Rich Megginson wrote: > Kenneth Holter wrote: >> Hi. >> >> >> We're using Windows sync on our (RedHat) directory server to fetch >> users from AD, and have a quick question about the UID attribute: It >> look to me like the UID attribute that linux ldap clients use for >> authentication, is a attribute created when one adds the posixaccount >> object class to the user object. In other words, when user "kenneth" >> is synced over from AD and I add the posixaccount object class, then >> the uid attribute is automatically created and populated with uid >> value "kenneth" from some (which one? "name"? "cn"?) AD attribute. Is >> this correct? > Yes. The AD attribute samAccountName is used to populate the uid > attribute on 389. >> If so, can I assume that making changes to the uid attribute will not >> be reflected on the AD side? > I'm not sure. uid and samAccountName are "special" attributes - not > sure if they are synced - you could try it I suppose. We normally see the following: 1. AD Account created 2. FreeIPA winsync sees the new account and creates a new user based on the samAccountName (so the uid value is = to samaccountname AND ntuserdomainid=samaccountname) 3. winsync runs again and the uid attribute is written to the AD record. 4. if you change the uid in freeipa, winsync will change the uid value for the AD record, but not the samaccountname. 5. if you change the ntuserdomainid in freeipa, then the account will no longer sync. (So make sure you change the samaccountname in AD next.) >> >> >> Best regards, >> Kenneth Holter >> >> >> >> >> ------------------------------------------------------------------------ >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users
