Hello, all. I know one can only have one sync agreement with an AD.
However, is it possible to have a sync agreement with multiple ADs. We
would like to synchronize the top of our tree with our main,
multi-tenant AD and then synchronize lower levels of the domains with
separate domains controlled by our clients. Thus, the same users and
groups are synchronized to two different AD trees.

As much as we dearly want this to work, I think it is asking for trouble
as the GUID from AD is passed back to LDAP as part of the
synchronization. Since these GUIDs will be different for the same user
from different AD trees, is this a problem?

I know that sounds a bit convoluted so let me give an example. I have a
user Joe in LDAP. I synchronize him to MyAD so he is MyADJoe. I also
synchronize him to TheirAD so he is also TheirADJoe. The GUID for MyAD
Joe is different from the GUID for TheirADJoe even though it is the
same LDAP Joe. Is that a problem? Thanks - John

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Is the DIT object ntuniqueid constructed from the Windows user object uuid and domain sid to keep the uniqueness ?

Sent from Zimbra and my HTC Desire



----- Reply message -----
From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
Date: Tue, Jul 27, 2010 21:42
Subject: [389-users] Synching with multiple Windows ADs
To: <389-users@lists.fedoraproject.org>

Hello, all. I know one can only have one sync agreement with an AD.
However, is it possible to have a sync agreement with multiple ADs. We
would like to synchronize the top of our tree with our main,
multi-tenant AD and then synchronize lower levels of the domains with
separate domains controlled by our clients. Thus, the same users and
groups are synchronized to two different AD trees.

As much as we dearly want this to work, I think it is asking for trouble
as the GUID from AD is passed back to LDAP as part of the
synchronization. Since these GUIDs will be different for the same user
from different AD trees, is this a problem?

I know that sounds a bit convoluted so let me give an example. I have a
user Joe in LDAP. I synchronize him to MyAD so he is MyADJoe. I also
synchronize him to TheirAD so he is also TheirADJoe. The GUID for MyAD
Joe is different from the GUID for TheirADJoe even though it is the
same LDAP Joe. Is that a problem? Thanks - John

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

UxBoD wrote:
> Is the DIT object ntuniqueid constructed from the Windows user object uuid and domain sid to keep the uniqueness ?
>
ntuniqueid == AD objectGUID
> Sent from Zimbra and my HTC Desire
>
>
>
> ----- Reply message -----
> From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
> Date: Tue, Jul 27, 2010 21:42
> Subject: [389-users] Synching with multiple Windows ADs
> To: <389-users@lists.fedoraproject.org>
>
> Hello, all. I know one can only have one sync agreement with an AD.
> However, is it possible to have a sync agreement with multiple ADs. We
> would like to synchronize the top of our tree with our main,
> multi-tenant AD and then synchronize lower levels of the domains with
> separate domains controlled by our clients. Thus, the same users and
> groups are synchronized to two different AD trees.
>
> As much as we dearly want this to work, I think it is asking for trouble
> as the GUID from AD is passed back to LDAP as part of the
> synchronization. Since these GUIDs will be different for the same user
> from different AD trees, is this a problem?
>
> I know that sounds a bit convoluted so let me give an example. I have a
> user Joe in LDAP. I synchronize him to MyAD so he is MyADJoe. I also
> synchronize him to TheirAD so he is also TheirADJoe. The GUID for MyAD
> Joe is different from the GUID for TheirADJoe even though it is the
> same LDAP Joe. Is that a problem? Thanks - John
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

John A. Sullivan III wrote:
> Hello, all. I know one can only have one sync agreement with an AD.
> However, is it possible to have a sync agreement with multiple ADs. We
> would like to synchronize the top of our tree with our main,
> multi-tenant AD and then synchronize lower levels of the domains with
> separate domains controlled by our clients. Thus, the same users and
> groups are synchronized to two different AD trees.
>
> As much as we dearly want this to work, I think it is asking for trouble
> as the GUID from AD is passed back to LDAP as part of the
> synchronization. Since these GUIDs will be different for the same user
> from different AD trees, is this a problem?
>
> I know that sounds a bit convoluted so let me give an example. I have a
> user Joe in LDAP. I synchronize him to MyAD so he is MyADJoe. I also
> synchronize him to TheirAD so he is also TheirADJoe. The GUID for MyAD
> Joe is different from the GUID for TheirADJoe even though it is the
> same LDAP Joe. Is that a problem? Thanks - John
>
Yes, the sync key is the ntUniqueID == AD objectGUID
Yes, it will be a problem, if you want the single account in RHDS to
sync to both accounts in AD.
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users