ok guess I got it
configured the sync agreement on the root suffix
(389) dc=domain,dc=com <==> (AD) cd=domain,dc=com
this seems to do the trick as long as the OU structure matches
Sent: Sunday, 25 May 2014 at 23:22
From: "Christian Zimmermann" <chris612@gmx.de>
To: 389-users@lists.fedoraproject.org
Subject: Re: [389-users] winsync - group membership and different ou's
users in the ad are most of the time organized in ou's because of gpo's that should apply to that user
so "distributed" users are common.
do I really have to keep the groups manually in sync?
cheers
christian
Sent: Sunday, 25 May 2014 at 22:52
From: "DuWayne Holsbeck" <drh@niptron.com>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, "Christian Zimmermann" <chris612@gmx.de>
Subject: Re: [389-users] winsync - group membership and different ou's
that's what I found, I synced the DS to the AD root suffix and everything seems to work fine. As long as AD and DS users and groups use the same OU structure. Users and Groups on DS and AD are in the same OUs. Your mileage may vary.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
On May 25, 2014 3:08:42 PM CDT, Christian Zimmermann <chris612@gmx.de> wrote:
Hi everybody,
I'm using 389 with our AD (2k8) to sync users and groups.
Basically everything works, except the group membership of users that are not in the same OU as the group.
Memberships of users that are in test_ou01 will not get synced if the group is in test_ou02.
The membership gets synced if the user and the group he belongs to are in the same OU.
Is this a limitation of the winsync agreement or am I missing something?
cheers
christian
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
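An added example, not part of the thread and not 389 DS code: a scope check for the behaviour discussed above, useful for auditing which memberships would be dropped before group data is relied on for access decisions. It assumes, as the thread reports, that a membership is only synced when the group and the member both sit under the agreement's subtree; the function names and the sample DNs are constructed for illustration.

```python
def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honouring backslash escapes."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":              # unescaped comma ends the RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(dn, base):
    """True if dn is at or below base, compared RDN by RDN (not by string suffix)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def out_of_scope_members(group_dn, members, subtree):
    """Members whose membership falls outside the sync subtree (assumed behaviour)."""
    if not in_subtree(group_dn, subtree):
        return list(members)         # the group itself is not synced at all
    return [m for m in members if not in_subtree(m, subtree)]


# Constructed sample data modelled on the OUs named in the thread.
ROOT = "dc=domain,dc=com"
OU_SCOPE = "ou=test_ou02,dc=domain,dc=com"
GROUP = "cn=staff,ou=test_ou02,dc=domain,dc=com"
MEMBERS = [
    "cn=alice,ou=test_ou02,dc=domain,dc=com",
    "CN=Bob, OU=test_ou01, DC=domain, DC=com",
    "cn=Smith\\, Carol,ou=test_ou01,dc=domain,dc=com",
]

if __name__ == "__main__":
    for scope in (OU_SCOPE, ROOT):
        print(scope, "->", out_of_scope_members(GROUP, MEMBERS, scope))
```

With the agreement scoped to `ou=test_ou02` the two `test_ou01` users are reported; scoped to the root suffix, none are.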