Erling Ringen Elvsrud wrote:
> On 11/10/08, Rich Megginson <rmeggins at redhat.com> wrote:
> [...]
>
>> Could be. The bind user used by windows sync must have read and write
>> rights to the AD subtree.
>>
>
> If I have for instance,
>
> ou=Linux,ou=delegation,dc=foo, dc=bar, dc=baz in AD
>
> and in the synchronization agreement the
> "Windows subtree" value is:
> ou=Linux,ou=delegation,dc=foo, dc=bar, dc=baz
>
> I have tried to limit the write-permissions for the binding-user to
> only ou=Linux, but that causes synchronization to fail.
>
> In which parts of the AD-tree does the binding-user need write access?
> Does it need write access in dc=foo and all siblings?
>

For read access - see http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and http://support.microsoft.com/kb/891995 for more information about how the DirSync Search works.

For write access - should only need access to ou=Linux

> Thanks again,
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>