dc=com , etc. I tried to
>>> synchronize the whole subtree dc=example,dc=com to the respective tree
>>> on DS but this fails due to schema incompatibilities.
>>>       
>> Can you be more specific?  What schema?  Do you have any error messages 
>> to post?
>>     
>
> When I created a sync agreement between cn=Users,dc=example,dc=com on AD
> and cn=People,dc=example,dc=com on DS everything worked fine. When I
> tried to do the same with dc=example,dc=com on both servers none of the
> child OUs got replicated and I got errors similar to this:
>
> [12/Jan/2010:08:01:57 +0200] - add value "pre_user2" to attribute type
> "sn" in entry "uid=pre_user2,ou=People, dc=lim, dc=example, dc=com"
> failed: duplicate new value.
>
> I assumed that the reason is that you can not have full replication
> between AD and DS in the same way we can have between two DS Servers.
> That's why we compromise with a user/group/sync solution between AD and
> DS. Isn't it schema incompatibilities between AD and DS that cause this?
No, this particular issue is probably due somehow to the DN mapping.
> Is
> it possible to have true replication between them?
>   
Maybe samba4 will be able to do this.
>
>   
>>> So I created one
>>> sync agreement per OU and it seems to be working as expected in my test
>>> environment. What that warning above is all about?
>>>       
>> It means you can't have multi-master between more than one directory 
>> server and more than one AD.
>>
>> See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and 
>> https://bugzilla.redhat.com/show_bug.cgi?id=184155
>>     
>>> What could possibly
>>> go wrong if you use multiple sync agreements. How can there be entry
>>> conflicts if each synchronized subtree is different from the other?
>>>   
>>>       
>> In your case it should be fine because you have one directory server and 
>> one AD.
>>     
>
> I am using 1 AD that is configured to have one way sync to 1 DS Server.
> I guess this should not be a problem with multiple agreements right? 
>   
Should not be a problem.
> Will there be a problem if I add another DS Server in MultiMaster
> configuration with the existing DS Server? 
>   
Password sync will be a problem.  389 sends hashed passwords via 
replication.  AD does not like hashed passwords - it needs the clear text.
>   
>>> Another issue I have is that when users are disabled on the AD they are
>>> still active on the DS. An obvious workaround is to change the password
>>> of the disabled user so he can not use his account on AD but it would be
>>> nice if there is a solution to avoid this. Any ideas?
>>>   
>>>       
>> Regular 389 cannot do this, but freeipa has a winsync plugin that does 
>> sync account disabled status.
>>     
>
> I've seen this freeipa solution in the past and it triggered my interest.
> As soon as I find some time I will give it a try. Is it stable to use in
> a production environment?
>   
I think so, but ask the freeipa guys.
>   
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> Thanks again for the support
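Two checks that follow from this thread, written here as an added example (not code from the list, the 389 project, or either poster): the first parses 389 errors-log lines for the "duplicate new value" failures quoted above and groups them by attribute and entry, so a sync problem like the one described can be spotted from the log rather than by noticing missing OUs; the second takes the subtree and domain attributes of a set of winsync agreements and flags pairs whose AD or DS subtrees overlap (one nested inside the other, which is where entry conflicts come from) and, as the Administration Guide warning describes, more than one agreement against the same AD domain. The log lines and agreement entries are constructed sample data; the agreement attribute names (nsds7WindowsReplicaSubtree, nsds7DirectoryReplicaSubtree, nsds7WindowsDomain) are real winsync agreement attributes, but the agreement dicts stand in for entries you would read from cn=config with ldapsearch.

```python
import re
from collections import defaultdict

# Constructed sample 389 errors-log lines (in the real log each message is one
# line; the mail quoted above wrapped it). Not copied from any real server.
SAMPLE_ERRORS_LOG = """\
[12/Jan/2010:08:01:57 +0200] - add value "pre_user2" to attribute type "sn" in entry "uid=pre_user2,ou=People, dc=lim, dc=example, dc=com" failed: duplicate new value.
[12/Jan/2010:08:01:58 +0200] - add value "pre_user3" to attribute type "sn" in entry "uid=pre_user3,ou=People, dc=lim, dc=example, dc=com" failed: duplicate new value.
[12/Jan/2010:08:02:00 +0200] NSMMReplicationPlugin - windows sync agreement "dep1" started.
"""

DUP_VALUE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - add value "(?P<value>[^"]*)" to attribute type '
    r'"(?P<attr>[^"]+)" in entry "(?P<dn>[^"]+)" failed: duplicate new value\.$'
)


def normalize_dn(dn):
    """Lower-case a DN and strip the spaces after commas, so DNs written
    'ou=People, dc=example' and 'ou=people,dc=example' compare equal.
    Naive split on ',' (ignores escaped commas); enough for this check."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_duplicate_value_failures(log_text):
    """Return one dict per 'duplicate new value' failure found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DUP_VALUE_RE.match(line)
        if m:
            hits.append({"timestamp": m["ts"], "attr": m["attr"].lower(),
                         "value": m["value"], "dn": normalize_dn(m["dn"])})
    return hits


def summarize_by_attribute(hits):
    """Count failures per attribute type; a single attribute dominating the
    list points at a mapping problem for that attribute rather than schema."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["attr"]] += 1
    return dict(counts)


# Constructed winsync agreement entries reduced to the attributes the check
# needs (hypothetical values; read the real ones from cn=config).
SAMPLE_AGREEMENTS = [
    {"cn": "dep1", "nsds7WindowsDomain": "example.com",
     "nsds7WindowsReplicaSubtree": "ou=dep1,dc=example,dc=com",
     "nsds7DirectoryReplicaSubtree": "ou=dep1,dc=example,dc=com"},
    {"cn": "dep2", "nsds7WindowsDomain": "example.com",
     "nsds7WindowsReplicaSubtree": "ou=dep2,dc=example,dc=com",
     "nsds7DirectoryReplicaSubtree": "ou=dep2,dc=example,dc=com"},
    # A whole-tree agreement that contains both of the above.
    {"cn": "all", "nsds7WindowsDomain": "EXAMPLE.COM",
     "nsds7WindowsReplicaSubtree": "dc=example,dc=com",
     "nsds7DirectoryReplicaSubtree": "dc=example,dc=com"},
]


def is_ancestor_or_equal(ancestor, dn):
    """True if `dn` equals `ancestor` or lies beneath it in the tree."""
    a, d = normalize_dn(ancestor), normalize_dn(dn)
    return d == a or d.endswith("," + a)


def check_agreements(agreements):
    """Flag agreement pairs whose AD or DS subtrees overlap (entry conflicts),
    and domains that are the target of more than one agreement (the
    Administration Guide warning)."""
    findings = []
    for i, x in enumerate(agreements):
        for y in agreements[i + 1:]:
            for attr in ("nsds7WindowsReplicaSubtree", "nsds7DirectoryReplicaSubtree"):
                if (is_ancestor_or_equal(x[attr], y[attr])
                        or is_ancestor_or_equal(y[attr], x[attr])):
                    findings.append(("overlap", attr, x["cn"], y["cn"]))
    by_domain = defaultdict(list)
    for a in agreements:
        by_domain[a["nsds7WindowsDomain"].lower()].append(a["cn"])
    for domain, names in by_domain.items():
        if len(names) > 1:
            findings.append(("multiple-per-domain", domain, tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for h in find_duplicate_value_failures(SAMPLE_ERRORS_LOG):
        print(h["timestamp"], h["attr"], h["dn"])
    print(summarize_by_attribute(find_duplicate_value_failures(SAMPLE_ERRORS_LOG)))
    for f in check_agreements(SAMPLE_AGREEMENTS):
        print(f)
```

With the sample agreements the "all" agreement is reported as overlapping both per-OU agreements on both subtree attributes, and all three are reported under "multiple-per-domain"; the per-OU pair on its own produces only the per-domain note, which matches the thread's conclusion that disjoint OU agreements against one AD and one DS are acceptable.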