https://fedorahosted.org/389/ticket/47327 https://fedorahosted.org/389/attachment/ticket/47327/0001-Ticket-47327-error-syncing-group-if-group-member-use.patch Bug description: Windows Sync synchronizes member attributes in a group entry if the member entry itself is synchronized. The entries in the sync scope are basically to be synchronized. But there is an exception such as a container in the scope is not synchronized due to the objecttype constraints. Such an unsync'ed entry could have users in it. Users are the target of Windows Sync. But since the parent container is not synch- ronized, the users in the container are not, neither. If a group contains such special user as a member, synchronization failed there and the other normal members are failed to get synchronized. Fix description: Windows Sync has a helper function is_subject_of_agreement_remote, which checks if the entry is in the scope to be synchronized. This patch adds the check if the checking entry's parent locally exists in the DS. If it does not exist, it considers the entry is out of scope. AD strictly checks if the entry exists prior to adding it to a group entry as a member. That is, a member to be added is supposed to be in the server, as well as its parent is. With this change, the AD user which is not synchronized to the DS is just skipped to add to the group in the DS in the same manner as an user out of scope is. This fix proposal is a bit different from the discussion on the ticket 47327. I thought it is straightforward that we handle the in-scope but not-sync'ed DN in the same way as out-of-scope DN. -- 389-devel mailing list 389-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-devel
