Erling Ringen Elvsrud wrote:
> Hello list,
>
> According to the RHDS Administration Guide in the chapter on
> Windows Sync (page 531):
>
> "The membership of groups is synchronized with the constraint that
> only those members that are also within the scope of the agreement are
> propagated"
> (note that I did not read this before the test)
>
> I have tried the following:
>
> In AD I have:
>
> ou=LinuxUsers
> ou=LinuxGroups
>
> I have configured two separate synchronization agreements in RHDS, one
> that populates ou=People from ou=LinuxUsers in AD and one that
> populates ou=Groups from ou=LinuxGroups in AD.
>
> The synchronization works, and after it is complete I use ldapsearch
> on ou=Groups in RHDS and ou=LinuxGroups in AD, and the
> member attributes are indeed missing on the RHDS side.
>
> So, in order to keep group membership I need to synchronize the parent ou of
> both users and groups. So something like
> ou=LinuxUsers,ou=Linux,dc=... and
> ou=LinuxGroups,ou=Linux,dc=... must be created in AD, and in the
> synchronization agreement I will sync ou=Linux and get both users and groups.
> The alternative is to synchronize with the current parent of
> LinuxUsers and LinuxGroups.
>
> Is this correct?
>
> Do you know why this "limitation" exists?

I think it is a side effect of the way the AD DirSync control works - it
applies to the domain suffix (dc=company,dc=com) and all sub containers
(OUs, CNs) under that suffix. It does not apply only to specific subtrees
under the domain suffix.

http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
http://support.microsoft.com/kb/891995

> Thanks
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
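A pre-check for the scope constraint discussed in this thread, added here as an example and not part of the original messages or of RHDS/389: given the member DNs of an AD group and the subtree(s) a Windows Sync agreement covers, it lists the members that lie outside the agreement scope and would therefore be missing from the synced group on the RHDS side. All DNs and the two scope setups (one agreement per OU versus one agreement on a common parent OU) are constructed for illustration.

```python
# Added example: report AD group members that fall outside a Windows Sync
# agreement's scope. DNs below are constructed, not taken from a real domain.
# DN parsing is deliberately simple (no support for escaped commas in values).

def normalize_dn(dn):
    """Split a DN into RDN components, lower-cased and stripped of whitespace."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + val.strip().lower())
    return parts

def dn_in_scope(dn, scope_dns):
    """True if dn equals, or sits below, any of the scope subtrees."""
    d = normalize_dn(dn)
    for scope in scope_dns:
        s = normalize_dn(scope)
        # A DN is under a subtree when its trailing RDNs match the subtree DN.
        if len(d) >= len(s) and d[len(d) - len(s):] == s:
            return True
    return False

def out_of_scope_members(group_members, scope_dns):
    """Members that would be dropped from the synced group (outside scope)."""
    return [m for m in group_members if not dn_in_scope(m, scope_dns)]

# Constructed setup 1: the group agreement covers only ou=LinuxGroups,
# while the users live in a sibling OU (the situation described in the thread).
SCOPE_SEPARATE = ["ou=LinuxGroups,ou=Linux,dc=example,dc=com"]
# Constructed setup 2: one agreement on the common parent ou=Linux.
SCOPE_PARENT = ["ou=Linux,dc=example,dc=com"]

# Constructed member list of an AD group; mixed case and spacing on purpose.
SAMPLE_GROUP = [
    "CN=alice, OU=LinuxUsers, OU=Linux, DC=example, DC=com",
    "cn=bob,ou=LinuxUsers,ou=Linux,dc=example,dc=com",
    "cn=svc-backup,ou=Service,dc=example,dc=com",
]

if __name__ == "__main__":
    for label, scope in (("separate", SCOPE_SEPARATE), ("parent", SCOPE_PARENT)):
        dropped = out_of_scope_members(SAMPLE_GROUP, scope)
        print(f"{label}: {len(dropped)} member(s) outside scope: {dropped}")
```

With the per-OU agreement every member is outside scope, matching the empty member attributes seen with ldapsearch; with the parent-OU agreement only the service account in ou=Service is dropped.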