I see. Thanks for the response. Do you know if it's possible to make use of the AD groups that are synced over to RHDS directly though, disregarding posix attributes that are not synced over? I mean, is it possible to get nss_ldap to work with the groups synced over from AD, without having to "convert" the groups to posix groups first? - Kenneth On Thu, Jan 14, 2010 at 4:46 PM, Rich Megginson <rmeggins at redhat.com> wrote: > Kenneth Holter wrote: > > Hi. > > > > > > We wish to sync our Red Hat Directory Server (RHDS) with Active > > Directory (AD), and would like our linux boxes to make use the groups > > defined on AD. Our current plan have been to recreate the AD groups as > > netgroups on the RHDS side, but recently I've been told that it is > > possible use the AD groups directly - only modifications necessary > > would be to set some attribute mappings in the nss_ldap module, and > > enable/configure the Subsystem for UNIX-based Applications (SUA) on > > the AD side. > > > > Has anyone here implemented this setup? > > > > Is is so that SUA is simply a schema extension to hold unix > > attributes, so essentially what happens when enabling SUA is that one > > on the AD side is able to define posix attributes, which in turn is > > synced over to RHDS by the Windows Sync plugin? > 389 Windows sync will not sync posix attributes at all, in either > direction, regardless of whether SUA/SFU is used. > > > > > > Best regards, > > Kenneth Holter > > > ------------------------------------------------------------------------ > > > > -- > > 389 users mailing list > > 389-users at lists.fedoraproject.org > > https://admin.fedoraproject.org/mailman/listinfo/389-users > > -- > 389 users mailing list > 389-users at lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/389-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20100115/9e7a8990/attachment.html
