[389-users] 389 and AD group sync

Vesa Alho listat at alho.fi
Thu Feb 28 11:05:29 UTC 2013


Hi,

I'm having problems with syncing groups from 389 to AD. I wrote about 
this earlier but have done some more testing.

Using the latest EPEL6 stable:
389-ds-base-1.2.10.12-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch

AD: 2008 R2 64-bit

========
Group description
# testgroup, People, domain.com
dn: cn=testgroup,ou=People,dc=domain,dc=com
ntGroupCreateNewGroup: on
description: testroup
objectClass: top
objectClass: groupofuniquenames
objectClass: ntgroup
uniqueMember: uid=user1,ou=People,dc=domain,dc=com
ntUserDomainId: testgroup
===========
Replication log snippet follows:
NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): 
windows_replay_update: Processing add operation local 
dn="cn=testgroup,ou=People,dc=domain,dc=com" remote 
dn="cn=testgroup,cn=Users,dc=domain,dc=com"

NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): 
process_replay_add: dn="cn=testgroup,cn=Users,dc=domain,dc=com" (not 
present,add not allowed)
=============

Group sync works correctly when I initiate a manual full resync. This 
means the AD sync user must have proper permissions.

Bottom line, incremental group sync doesn't work. The only clue is the log 
message "not present,add not allowed". Any ideas, or is this some known bug?

-Mr. Vesa Alho
