Saturday, December 16, 2023

[389-users] AD replication with pre-existing groups and user accounts

Hi all,
I recently switched from an old Solaris LDAP to 389 Directory Server,
version 2.0.15.
The Solaris LDAP server also did a synchronization of accounts and
groups to Active Directory,
so there are already many users and groups existing which I imported to
the 389 server.

Concerning the Active Directory synchronization part I am now struggling
a bit.
It would probably be cleanest to remove the old AD user and group
accounts which have been created from Solaris LDAP
such that the 389 DS will create them all anew.
Nevertheless, this attempt led to storage access and login
problems for the newly synchronized accounts, as Active Directory
assigned new SIDs after the sync, so the storage permissions for home
and other data storage shares got broken. No newly synced user
was able to access their data any more.
So, this procedure is not really an option, as we cannot reset
permissions on all storage servers.

Would it be possible instead to somehow link the 389 DS accounts to the
existing accounts in Active Directory which were created from the
Solaris LDAP server?
Is there e.g. an attribute in the accounts which can be added to
establish a link between 389 and AD accounts?
Currently, these existing accounts seem to be simply skipped by the AD
sync process.

Any hint on this is highly appreciated!

Thank you and best regards,
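The question above is how to attach existing 389 DS entries to AD accounts that already exist, so that winsync matches them instead of creating new accounts with new SIDs. The following is an added example, not part of the post and not from the 389 DS project: it builds the LDIF that would mark existing 389 DS users as Windows-sync users. It assumes the 389 DS winsync schema attributes ntUser, ntUserDomainId, ntUserCreateNewAccount and ntUserDeleteAccount, with ntUserDomainId expected to equal the AD sAMAccountName; the DNs, uids and sAMAccountNames are constructed sample data, and the matching rule (case-insensitive on the account name, AD spelling written into the LDIF) is the example author's choice. Check the attribute names against the schema of the deployed server before applying anything.

```python
# Added example (not from the mailing-list post or the 389 DS project).
# Plans which existing 389 DS users can be linked to AD accounts that already
# exist, and emits the LDIF to add the winsync attributes to those entries.
# Attribute names are assumed from the 389 DS winsync schema: ntUser,
# ntUserDomainId, ntUserCreateNewAccount, ntUserDeleteAccount.
from typing import Dict, List, Tuple

# Constructed sample data: uid -> DN of entries already imported into 389 DS.
DS_USERS: Dict[str, str] = {
    "alice": "uid=alice,ou=People,dc=example,dc=com",
    "bob": "uid=bob,ou=People,dc=example,dc=com",
    "carol": "uid=carol,ou=People,dc=example,dc=com",
}

# Constructed sample data: sAMAccountName values already present in AD
# (as spelled in AD; AD compares them case-insensitively).
AD_SAMACCOUNTNAMES: List[str] = ["alice", "Bob"]


def plan_links(ds_users: Dict[str, str],
               ad_names: List[str]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Match DS uids to AD sAMAccountNames (case-insensitive).

    Returns (matched, unmatched): matched is a sorted list of
    (uid, dn, sAMAccountName-as-in-AD); unmatched lists uids with no AD
    account, which must NOT be linked (winsync would otherwise have to
    create them, and a created account gets a new SID).
    """
    by_lower = {name.lower(): name for name in ad_names}
    matched, unmatched = [], []
    for uid in sorted(ds_users):
        ad_name = by_lower.get(uid.lower())
        if ad_name is None:
            unmatched.append(uid)
        else:
            matched.append((uid, ds_users[uid], ad_name))
    return matched, unmatched


def build_ldif(matched: List[Tuple[str, str, str]]) -> str:
    """Emit one ldapmodify change record per matched DS entry.

    ntUserDomainId carries the AD spelling of the account name so winsync
    can find the existing AD object; ntUserCreateNewAccount is false so no
    new AD account (and no new SID) is created; ntUserDeleteAccount is
    false so removing the DS entry does not delete the AD account.
    """
    records = []
    for _uid, dn, ad_name in matched:
        records.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            "add: objectClass\n"
            "objectClass: ntUser\n"
            "-\n"
            "add: ntUserDomainId\n"
            f"ntUserDomainId: {ad_name}\n"
            "-\n"
            "add: ntUserCreateNewAccount\n"
            "ntUserCreateNewAccount: false\n"
            "-\n"
            "add: ntUserDeleteAccount\n"
            "ntUserDeleteAccount: false\n"
            "-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    linked, skipped = plan_links(DS_USERS, AD_SAMACCOUNTNAMES)
    print(build_ldif(linked))
    # Review the skipped uids by hand before deciding whether AD accounts
    # should be created for them.
    print("# not linked (no AD account):", ", ".join(skipped))
```

The printed LDIF would be reviewed and then fed to ldapmodify against the 389 DS instance; the list of unmatched uids is deliberately kept out of the LDIF so that only accounts which already exist in AD get the sync attributes.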