Hello,
I am interested in knowing if anyone is using the PassSync functionality in only one direction, making the Fedora-DS a consumer only to the Active Directory server. I am only interested in populating the Fedora-DS with the user account information and passwords; there is no need for me to go in the other direction. With that in mind, would I still create a 'Single Master' replication configuration or is there an alternate method since the Fedora-DS is really only the consumer and not a supplier? My guess is that a 'Single Master' configuration will still have to be created since the winsync code builds off the replication plug-in. If it turns out that the Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from expecting the Active Directory system to have correctly sync'd databases?
Other than the functionality of pushing passwords and accounts from my Fedora-DS system not being needed (in fact the AD server group will only allow my Fedora-DS to pull and not update) I am hoping that this could fix the "db vector errors" from occurring.
Any suggestions from the Fedora-DS veterans out there? Thanks
Scott Boggs wrote:
> Hello,
> I am interested in knowing if anyone is using the PassSync functionality in only one direction, making the Fedora-DS a consumer only to the Active Directory server. I am only interested in populating the Fedora-DS with the user account information and passwords; there is no need for me to go in the other direction. With that in mind, would I still create a ‘Single Master’ replication configuration or is there an alternate method since the Fedora-DS is really only the consumer and not a supplier? My guess is that a ‘Single Master’ configuration will still have to be created since the winsync code builds off the replication plug-in. If it turns out that the Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from expecting the Active Directory system to have correctly sync’d databases?
> Other than the functionality of pushing passwords and accounts from my Fedora-DS system not being needed (in fact the AD server group will only allow my Fedora-DS to pull and not update) I am hoping that this could fix the “db vector errors” from occurring.
What "db vector errors"? Are these coming from Fedora DS?
> Any suggestions from the Fedora-DS veterans out there? Thanks
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Scott Boggs wrote:
> I am interested in knowing if anyone is using the PassSync functionality in only one direction, making the Fedora-DS a consumer only to the Active Directory server. I am only interested in populating the Fedora-DS with the user account information and passwords; there is no need for me to go in the other direction. With that in mind, would I still create a 'Single Master' replication configuration or is there an alternate method since the Fedora-DS is really only the consumer and not a supplier? My guess is that a 'Single Master' configuration will still have to be created since the winsync code builds off the replication plug-in. If it turns out that the Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from expecting the Active Directory system to have correctly sync'd databases?
If you _only_ need passwords propagated from AD to FDS, then you can simply install only the PassSync service, and not configure any WinSync replication agreement.
If you need that plus inbound sync updates from AD to FDS (e.g. new users, non-password attribute changes), then you can achieve the desired functionality only with a code change. It'd be a very simple code change, I think, though: just find the place where changelog records are read and processed for sending to AD. Comment out that code. I can't think of a reason why disabling outbound updates would break any of the inbound functionality, but I've only thought about it for a few minutes...
Great, I will have to look into it. When you say code change, are you speaking within the replication plug-in? Thanks again.
Scott Boggs wrote:
> Great, I will have to look into it. When you say code change, are you speaking within the replication plug-in? Thanks again.
Here: http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/plugi...
Line 1263 is the call to windows_replay_update(). I think that if you comment out that call (or better, add configuration infrastructure to allow it to be enabled or disabled from a flag in the agreement: try commenting out first...) then you should get the desired behavior.