We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
Thanks!
On 07/03/2012 10:45 AM, Orion Poplawski wrote:
> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
> Thanks!
On 07/03/2012 10:49 AM, Rich Megginson wrote:
> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
>> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
> Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
Filed here: https://fedorahosted.org/389/ticket/404
Not sure about components, etc or even the description. Please fix up as needed. Thanks!
On 07/03/2012 10:59 AM, Orion Poplawski wrote:
> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
>>> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
>> Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
> Filed here: https://fedorahosted.org/389/ticket/404
> Not sure about components, etc or even the description. Please fix up as needed. Thanks!
Not to worry. Thanks!
On 07/03/2012 10:49 AM, Rich Megginson wrote:
> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
>> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
> Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
Is there some way to make a specific subtree (e.g. ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree plus entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?
That way the different domains could point to their specific sub-tree for private entries but still share some. I guess the common directory doesn't need to be the parent, which might make it easier.
On 07/05/2012 03:52 PM, Orion Poplawski wrote:
> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
>>> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
>> Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
> Is there some way to make a specific subtree (e.g. ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree plus entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?
No, not that I know of. I suppose you could try doing an ldapmodrdn operation to move those groups in the 389 side from ou=groups to ou=cora - but I don't know what will happen if winsync tries to sync those changes back to AD.
> That way the different domains could point to their specific sub-tree for private entries but still share some. I guess the common directory doesn't need to be the parent, which might make it easier.
Hmm - if you move them (as described above), you can't share them.
On 07/05/2012 03:57 PM, Rich Megginson wrote:
> On 07/05/2012 03:52 PM, Orion Poplawski wrote:
>> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>>> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
>>>> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
>>> Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
>> Is there some way to make a specific subtree (e.g. ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree plus entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?
> No, not that I know of. I suppose you could try doing an ldapmodrdn operation to move those groups in the 389 side from ou=groups to ou=cora - but I don't know what will happen if winsync tries to sync those changes back to AD.
>> That way the different domains could point to their specific sub-tree for private entries but still share some. I guess the common directory doesn't need to be the parent, which might make it easier.
> Hmm - if you move them (as described above), you can't share them.
I'm trying to implement it using aliases but that doesn't seem to be working. I created:
dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=nwra,dc=com
aliasedObjectName: ou=Groups,dc=nwra,dc=com
objectClass: top
objectClass: alias
to try to link in the common Groups under a private subtree, but ldapsearch just returns the alias object instead of traversing to ou=Groups,dc=nwra,dc=com. This doesn't seem to be correct. Does 389-server support aliases?
On 07/06/2012 10:30 AM, Orion Poplawski wrote:
> On 07/05/2012 03:57 PM, Rich Megginson wrote:
>> On 07/05/2012 03:52 PM, Orion Poplawski wrote:
>>> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>>>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>>>> We are looking to sync our groups between our ldap server and an AD server. Our LDAP server also serves a samba domain for one of our offices. As a result we have Domain Admins and Domain Computers groups for the samba domain that we don't want to conflict with the AD groups of the same names.
>>>>> So it seems like we should move the samba domain groups into a different part of the tree. But we would still want to have a common shared group area that is visible by all. Any suggestions as to how to achieve this?
>>>> Unless AD stores these groups in a different place in the tree, not in the scope of other groups, I don't think it is possible with 389. Please file a ticket.
>>> Is there some way to make a specific subtree (e.g. ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree plus entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?
>> No, not that I know of. I suppose you could try doing an ldapmodrdn operation to move those groups in the 389 side from ou=groups to ou=cora - but I don't know what will happen if winsync tries to sync those changes back to AD.
>>> That way the different domains could point to their specific sub-tree for private entries but still share some. I guess the common directory doesn't need to be the parent, which might make it easier.
>> Hmm - if you move them (as described above), you can't share them.
> I'm trying to implement it using aliases but that doesn't seem to be working. I created:
> dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=nwra,dc=com
> aliasedObjectName: ou=Groups,dc=nwra,dc=com
> objectClass: top
> objectClass: alias
> to try to link in the common Groups under a private subtree, but ldapsearch just returns the alias object instead of traversing to ou=Groups,dc=nwra,dc=com. This doesn't seem to be correct. Does 389-server support aliases?
No, 389 does not support aliases.
On 07/06/2012 10:30 AM, Rich Megginson wrote:
> On 07/06/2012 10:30 AM, Orion Poplawski wrote:
>> Does 389-server support aliases?
> No, 389 does not support aliases.
I noticed you didn't say file a ticket this time :)
Ah well.
On 07/06/2012 12:25 PM, Orion Poplawski wrote:
> On 07/06/2012 10:30 AM, Rich Megginson wrote:
>> On 07/06/2012 10:30 AM, Orion Poplawski wrote:
>>> Does 389-server support aliases?
>> No, 389 does not support aliases.
> I noticed you didn't say file a ticket this time :)
There already is a ticket - https://fedorahosted.org/389/ticket/152
> Ah well.
On 07/06/2012 12:28 PM, Rich Megginson wrote:
> On 07/06/2012 12:25 PM, Orion Poplawski wrote:
>> On 07/06/2012 10:30 AM, Rich Megginson wrote:
>>> On 07/06/2012 10:30 AM, Orion Poplawski wrote:
>>>> Does 389-server support aliases?
>>> No, 389 does not support aliases.
>> I noticed you didn't say file a ticket this time :)
> There already is a ticket - https://fedorahosted.org/389/ticket/152
Only 6 years old, I guess I won't hold my breath :). Sounds like a fairly major thing to implement. Thanks again.