Tuesday, December 7, 2021

[389-users] Re: Help - Missing nsAccount objectClass for WinSync users from AD

> On 8 Dec 2021, at 04:02, Caderize Caderize <caderize@gmail.com> wrote:
>
> Thanks for your analysis.
> I've got it working and I've found a problem in the AD DN plugin.
> The filter was evaluating only objectClass=nsAccount.
> However, your PAM config is for sure better than mine, and I must confess I'm not a PAM guru. This will be a change to make a better understanding about the module by me.
>
> Regarding my second question, which I summarize here:
>
> Once this issue is solved, I think it would be better to sync AD users that belong to a
> specific AD group in order to have more control over it instead of defining a specific
> OU.
> I've seen a page which reports the existence of "Support Filters":
> https://directory.fedoraproject.org/docs/389ds/design/winsync-rfe.html#2-support-filters-1
> And it says:
> new config parameters in windows sync agreement:
> winSyncWindowsFilter: additional_filter_on_AD
> winSyncDirectoryFilter: additional_filter_on_DS
> Example:
> winSyncWindowsFilter: (|(cn=*user*)(cn=*group*))
> winSyncDirectoryFilter: (|(uid=*user*)(cn=*group*))
>
> Anyway, it is not clear if my installed version supports this feature
>
> 389-Directory/1.4.4.11 B2021.139.1122

I think it should be supported.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/win-sync

You need to create an OR filter that describes the set of users AND groups you want to sync for the "--win-filter" setting in this case.


>
>
> If you could help also on this it will be really appreciated.
> Many Thanks
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
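
An added example, not part of the original message or of the 389 DS project: one way to build the OR filter described above for a group-scoped sync, assuming AD's `memberOf` and `distinguishedName` attributes and constructed group DNs. Assertion values are escaped per RFC 4515 so that a group name containing filter metacharacters cannot widen the sync scope.

```python
# Added example; function names and sample DNs are hypothetical/constructed.

def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (NUL, '(', ')', '*', '\\')."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def group_scoped_filter(group_dns):
    """Build an OR filter matching each group entry and its direct members.

    Assumption: memberOf on an AD user lists direct memberships only, so
    nested or primary-group membership is not covered by this filter.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = []
    for dn in group_dns:
        safe = escape_filter_value(dn)
        terms.append(f"(memberOf={safe})")           # users in the group
        terms.append(f"(distinguishedName={safe})")  # the group entry itself
    return "(|" + "".join(terms) + ")"


def is_balanced(filter_str: str) -> bool:
    """Sanity check before applying: raw parentheses must nest and close.

    Escaped parentheses appear as \\28 and \\29, so every raw one is structural.
    """
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed DN; replace with the real sync group in your AD.
    f = group_scoped_filter(["CN=DS Sync,OU=Groups,DC=example,DC=com"])
    assert is_balanced(f)
    # Value for "--win-filter", stored as winSyncWindowsFilter on the agreement.
    print("winSyncWindowsFilter: " + f)
```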
