[389-users] Syncing AD groups and multiple (samba) domains

Rich Megginson rmeggins at redhat.com
Fri Jul 6 16:30:54 UTC 2012


On 07/06/2012 10:30 AM, Orion Poplawski wrote:
> On 07/05/2012 03:57 PM, Rich Megginson wrote:
>> On 07/05/2012 03:52 PM, Orion Poplawski wrote:
>>> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>>>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>>>> We are looking to sync our groups between our ldap server and an
>>>>> AD server.  Our LDAP server also serves a samba domain for one of
>>>>> our offices.  As a result we have Domain Admins and Domain Computers
>>>>> groups for the samba domain that we don't want to conflict with the
>>>>> AD groups of the same names.
>>>>>
>>>>> So it seems like we should move the samba domain groups into a
>>>>> different part of the tree.  But we would still want to have a
>>>>> common shared group area that is visible by all.  Any suggestions
>>>>> as to how to achieve this?
>>>>
>>>> Unless AD stores these groups in a different place in the tree, not
>>>> in the scope of other groups, I don't think it is possible with 389.
>>>> Please file a ticket.
>>>>
>>>
>>> Is there some way to make a specific subtree (e.g.
>>> ou=cora,ou=Groups,dc=nwra,dc=com) consistent of entries in that
>>> sub-tree plus entries (but not sub-trees) in the parent node
>>> (ou=Groups,dc=nwra,dc=com)?
>>
>> No, not that I know of.  I suppose you could try doing an ldapmodrdn
>> operation to move those groups in the 389 side from ou=groups to
>> ou=cora - but I don't know what will happen if winsync tries to sync
>> those changes back to AD.
>>
>>>
>>> That way the different domains could point to their specific
>>> sub-tree for private entries but still share some.  I guess the
>>> common directory doesn't need to be the parent, which might make it
>>> easier.
>>>
>> Hmm - if you move them (as described above), you can't share them.
>
> I'm trying to implement it using aliases but that doesn't seem to be
> working.  I created:
>
> dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=nwra,dc=com
> aliasedObjectName: ou=Groups,dc=nwra,dc=com
> objectClass: top
> objectClass: alias
>
> to try to link in the common Groups under a private subtree, but
> ldapsearch just returns the alias object instead of traversing to
> ou=Groups,dc=nwra,dc=com.  This doesn't seem to be correct.  Does
> 389-server support aliases?
>
No, 389 does not support aliases.
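Since 389 neither dereferences alias entries nor lets one subtree "see" the entries of another, the view Orion asked for (everything under a private subtree plus the entries, but not the sub-trees, directly under the common Groups container) has to be assembled on the client by combining two search scopes: scope "sub" on the private base and scope "one" on the common base. The following is an added example, not code from the thread or from 389 Directory Server, showing that scope logic over constructed sample DNs (a real deployment would feed it the DNs returned by two ldapsearch calls), and flagging the same-named Domain Admins groups the thread is worried about. The alias entry from the thread is included as an ordinary entry, because that is how 389 returns it.

```python
"""Client-side emulation of 'private subtree + common container' view.

Added example; the DNs in SAMPLE_DNS are constructed test data, and
PRIVATE_BASE / COMMON_BASE follow the tree layout from the thread.
"""
import re
from typing import Dict, Iterable, List

# Split a DN on commas that are not backslash-escaped.  Hex escapes such
# as \2C inside an RDN value contain no literal comma, so they survive.
_RDN_SPLIT = re.compile(r"(?<!\\),")

PRIVATE_BASE = "ou=Groups,dc=cora,dc=nwra,dc=com"   # samba domain's groups
COMMON_BASE = "ou=Groups,dc=nwra,dc=com"            # shared / AD-synced groups

# Constructed sample data standing in for two ldapsearch result sets.
SAMPLE_DNS = [
    "cn=Domain Admins,ou=Groups,dc=cora,dc=nwra,dc=com",       # samba, private
    "cn=Domain Computers,ou=Groups,dc=cora,dc=nwra,dc=com",    # samba, private
    # The alias entry from the thread: 389 returns it as a plain entry.
    r"aliasedObjectName=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=nwra,dc=com",
    "cn=Domain Admins,ou=Groups,dc=nwra,dc=com",               # AD-synced group
    "cn=staff,ou=Groups,dc=nwra,dc=com",                       # shared group
    "cn=contractors,ou=Private,ou=Groups,dc=nwra,dc=com",      # nested: not in scope one
    "ou=Groups,dc=nwra,dc=com",                                # the container itself
]


def dn_components(dn: str) -> List[str]:
    """Normalised RDN list, leaf first (case-folded, whitespace stripped)."""
    return [c.strip().lower() for c in _RDN_SPLIT.split(dn)]


def in_scope(dn: str, base: str, scope: str) -> bool:
    """LDAP search-scope semantics: 'base' matches only the base entry,
    'one' its direct children, 'sub' the base and everything beneath it."""
    entry, root = dn_components(dn), dn_components(base)
    if len(entry) < len(root) or entry[-len(root):] != root:
        return False
    depth = len(entry) - len(root)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def merged_view(dns: Iterable[str], private_base: str, common_base: str) -> List[str]:
    """Entries anywhere under private_base plus direct children of common_base."""
    return sorted(
        dn for dn in dns
        if in_scope(dn, private_base, "sub") or in_scope(dn, common_base, "one")
    )


def name_conflicts(dns: Iterable[str]) -> Dict[str, List[str]]:
    """Group cn values that occur more than once in the view, with their DNs.
    This is the 'Domain Admins in both domains' collision from the thread."""
    seen: Dict[str, List[str]] = {}
    for dn in dns:
        attr, _, value = dn_components(dn)[0].partition("=")
        if attr == "cn":
            seen.setdefault(value, []).append(dn)
    return {v: sorted(ds) for v, ds in seen.items() if len(ds) > 1}


if __name__ == "__main__":
    view = merged_view(SAMPLE_DNS, PRIVATE_BASE, COMMON_BASE)
    for dn in view:
        print(dn)
    for name, dns in name_conflicts(view).items():
        print(f"conflict: cn={name} -> {dns}")
```

Because the merge happens after the fact, nothing stops the two Domain Admins entries from both appearing; whatever consumes the view (nss_ldap, samba, winsync) still has to decide which one wins, which is exactly why Rich suggests moving or keeping them in non-overlapping subtrees.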