On 07/05/2012 03:52 PM, Orion Poplawski wrote:
On 07/03/2012 10:49 AM, Rich Megginson wrote:
On 07/03/2012 10:45 AM, Orion Poplawski wrote:
We are looking to sync our groups between our ldap server and an AD
server. Our LDAP server also serves a samba domain for one of our
offices. As a result we have Domain Admins and Domain Computers groups
for the samba domain that we don't want to conflict with the AD groups
of the same names. So it seems like we should move the samba domain
groups into a different part of the tree. But we would still want to
have a common shared group area that is visible by all. Any suggestions
as to how to achieve this?
Unless AD stores these groups in a different place in the tree, not in
the scope of other groups, I don't think it is possible with 389. Please
file a ticket.
Is there some way to make a specific subtree (e.g.
ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that
sub-tree plus entries (but not sub-trees) in the parent node
(ou=Groups,dc=nwra,dc=com)?
No, not that I know of. I suppose you could try doing an ldapmodrdn
operation to move those groups in the 389 side from ou=groups to ou=cora
- but I don't know what will happen if winsync tries to sync those
changes back to AD.
That way the different domains could point to their specific sub-tree
for private entries but still share some. I guess the common
directory doesn't need to be the parent, which might make it easier.
Hmm - if you move them (as described above), you can't share them.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users