John A. Sullivan III wrote:
> Hello, all. I know one can only have one sync agreement with an AD. However, is it possible to have a sync agreement with multiple ADs? We would like to synchronize the top of our tree with our main, multi-tenant AD and then synchronize lower levels of the domains with separate domains controlled by our clients. Thus, the same users and groups are synchronized to two different AD trees.
>
> As much as we dearly want this to work, I think it is asking for trouble as the GUID from AD is passed back to LDAP as part of the synchronization. Since these GUIDs will be different for the same user from different AD trees, is this a problem?
>
> I know that sounds a bit convoluted so let me give an example. I have a user Joe in LDAP. I synchronize him to MyAD so he is MyAD\Joe. I also synchronize him to TheirAD so he is also TheirAD\Joe. The GUID for MyAD\Joe is different from the GUID for TheirAD\Joe even though it is the same LDAP Joe. Is that a problem? Thanks - John

Yes, the sync key is the ntUniqueID == AD objectGUID.

Yes, it will be a problem, if you want the single account in RHDS to sync to both accounts in AD.

> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
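An added audit script, not from this thread or from the 389 project, that applies the reply's point (winsync keys an entry on ntUniqueId == AD objectGUID) to LDIF exports from RHDS and from each AD tree, reporting which tree each RHDS entry is actually keyed to and which users two trees would compete for. It assumes ntUniqueId is stored as the 32-character lowercase hex form of the raw objectGUID and that ntUserDomainId carries the AD account name; the LDIF data is constructed inline.

```python
import base64
import re

# Constructed sample data: user "joe" exists in two AD trees with different
# objectGUIDs; the RHDS entry was synced from (so is keyed to) MyAD.
MYAD_GUID, THEIRAD_GUID = bytes(range(16)), bytes(range(16, 32))
ALICE_GUID = bytes(range(32, 48))  # alice exists in MyAD only

def ad_ldif(sam, guid):
    return (f"dn: CN={sam},CN=Users,DC=example,DC=com\nsAMAccountName: {sam}\n"
            f"objectGUID:: {base64.b64encode(guid).decode()}\n")

def rhds_ldif(uid, guid):
    # Assumption: ntUniqueId stores the objectGUID as 32 lowercase hex characters.
    return (f"dn: uid={uid},ou=People,dc=example,dc=com\nntUserDomainId: {uid}\n"
            f"ntUniqueId: {guid.hex()}\n")

MYAD_LDIF = ad_ldif("joe", MYAD_GUID) + "\n" + ad_ldif("alice", ALICE_GUID)
THEIRAD_LDIF = ad_ldif("joe", THEIRAD_GUID)
RHDS_LDIF = rhds_ldif("joe", MYAD_GUID) + "\n" + rhds_ldif("alice", ALICE_GUID)

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr.lower(): [values]}; handles '::' base64
    values but not folded continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def guid_key(raw):
    """Normalise an AD objectGUID (bytes) or RHDS ntUniqueId (str) to lowercase hex."""
    return raw.hex() if isinstance(raw, bytes) else raw.strip().lower()

def audit(rhds_text, ad_ldifs):
    """Per RHDS user: AD trees holding the name, the tree its sync key matches, conflict flag."""
    ad_index = {}  # (tree, sAMAccountName) -> objectGUID hex
    for tree, ldif in ad_ldifs.items():
        for e in parse_ldif(ldif):
            ad_index[(tree, e["samaccountname"][0])] = guid_key(e["objectguid"][0])
    report = {}
    for e in parse_ldif(rhds_text):
        sam, key = e["ntuserdomainid"][0], guid_key(e["ntuniqueid"][0])
        trees = {t for (t, s) in ad_index if s == sam}
        report[sam] = {"present_in": trees, "conflict": len(trees) > 1,
                       "keyed_to": {t for t in trees if ad_index[(t, sam)] == key}}
    return report
```

A "conflict" entry is one that a second agreement would not match by key, so it would be treated as a different object rather than the same user.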