Theodotos Andreou wrote:
> Guys I've seen this warning on the 8.1 Administration Guide:
>
> WARNING
> There can only be a single sync agreement between the Directory Server
> environment and the Active Directory environment. Multiple sync
> agreements to the same Active Directory domain can create entry
> conflicts.
>
> Ref:
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
>
> In my scenario I have many OUs under the AD synchronized subtree eg
> ou=dep1,dc=example,dc=com , ou=dep2,dc=example,dc=com , etc. I tried to
> synchronize the whole subtree dc=example,dc=com to the respective tree
> on DS but this fails due to schema incompatibilities.

Can you be more specific? What schema? Do you have any error messages to post?

> So I created one
> sync agreement per OU and it seems to be working as expected in my test
> environment. What is that warning above all about?

It means you can't have multi master between more than one directory server and more than one AD. See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and https://bugzilla.redhat.com/show_bug.cgi?id=184155

> What could possibly
> go wrong if you use multiple sync agreements. How can there be entry
> conflicts if each synchronized subtree is different from the other?

In your case it should be fine because you have one directory server and one AD.

> Another issue I have is that when users are disabled on the AD they are
> still active on the DS. An obvious workaround is to change the password
> of the disabled user so he can not use his account on AD but it would be
> nice if there is a solution to avoid this. Any ideas?

Regular 389 cannot do this, but freeipa has a winsync plugin that does sync account disabled status.
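
Since plain Windows Sync does not carry the disabled status across, the gap can at least be detected by comparing exports from both sides. The following is an added example, not part of the original thread or of 389 DS itself: it flags Directory Server entries that are still active while the matching AD account is disabled. It assumes the AD export includes `sAMAccountName` and `userAccountControl`, the DS export includes `ntUserDomainId` and `nsAccountLock`, and that the two are matched on the account name; all entries are constructed sample data.

```python
# Added example: constructed sample exports, not data from the thread.
# Assumes unfolded LDIF (e.g. ldapsearch -o ldif-wrap=no) with plain values.
ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit: account is disabled

AD_LDIF = """\
dn: CN=Alice,OU=dep1,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob,OU=dep1,DC=example,DC=com
sAMAccountName: Bob
userAccountControl: 514

dn: CN=Carol,OU=dep2,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 66050
"""

DS_LDIF = """\
dn: uid=alice,ou=dep1,dc=example,dc=com
ntUserDomainId: alice

dn: uid=bob,ou=dep1,dc=example,dc=com
ntUserDomainId: bob

dn: uid=carol,ou=dep2,dc=example,dc=com
ntUserDomainId: carol
nsAccountLock: true
"""

def parse_ldif(text):
    """Return one dict per entry, keyed by lower-cased attribute name."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            # Skip comments, folded continuation lines and base64 ("attr::") values.
            if sep and not line.startswith(("#", " ")) and not value.startswith(":"):
                entry.setdefault(attr.lower(), value.strip())
        if entry:
            entries.append(entry)
    return entries

def stale_active_accounts(ad_ldif, ds_ldif):
    """DS DNs still active although the matching AD account is disabled."""
    disabled = {e["samaccountname"].lower() for e in parse_ldif(ad_ldif)
                if "samaccountname" in e
                and int(e.get("useraccountcontrol", "0")) & ACCOUNTDISABLE}
    return [e["dn"] for e in parse_ldif(ds_ldif)
            if e.get("ntuserdomainid", "").lower() in disabled
            and e.get("nsaccountlock", "").lower() != "true"]
```

With the sample data, only Bob's entry is reported: Carol is disabled in AD but already locked in DS, and Alice is enabled on both sides.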