Hello, I am interested in knowing if anyone is using the PassSync functionality in only one direction, making the Fedora-DS a consumer only to the Active Directory server. I am only interested in populating the Fedora-DS with the user account information and passwords; there is no need for me to go in the other direction. With that in mind, would I still create a 'Single Master' replication configuration or is there an alternate method since the Fedora-DS is really only the consumer and not a supplier? My guess is that a 'Single Master' configuration will still have to be created since the winsync code builds off the replication plug-in. If it turns out that the Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from expecting the Active Directory system to have correctly sync'd databases? Other than the functionality of pushing passwords and accounts from my Fedora-DS system not being needed (in fact the AD server group will only allow my Fedora-DS to pull and not update), I am hoping that this could stop the "db vector errors" from occurring. Any suggestions from the Fedora-DS veterans out there? Thanks
Scott Boggs wrote:
> I am interested in knowing if anyone is using the PassSync functionality in only one direction, making the Fedora-DS a consumer only to the Active Directory server. I am only interested in populating the Fedora-DS with the user account information and passwords; there is no need for me to go in the other direction. With that in mind, would I still create a 'Single Master' replication configuration or is there an alternate method since the Fedora-DS is really only the consumer and not a supplier? My guess is that a 'Single Master' configuration will still have to be created since the winsync code builds off the replication plug-in. If it turns out that the Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from expecting the Active Directory system to have correctly sync'd databases?

If you _only_ need passwords propagated from AD to FDS, then you can simply install only the PassSync service, and not configure any WinSync replication agreement. If you need that plus inbound sync updates from AD to FDS (e.g. new users, non-password attribute changes), then you can achieve the desired functionality only with a code change. It'd be a very simple code change I think though: just find the place where changelog records are read and processed for sending to AD. Comment out that code. I can't think of a reason why disabling outbound updates would break any of the inbound functionality, but I've only thought about it for a few minutes...
Great, I will have to look into it. When you say code change, are you speaking within the replication plug-in? Thanks again.
Scott Boggs wrote:
> Great, I will have to look into it. When you say code change, are you speaking within the replication plug-in? Thanks again.

Here: http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/plugins/replication/windows_inc_protocol.c#1262

Line 1263 is the call to windows_replay_update(). I think that if you comment out that call (or better, add configuration infrastructure to allow it to be enabled or disabled from a flag in the agreement; try commenting out first...) then you should get the desired behavior.