> On 8 Dec 2021, at 04:02, Caderize Caderize <caderize@xxxxxxxxx> wrote:
>
> Thanks for your analysis.
> I've got it working and I've found a problem in the AD DN plugin.
> The filter was evaluating only objectClass=nsAccount.
> However your PAM config is for sure better than mine, and I must confess I'm not a PAM guru. This will be a chance for me to get a better understanding of the module.
>
> Regarding my second question, which I summarize here:
>
> Once this issue is solved, I think it would be better to sync AD users that belong to a
> specific AD group in order to have more control over it instead of defining a specific
> OU.
> I've seen a page which reports the existence of "Support Filters":
> https://directory.fedoraproject.org/docs/389ds/design/winsync-rfe.html#2-support-filters-1
> And it says:
> new config parameters in windows sync agreement:
> winSyncWindowsFilter: additional_filter_on_AD
> winSyncDirectoryFilter: additional_filter_on_DS
> Example:
> winSyncWindowsFilter: (|(cn=*user*)(cn=*group*))
> winSyncDirectoryFilter: (|(uid=*user*)(cn=*group*))
>
> Anyway it is not clear if my installed version supports this feature
>
> 389-Directory/1.4.4.11 B2021.139.1122

I think it should be supported.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/win-sync

You need to create an OR filter that describes the set of users AND groups you want to sync for the "--win-filter" setting in this case.

>
>
> If you could help also on this it will be really appreciated.
> Many Thanks
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
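
Added example, not part of the original thread or of 389-ds itself: one way to build the OR filter described in the reply so that it covers the members of chosen AD groups plus the groups themselves, with RFC 4515 escaping of the group DNs. The group DNs are constructed samples, and the use of `memberOf` and `distinguishedName` as match attributes is an assumption about the AD side that should be checked against your directory.

```python
# Added example: build a group-scoped OR filter for a winsync agreement
# (the value for winSyncWindowsFilter / "--win-filter").
# Assumptions: AD exposes memberOf on users and distinguishedName on groups;
# memberOf reflects direct membership only, so nested groups are not covered.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_scoped_filter(group_dns):
    """Return an OR filter matching direct members of the groups and the groups."""
    if not group_dns:
        # An empty OR would not express "only these groups"; fail loudly instead.
        raise ValueError("at least one group DN is required")
    clauses = []
    for dn in group_dns:
        safe = escape_filter_value(dn)
        clauses.append(f"(&(objectClass=user)(memberOf={safe}))")
        clauses.append(f"(&(objectClass=group)(distinguishedName={safe}))")
    return "(|" + "".join(clauses) + ")"


def is_balanced(ldap_filter):
    """Cheap sanity check: parentheses must nest and close correctly."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample DNs; the second contains characters that need escaping.
    groups = [
        "CN=Linux Users,OU=Groups,DC=example,DC=com",
        "CN=Ops (EU),OU=Groups,DC=example,DC=com",
    ]
    win_filter = group_scoped_filter(groups)
    assert is_balanced(win_filter)
    print(win_filter)
```

Test the resulting string with an ordinary LDAP search against AD before putting it in the agreement, so you can see exactly which entries it selects.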