[389-users] What to do about windows sync when AD entries move out of scope
Mark Reynolds
mareynol at redhat.com
Wed Aug 22 20:33:00 UTC 2012
On 08/22/2012 04:31 PM, Mark Reynolds wrote:
>
>
> On 08/22/2012 04:23 PM, Rich Megginson wrote:
>> On 08/22/2012 02:18 PM, Mark Reynolds wrote:
>>>
>>>
>>> On 08/22/2012 04:09 PM, Rich Megginson wrote:
>>>> Let's say you have a windows sync agreement
>>>> AD: cn=Users,dc=example,dc=com
>>>> DS: ou=People,dc=example,dc=com
>>>>
>>>> Let's say you also have another user container in AD:
>>>> cn=OtherUsers,dc=example,dc=com
>>>>
>>>> Let's say you have a user in AD in cn=Users in sync with a user in
>>>> DS in ou=People.
>>>>
>>>> What should happen if you move the user in AD from cn=Users to
>>>> cn=OtherUsers? Should DS "disconnect" the entry (i.e. remote the
>>>> ntuser attributes) so the entry is no longer in sync? Should
>>>> winsync do something else?
>>> Is it feasible to "mark" the entry as moved, or placed it in some
>>> kind of list, and then use a config option on whether to keep it in
>>> sync or not?
>>
>> When we receive the AD entry in a search request, we will know if
>> there is a DS entry with the same userid, and whether or not the DS
>> entry is in sync (i.e. has the ntuser attributes).
>>
>> Not sure what you mean by "mark" - maybe add some sort of attribute
>> to the DS entry that says "hey, this entry has the same userid as an
>> entry in AD but the AD entry is out of scope of the winsync agreement
>> and/or the DS entry is not set up to be a winsync entry"?
> Yes, exactly. Maybe something like: "winsyncPreviousScope:
> cn=People, dc=example,dc=com"?
I meant: "winsyncPreviousScope: cn=Users, dc=example,dc=com"
>>
>>>>
>>>> Conversely, what should happen if a user is moved from
>>>> cn=OtherUsers to cn=Users? Should DS treat it as adding a new user
>>>> or "connect" an existing user if the userids match?
>>> Depending if it is "marked" or not, we would know what to do with it.
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>
>
--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds at redhat.com
More information about the 389-users
mailing list