[389-users] Syncing AD groups and multiple (samba) domains

Rich Megginson rmeggins at redhat.com
Thu Jul 5 21:57:57 UTC 2012


On 07/05/2012 03:52 PM, Orion Poplawski wrote:
> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>> We are looking to sync our groups between our ldap server and an AD
>>> server. Our LDAP server also serves a samba domain for one of our
>>> offices. As a result we have Domain Admins and Domain Computers groups
>>> for the samba domain that we don't want to conflict with the AD groups
>>> of the same names.
>>>
>>> So it seems like we should move the samba domain groups into a
>>> different part of the tree. But we would still want to have a common
>>> shared group area that is visible by all. Any suggestions as to how to
>>> achieve this?
>>
>> Unless AD stores these groups in a different place in the tree, not in
>> the scope of other groups, I don't think it is possible with 389. Please
>> file a ticket.
>>
>
> Is there some way to make a specific subtree (e.g.
> ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree
> plus entries (but not sub-trees) in the parent node
> (ou=Groups,dc=nwra,dc=com)?

No, not that I know of.  I suppose you could try doing an ldapmodrdn 
operation to move those groups on the 389 side from ou=groups to ou=cora 
- but I don't know what will happen if winsync tries to sync those 
changes back to AD.

>
> That way the different domains could point to their specific sub-tree
> for private entries but still share some. I guess the common directory
> doesn't need to be the parent, which might make it easier.
>
Hmm - if you move them (as described above), you can't share them.

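The exchange above turns on LDAP search scope: a sync agreement sees whatever falls under its base DN at the configured scope, and the view Orion asked for (the ou=cora sub-tree plus the parent's direct children, but not sibling sub-trees) is the union of two scopes rooted at two different bases. The script below, added here as an illustration and not code from the thread or from 389/winsync, evaluates base/one/sub scope over a constructed sample tree and searches for a single base+scope that reproduces that view. The "Shared Staff" group and the "ou=other" office are hypothetical names; only ou=cora and ou=Groups,dc=nwra,dc=com come from the thread. DN handling is deliberately simplified (single-valued RDNs, case-insensitive comparison, only escaped commas recognised).

```python
"""LDAP scope arithmetic for the group layout discussed in the thread.

Added example, not from the thread or from 389/winsync.  Shows which
entries a base DN covers under the three standard scopes and whether
"ou=cora's own entries plus ou=Groups' direct children" can be expressed
as one base+scope.  All DNs are constructed sample data.
"""
import re

# Split on commas that are not backslash-escaped (simplified DN parsing).
SPLIT_RDN = re.compile(r'(?<!\\),')


def normalize(dn):
    """Return a tuple of (attr, value) RDNs, trimmed and lower-cased.

    Simplification: no multi-valued RDNs, no hex escapes; good enough to
    compare the DNs in this example case-insensitively.
    """
    rdns = []
    for rdn in SPLIT_RDN.split(dn):
        attr, _, value = rdn.partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def in_scope(dn, base, scope):
    """True if `dn` is found by a search at `base` with `scope` (base/one/sub)."""
    d, b = normalize(dn), normalize(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                    # not under the base at all
    depth = len(d) - len(b)             # 0 = the base entry itself
    if scope == 'base':
        return depth == 0
    if scope == 'one':
        return depth == 1
    if scope == 'sub':
        return True
    raise ValueError(f'unknown scope {scope!r}')


def select(entries, base, scope):
    """Subset of `entries` (original spelling kept) visible at base+scope."""
    return {e for e in entries if in_scope(e, base, scope)}


def single_scope_equivalent(entries, wanted):
    """Return (base, scope) that selects exactly `wanted`, or None.

    Candidate bases are every entry and every ancestor of every entry,
    so the search covers all DNs that exist in the sample tree.
    """
    candidates = set()
    for e in entries:
        parts = normalize(e)
        for i in range(len(parts)):
            candidates.add(','.join(f'{a}={v}' for a, v in parts[i:]))
    for base in sorted(candidates):
        for scope in ('base', 'one', 'sub'):
            if select(entries, base, scope) == wanted:
                return base, scope
    return None


GROUPS = 'ou=Groups,dc=nwra,dc=com'          # from the thread
CORA = 'ou=cora,' + GROUPS                   # from the thread

# Constructed sample tree: containers plus group entries.
ENTRIES = [
    GROUPS,
    'cn=Shared Staff,' + GROUPS,             # hypothetical shared group
    CORA,
    'cn=Domain Admins,' + CORA,              # samba domain groups
    'cn=Domain Computers,' + CORA,
    'ou=other,' + GROUPS,                    # hypothetical second office
    'cn=Domain Admins,ou=other,' + GROUPS,
]
GROUP_ENTRIES = [e for e in ENTRIES if e.lower().startswith('cn=')]


def cora_view():
    """The view asked for: ou=cora's groups plus ou=Groups' direct children."""
    return select(GROUP_ENTRIES, GROUPS, 'one') | select(GROUP_ENTRIES, CORA, 'sub')


if __name__ == '__main__':
    print('cora view:', sorted(cora_view()))
    print('single scope for it:', single_scope_equivalent(GROUP_ENTRIES, cora_view()))
    # Moving the samba groups under ou=cora keeps them inside a
    # subtree-scoped agreement rooted at ou=Groups.
    print('still under ou=Groups (sub):',
          in_scope('cn=Domain Admins,' + CORA, GROUPS, 'sub'))
```

Two things fall out of running it. `single_scope_equivalent` returns `None` for the requested view, which is the structural reason a single sync agreement (or any one-base search) cannot express "my sub-tree plus the shared level but not my neighbours". And `in_scope('cn=Domain Admins,ou=cora,...', 'ou=Groups,...', 'sub')` is `True`, which is what Rich's caveat about ldapmodrdn amounts to: a rename below ou=Groups does not take the entry out of a subtree-scoped agreement rooted there, so the conflict with the AD-side name is not resolved by the move alone.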