Re: Syncing AD groups and multiple (samba) domains

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 07/05/2012 03:57 PM, Rich Megginson wrote:

On 07/05/2012 03:52 PM, Orion Poplawski wrote:

On 07/03/2012 10:49 AM, Rich Megginson wrote:

On 07/03/2012 10:45 AM, Orion Poplawski wrote:

We are looking to sync our groups between our ldap server and an AD server.
Our LDAP server also serves a samba domain for one of our offices. As a
result we have Domain Admins and Domain Computers groups for the samba
domain that we don't want to conflict with the AD groups of the same names.

So it seems like we should move the samba domain groups into a different
part of the tree.  But we would still want to have a common shared group
area that is visible by all.  Any suggestions as to how to achieve this?


Unless AD stores these groups in a different place in the tree, not in the
scope of other groups, I don't think it is possible with 389. Please file a
ticket.



Is there some way to make a specific subtree (e.g.
ou=cora,ou=Groups,dc=nwra,dc=com) consistent of entries in that sub-tree
plus entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?


No, not that I know of.  I suppose you could try doing an ldapmodrdn operation
to move those groups in the 389 side from ou=groups to ou=cora - but I don't
know what will happen if winsync tries to sync those changes back to AD.



That was the different domains could point to their specific sub-tree for
private entries but still share some.  I guess the common directory doesn't
need to be the parent, which might make it easier.


Hmm - if you move them (as described above), you can't share them.
I'm trying to implement it using aliases but that doesn't seem to be working. I created: 

dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=
 nwra,dc=com
aliasedObjectName: ou=Groups,dc=nwra,dc=com
objectClass: top
objectClass: alias
to try to link in the common Groups under a private subtree, but ldapsearch just returns the alias object instead of traversing to ou=Groups,dc=nwra,dc=com. This doesn't seems to be correct. Does 389-server support aliases? 

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                   http://www.nwra.com


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux