Theodotos Andreou wrote:
> Hi Rich,
>
> Thanks for the reply!
>
> On Thu, 2010-02-11 at 08:19 -0700, Rich Megginson wrote:
>
>> Theodotos Andreou wrote:
>>
>>> Guys I've seen this warning on the 8.1 Administration Guide:
>>>
>>> WARNING
>>> There can only be a single sync agreement between the Directory Server
>>> environment and the Active Directory environment. Multiple sync
>>> agreements to the same Active Directory domain can create entry
>>> conflicts.
>>> dc=example,dc=com
>>> Ref:
>>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
>>>
>>> In my scenario I have many OUs under the AD synchronized subtree, e.g.
>>> ou=dep1,dc=example,dc=com , ou=dep2,dc=example,dc=com , etc. I tried to
>>> synchronize the whole subtree dc=example,dc=com to the respective tree
>>> on DS but this fails due to schema incompatibilities.
>>>
>> Can you be more specific? What schema? Do you have any error messages
>> to post?
>>
>
> When I created a sync agreement between cn=Users,dc=example,dc=com on AD
> and cn=People,dc=example,dc=com on DS everything worked fine. When I
> tried to do the same with dc=example,dc=com on both servers none of the
> child OUs got replicated and I got errors similar to this:
>
> [12/Jan/2010:08:01:57 +0200] - add value "pre_user2" to attribute type
> "sn" in entry "uid=pre_user2,ou=People, dc=lim, dc=example, dc=com"
> failed: duplicate new value.
>
> I assumed that the reason is that you can not have full replication
> between AD and DS in the same way we can have between two DS Servers.
> That's why we compromise with a user/group sync solution between AD and
> DS. Isn't it schema incompatibilities between AD and DS that cause this?
No, this particular issue is probably due somehow to the DN mapping.
> Is
> it possible to have true replication between them?
>
Maybe samba4 will be able to do this.
>
>
>>> So I created one
>>> sync agreement per OU and it seems to be working as expected in my test
>>> environment.
>>> What is that warning above all about?
>>>
>> It means you can't have multi master between more than one directory
>> server and more than one AD.
>>
>> See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and
>> https://bugzilla.redhat.com/show_bug.cgi?id=184155
>>
>>> What could possibly
>>> go wrong if you use multiple sync agreements? How can there be entry
>>> conflicts if each synchronized subtree is different from the other?
>>>
>>>
>> In your case it should be fine because you have one directory server and
>> one AD.
>>
>
> I am using 1 AD that is configured to have one way sync to 1 DS Server.
> I guess this should not be a problem with multiple agreements, right?
>
Should not be a problem.
> Will there be a problem if I add another DS Server in MultiMaster
> configuration with the existing DS Server?
>
Password sync will be a problem. 389 sends hashed passwords via
replication. AD does not like hashed passwords - it needs the clear text.
>
>>> Another issue I have is that when users are disabled on the AD they are
>>> still active on the DS. An obvious workaround is to change the password
>>> of the disabled user so he can not use his account on AD but it would be
>>> nice if there is a solution to avoid this. Any ideas?
>>>
>>>
>> Regular 389 cannot do this, but freeipa has a winsync plugin that does
>> sync account disabled status.
>>
>
> I've seen this freeipa solution in the past and it triggered my interest.
> As soon as I find some time I will give it a try. Is it stable to use in
> a production environment?
>
I think so, but ask the freeipa guys.
>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>
> Thanks again for the support
>
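Since regular 389 winsync does not carry AD's disabled flag across, a periodic audit of the two trees catches the gap discussed above (accounts disabled on AD but still active on DS). The following is an added example, not code from the thread or from 389 DS or FreeIPA: it assumes plain LDIF exports of both sides, that the winsync mapping pairs the DS uid with the AD sAMAccountName, and that DS locks accounts with nsAccountLock: true; the sample entries are constructed.

```python
import re

ACCOUNTDISABLE = 0x0002  # userAccountControl bit AD sets on a disabled account

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no folded lines): {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def disabled_drift(ad_ldif, ds_ldif):
    """sAMAccountNames that AD has disabled but whose DS entry (assumed mapping:
    DS uid == AD sAMAccountName) does not carry nsAccountLock: true."""
    ds_by_uid = {e["uid"][0]: e for e in parse_ldif(ds_ldif).values() if "uid" in e}
    drift = []
    for e in parse_ldif(ad_ldif).values():
        name = e.get("sAMAccountName", [None])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        ds = ds_by_uid.get(name)
        if (ds is not None and uac & ACCOUNTDISABLE
                and ds.get("nsAccountLock", ["false"])[0].lower() != "true"):
            drift.append(name)
    return sorted(drift)

# Constructed sample exports (not real data). 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE;
# 66050 additionally has DONT_EXPIRE_PASSWORD set. Only pre_user3 is locked on DS.
AD_LDIF = """\
dn: CN=pre_user2,CN=Users,DC=example,DC=com
sAMAccountName: pre_user2
userAccountControl: 514

dn: CN=pre_user3,CN=Users,DC=example,DC=com
sAMAccountName: pre_user3
userAccountControl: 66050
"""
DS_LDIF = """\
dn: uid=pre_user2,ou=People,dc=example,dc=com
uid: pre_user2

dn: uid=pre_user3,ou=People,dc=example,dc=com
uid: pre_user3
nsAccountLock: true
"""
```

Running disabled_drift(AD_LDIF, DS_LDIF) on the sample reports only pre_user2: disabled on AD, still unlocked on DS.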