Mikael Kermorgant
2006-Oct-28 22:49 UTC
[Fedora-directory-users] password sync with 2 AD domains
Hello,

I've read about password sync between Active Directory and Fedora Directory Server.

In my environment, there is one global LDAP server built upon FDS, and two Active Directory domains.
Is there any hope to get password sync between FDS and both Active Directory domains, or is this feature limited to one Active Directory domain?

Thanks in advance,
-- 
Mikael Kermorgant
David Boreham
2006-Oct-29 14:17 UTC
Re: [Fedora-directory-users] password sync with 2 AD domains
Mikael Kermorgant wrote:
> I've read about password sync between Active Directory and Fedora
> Directory Server.
>
> In my environment, there is one global LDAP server built upon FDS, and
> two Active Directory domains.
> Is there any hope to get password sync between FDS and both Active
> Directory domains or is this feature limited to one Active Directory
> domain ?

This should work IF and only if you have all the users for each AD domain in their own DIT container in FDS. If you want to mingle all the users in the same container, it won't work.
Mikael Kermorgant
2006-Oct-29 15:34 UTC
Re: [Fedora-directory-users] password sync with 2 AD domains
2006/10/29, David Boreham <david_list@boreham.org>:
> Mikael Kermorgant wrote:
>
> > I've read about password sync between Active Directory and Fedora
> > Directory Server.
> >
> > In my environment, there is one global LDAP server built upon FDS, and
> > two Active Directory domains.
> > Is there any hope to get password sync between FDS and both Active
> > Directory domains or is this feature limited to one Active Directory
> > domain ?
>
> This should work IF and only if you have all the users for each AD
> domain in their own DIT container in FDS. If you want to mingle all
> the users in the same container, it won't work.

Is there any hope that a virtual view would be enough? I have indeed a single ou for all the users in FDS.

Regards,
-- 
Mikael Kermorgant
David Boreham
2006-Oct-29 16:05 UTC
Re: [Fedora-directory-users] password sync with 2 AD domains
> Is there any hope that a virtual view would be enough ? I have indeed
> a single ou for all the users in FDS.

Not without code changes, I don't think so. The code uses certain criteria to determine if a given entry 'belongs' in the target AD. It can support multiple AD domains (create multiple sync agreements). However the criteria are: correct object class, and correct subtree. Therefore your entries would match for both agreements and hence get sync'ed to both AD domains, which is not what you want. The 'fix' would be to store the domain name in the entry (possibly this is already done, I can't remember), and then add that to the criteria for syncing.
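The following is an added illustration of the matching rule David describes above; it is not code from this thread or from FDS itself. It models a sync agreement as a pair of criteria (object class plus subtree), shows why every user in a single ou matches both agreements, why per-domain containers give each user exactly one agreement, and how the proposed third criterion (a domain name stored on the entry) would disambiguate. The agreement names, DNs and the `adDomain` attribute are constructed for the example; `ntUser` is the auxiliary object class FDS Windows sync marks sync-able users with.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: one FDS suffix, two AD domains.
SUFFIX = "dc=example,dc=com"
PEOPLE = f"ou=People,{SUFFIX}"


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators.

    Simplified: escaped commas inside an RDN value are not handled,
    which is enough for the plain DNs used in this example."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn: str, subtree_dn: str) -> bool:
    """True if entry_dn is the subtree root or lies below it."""
    e, s = normalize_dn(entry_dn), normalize_dn(subtree_dn)
    return e == s or e.endswith("," + s)


@dataclass
class SyncAgreement:
    name: str              # constructed label for the agreement
    subtree: str           # FDS-side subtree the agreement covers
    object_class: str = "ntUser"   # class that marks a sync-able entry
    domain: Optional[str] = None   # hypothetical extra criterion (the 'fix')


def matching_agreements(entry: Dict, agreements: List[SyncAgreement]) -> List[str]:
    """Return the names of every agreement whose criteria the entry satisfies."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    names = []
    for a in agreements:
        if a.object_class.lower() not in classes:
            continue
        if not in_subtree(entry["dn"], a.subtree):
            continue
        # Third criterion only applies if the agreement carries a domain.
        if a.domain is not None and entry.get("adDomain", "").lower() != a.domain.lower():
            continue
        names.append(a.name)
    return names


def user(uid: str, container: str, domain: Optional[str] = None) -> Dict:
    entry = {"dn": f"uid={uid},{container}", "objectClass": ["person", "ntUser"]}
    if domain is not None:
        entry["adDomain"] = domain
    return entry


def single_ou_scenario() -> List[str]:
    """Mikael's layout: one ou for everybody, two agreements on that ou."""
    agreements = [SyncAgreement("to-corp", PEOPLE), SyncAgreement("to-lab", PEOPLE)]
    return matching_agreements(user("mkermorgant", PEOPLE), agreements)


def per_container_scenario() -> Dict[str, List[str]]:
    """David's working layout: a container per AD domain."""
    corp, lab = f"ou=corp,{PEOPLE}", f"ou=lab,{PEOPLE}"
    agreements = [SyncAgreement("to-corp", corp), SyncAgreement("to-lab", lab)]
    return {
        "alice": matching_agreements(user("alice", corp), agreements),
        "bob": matching_agreements(user("bob", lab), agreements),
    }


def domain_attribute_scenario() -> Dict[str, List[str]]:
    """The suggested fix: keep one ou, key on a domain attribute per entry."""
    agreements = [
        SyncAgreement("to-corp", PEOPLE, domain="corp.example.com"),
        SyncAgreement("to-lab", PEOPLE, domain="lab.example.com"),
    ]
    group = {"dn": f"cn=admins,{PEOPLE}", "objectClass": ["groupOfNames"]}
    return {
        "alice": matching_agreements(user("alice", PEOPLE, "corp.example.com"), agreements),
        "bob": matching_agreements(user("bob", PEOPLE, "lab.example.com"), agreements),
        "untagged": matching_agreements(user("carol", PEOPLE), agreements),
        "group": matching_agreements(group, agreements),
    }


if __name__ == "__main__":
    print("single ou:", single_ou_scenario())
    print("per container:", per_container_scenario())
    print("domain attribute:", domain_attribute_scenario())
```

Running it shows the single-ou user matching both `to-corp` and `to-lab`, which is the double-sync outcome David warns about; with per-domain containers or the domain attribute each user matches exactly one agreement, and an entry with no domain tag (or without the `ntUser` class) matches none.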