[389-users] Filtered replication from AD?

Colin Panisset colin.panisset at rea-group.com
Fri Jan 25 00:07:32 UTC 2013


We have two separate directory environments at present, one 389-ds 
(389-ds-base-1.2.10.2-20.el6_3.x86_64) and one AD based on W2k8.

We would like to be able to replicate user entries, password changes, 
and employee terminations from AD to 389-ds but, because the 389-ds 
environment is a restricted subset, we don't want all new users in the 
AD domain to automatically appear in 389-ds.

I've seen https://fedorahosted.org/389/ticket/460 which looks like it 
would do the job, but the milestone is 1.3.2 which is a ways off.

The suffixes in use by the different directory servers are different -- 
one is dc=example,dc=com and the other is dc=otherplace,dc=com

Complicating the matter is that the two directories are managed by 
different OUs in the same company.

Other than referrals, is there some way to copy/replicate attributes 
from one suffix to another, or to change the suffix during a replication?

Fractional replication uses the filter '(objectclass=*)' prior to the $ 
EXCLUDE but would it be possible to extend that to cover a smaller 
subset of entries? We're not interested in replicating from 389-ds back 
to AD at this point.

-- 
Colin Panisset
Senior Systems Engineer, REA Group
Ph: +61 (0)3 8456 4636 Mb: +61 (0) 457 788 259



