Saturday, December 16, 2023

[389-users] AD replication with pre-existing groups and user accounts

Hi all,

I recently switched from an old Solaris LDAP to 389 Directory Server, version 2.0.15. The Solaris LDAP server also did a synchronization of accounts and groups to Active Directory, so there are already many existing users and groups, which I imported into the 389 server.

Concerning the Active Directory synchronization part, I am now struggling a bit. It would probably be cleanest to remove the old AD user and group accounts which were created from Solaris LDAP, such that 389 DS creates them all anew. Nevertheless, this attempt led to storage access and login problems for the newly synchronized accounts, as Active Directory assigned new SIDs after the sync, and so the storage permissions for home and other data storage shares got broken. No newly synced user was able to access their data any more. So, this procedure is not really an option, as we cannot reset permissions on all storage servers.

Would it be possible instead to somehow link the 389 DS accounts to the existing accounts in Active Directory which were created from the Solaris LDAP server? Is there, e.g., an attribute in the accounts which can be added to establish a link between 389 and AD accounts? Currently, these existing accounts seem to be simply skipped by the AD sync process.

Any hint on this is highly appreciated!

Thank you and best regards,
  Alex
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
