[389-users] Syncing AD groups and multiple (samba) domains

Orion Poplawski orion at cora.nwra.com
Fri Jul 6 16:30:57 UTC 2012


On 07/05/2012 03:57 PM, Rich Megginson wrote:
> On 07/05/2012 03:52 PM, Orion Poplawski wrote:
>> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>>> We are looking to sync our groups between our ldap server and an AD server.
>>>> Our LDAP server also serves a samba domain for one of our offices. As a
>>>> result we have Domain Admins and Domain Computers groups for the samba
>>>> domain that we don't want to conflict with the AD groups of the same names.
>>>>
>>>> So it seems like we should move the samba domain groups into a different
>>>> part of the tree.  But we would still want to have a common shared group
>>>> area that is visible by all.  Any suggestions as to how to achieve this?
>>>
>>> Unless AD stores these groups in a different place in the tree, not in the
>>> scope of other groups, I don't think it is possible with 389. Please file a
>>> ticket.
>>>
>>
>> Is there some way to make a specific subtree (e.g.
>> ou=cora,ou=Groups,dc=nwra,dc=com) consistent of entries in that sub-tree
>> plus entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?
>
> No, not that I know of.  I suppose you could try doing an ldapmodrdn operation
> to move those groups in the 389 side from ou=groups to ou=cora - but I don't
> know what will happen if winsync tries to sync those changes back to AD.
>
>>
>> That way the different domains could point to their specific sub-tree for
>> private entries but still share some.  I guess the common directory doesn't
>> need to be the parent, which might make it easier.
>>
> Hmm - if you move them (as described above), you can't share them.

I'm trying to implement it using aliases but that doesn't seem to be working.
I created:

dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=
  nwra,dc=com
aliasedObjectName: ou=Groups,dc=nwra,dc=com
objectClass: top
objectClass: alias

to try to link in the common Groups under a private subtree, but ldapsearch
just returns the alias object instead of traversing to
ou=Groups,dc=nwra,dc=com.  This doesn't seem to be correct.  Does 389-server
support aliases?

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
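An added example, not from the thread or from 389 Directory Server: a small in-memory model of the alias entry above, showing the difference between a search that returns the alias object literally (the behaviour described in the post) and one that dereferences it into ou=Groups,dc=nwra,dc=com, plus a check that the hex-escaped RDN really decodes to the aliasedObjectName target. The Domain Admins group entry and the derefInSearching semantics (RFC 4511/4514) are assumptions for the model, not anything the server was observed doing.

```python
import re
# Constructed LDIF modelled on the alias entry in the post; Domain Admins is a sample group.
LDIF = r"""dn: cn=Domain Admins,ou=Groups,dc=nwra,dc=com
objectClass: groupOfNames

dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=
 nwra,dc=com
aliasedObjectName: ou=Groups,dc=nwra,dc=com
objectClass: top
objectClass: alias
"""

def unescape_dn_value(value):
    """Decode RFC 4514 DN escapes: backslash-hex pairs and backslash-quoted specials."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)

def norm_dn(dn):
    # Case-fold and drop whitespace after separators so DNs compare equal.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """Unwrap LDIF continuation lines (leading space) and return {dn: attrs}."""
    entries = {}
    for block in re.sub(r"\n ", "", text.strip()).split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def alias_consistent(attrs):
    """True when the alias entry's RDN value decodes to its aliasedObjectName."""
    rdn_value = attrs["dn"][0].split(",", 1)[0].split("=", 1)[1]
    return norm_dn(unescape_dn_value(rdn_value)) == norm_dn(attrs["aliasedobjectname"][0])

def search(entries, base, deref=False, _seen=frozenset()):
    """Subtree search; deref=True follows alias entries into their target subtree."""
    base, result = norm_dn(base), []
    for dn, attrs in entries.items():
        if dn != base and not dn.endswith("," + base):
            continue
        if deref and "alias" in [o.lower() for o in attrs.get("objectclass", [])]:
            target = norm_dn(attrs["aliasedobjectname"][0])
            if target not in _seen:  # never re-enter a subtree: breaks alias cycles
                result += search(entries, target, True, _seen | {base, target})
        else:
            result.append(dn)  # deref=False: the alias object itself, as ldapsearch showed
    return result
```

With deref=False the cora subtree search yields only the alias object; with deref=True the same search yields the groups under ou=Groups,dc=nwra,dc=com.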