[389-users] 389 and AD group sync

Rich Megginson rmeggins at redhat.com
Thu Feb 28 14:14:02 UTC 2013


On 02/28/2013 04:05 AM, Vesa Alho wrote:
> Hi,
>
> I'm having problems with syncing groups from 389 to AD. I wrote about 
> this earlier but did some more testing.
>
> Using the latest EPEL6 stable:
> 389-ds-base-1.2.10.12-1.el6.x86_64
> 389-ds-1.2.2-1.el6.noarch
>
> AD: 2008 R2 64-bit
>
> ========
> Group description
> # testgroup, People, domain.com
> dn: cn=testgroup,ou=People,dc=domain,dc=com
> ntGroupCreateNewGroup: on

The value should be TRUE

Looks like we have a doc bug.
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html

12.4.4.1. Configuring Group Sync in the Console
The Console UI section says to use a value of "on".  This is wrong.

12.4.4.2. Configuring Group Sync in the Command Line
This says to use a value of "true".  This will work, although it should 
be "TRUE".

And the command line docs should use - in the LDIF to separate each mod.

Please file a bug.

> description: testroup
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: ntgroup
> uniqueMember: uid=user1,ou=People,dc=domain,dc=com
> ntUserDomainId: testgroup
> ===========
> Replication log snippet follows:
> NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): 
> windows_replay_update: Processing add operation local 
> dn="cn=testgroup,ou=People,dc=domain,dc=com" remote 
> dn="cn=testgroup,cn=Users,dc=domain,dc=com"
>
> NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): 
> process_replay_add: dn="cn=testgroup,cn=Users,dc=domain,dc=com" (not 
> present,add not allowed)

"add not allowed" - this means one or more of the following:
*

> =============
>
> Group sync works correctly when I initiate manual Full resync. This 
> means AD sync user must have proper permissions.
>
> Bottom line, incremental group sync doesn't work. Only clue is that 
> log message "not present,add not allowed". Any ideas or some known bug?
>
> -Mr. Vesa Alho
> -- 
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
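
A small lint pass for the two LDIF points raised in the reply above (the value of ntGroupCreateNewGroup and the `-` line between mods), as an added example that is not part of the original post or of 389 DS. The function name `lint_ldif`, the sample LDIF and the treatment of FALSE as an intentional "off" are assumptions.

```python
SYNC_FLAG = "ntgroupcreatenewgroup"
MOD_OPS = {"add", "replace", "delete"}

def lint_ldif(text):
    """Return (line_number, message) findings for an LDIF string."""
    findings = []
    in_modify = False  # inside a "changetype: modify" record
    mod_open = False   # a mod has started and no "-" line has closed it yet
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:                      # blank line ends the record
            in_modify = mod_open = False
            continue
        if line[0] in "# ":               # comment or folded continuation line
            continue
        if line == "-":
            mod_open = False
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "changetype":
            in_modify = value.lower() == "modify"
        elif in_modify and name in MOD_OPS:
            if mod_open:
                findings.append((num, "previous mod is not closed by a '-' line"))
            mod_open = True
        elif name == SYNC_FLAG:
            if value.lower() == "true" and value != "TRUE":
                findings.append((num, "works, but should be written TRUE"))
            elif value.lower() not in ("true", "false"):
                # Assumption: FALSE is an intentional "off" and is not flagged.
                findings.append((num, f"value {value!r} should be TRUE"))
    return findings

# Constructed sample: the entry from the post, then a modify record with both problems.
SAMPLE = """\
dn: cn=testgroup,ou=People,dc=domain,dc=com
objectClass: groupofuniquenames
objectClass: ntgroup
ntGroupCreateNewGroup: on

dn: cn=testgroup,ou=People,dc=domain,dc=com
changetype: modify
add: objectClass
objectClass: ntgroup
add: ntGroupCreateNewGroup
ntGroupCreateNewGroup: true
-
"""
```

Calling `lint_ldif(SAMPLE)` reports the `on` value in the first record, and the missing `-` line and the lower-case `true` in the second.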



