Rich Megginson wrote:
Kenneth Holter wrote:
Hi.
We're using Windows sync on our (RedHat) directory server to fetch
users from AD, and have a quick question about the UID attribute: It
looks to me like the UID attribute that linux ldap clients use for
authentication, is an attribute created when one adds the posixaccount
object class to the user object. In other words, when user "kenneth"
is synced over from AD and I add the posixaccount object class, then
the uid attribute is automatically created and populated with uid
value "kenneth" from some (which one? "name"? "cn"?) AD attribute. Is
this correct?
Yes. The AD attribute samAccountName is used to populate the uid
attribute on 389.
If so, can I assume that making changes to the uid attribute will not
be reflected on the AD side?
I'm not sure. uid and samAccountName are "special" attributes - not
sure if they are synced - you could try it I suppose.
We normally see the following:
1. AD Account created
2. FreeIPA winsync sees the new account and creates a new user based on
the samAccountName (so the uid value is = to samaccountname AND
ntuserdomainid=samaccountname)
3. winsync runs again and the uid attribute is written to the AD record.
4. if you change the uid in freeipa, winsync will change the uid value
for the AD record, but not the samaccountname.
5. if you change the ntuserdomainid in freeipa, then the account will no
longer sync. (So make sure you change the samaccountname in AD next.)
Best regards,
Kenneth Holter
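An added consistency check (example code, not from the thread or from 389/FreeIPA) built around the behaviour described above: it reads a constructed export of the 389 side (uid, ntUserDomainId) and of the AD side (sAMAccountName), flags entries whose ntUserDomainId no longer matches any AD sAMAccountName (step 5: these stop syncing) and entries whose uid has diverged from sAMAccountName (step 4: winsync pushes the uid, but AD's sAMAccountName stays). The sample LDIF, DNs and the helper names are assumptions for illustration.

```python
import re

# Constructed sample exports (not real data), attribute names as in the thread:
# uid / ntUserDomainId on 389, sAMAccountName on AD.
DS_LDIF = """\
dn: uid=kenneth,ou=People,dc=example,dc=com
uid: kenneth
ntUserDomainId: kenneth

dn: uid=rmeggins,ou=People,dc=example,dc=com
uid: rmeggins
ntUserDomainId: rich

dn: uid=alice2,ou=People,dc=example,dc=com
uid: alice2
ntUserDomainId: alice
"""

AD_LDIF = """\
dn: CN=kenneth,CN=Users,DC=example,DC=com
sAMAccountName: kenneth

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
"""

def parse_ldif(text):
    """Minimal LDIF parser: single-valued attributes, blank-line separated entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
        entries.append(entry)
    return entries

def check_sync_consistency(ds_ldif, ad_ldif):
    """'orphaned': ntUserDomainId has no AD sAMAccountName, so the entry will stop syncing.
    'uid_diverged': uid was changed and no longer matches the AD account it is linked to."""
    ad_names = {e["samaccountname"].lower() for e in parse_ldif(ad_ldif)}
    report = {"orphaned": [], "uid_diverged": []}
    for e in parse_ldif(ds_ldif):
        link = e.get("ntuserdomainid", "").lower()
        if link not in ad_names:
            report["orphaned"].append(e["dn"])
        elif e["uid"].lower() != link:
            report["uid_diverged"].append(e["dn"])
    return report
```

Running it against real exports means replacing the two string constants with the output of an ldapsearch of each directory.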
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users