Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


07-03-2012, 04:45 PM
Orion Poplawski

Syncing AD groups and multiple (samba) domains

We are looking to sync our groups between our ldap server and an AD server.
Our LDAP server also serves a samba domain for one of our offices. As a
result we have Domain Admins and Domain Computers groups for the samba domain
that we don't want to conflict with the AD groups of the same names.


So it seems like we should move the samba domain groups into a different part
of the tree. But we would still want to have a common shared group area that
is visible by all. Any suggestions as to how to achieve this?


Thanks!

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
07-03-2012, 04:49 PM
Rich Megginson

Syncing AD groups and multiple (samba) domains

On 07/03/2012 10:45 AM, Orion Poplawski wrote:
> We are looking to sync our groups between our ldap server and an AD
> server. Our LDAP server also serves a samba domain for one of our
> offices. As a result we have Domain Admins and Domain Computers
> groups for the samba domain that we don't want to conflict with the AD
> groups of the same names.
>
> So it seems like we should move the samba domain groups into a
> different part of the tree. But we would still want to have a common
> shared group area that is visible by all. Any suggestions as to how
> to achieve this?

Unless AD stores these groups in a different place in the tree, not in
the scope of other groups, I don't think it is possible with 389.
Please file a ticket.

> Thanks!



07-03-2012, 04:59 PM
Orion Poplawski

Syncing AD groups and multiple (samba) domains

On 07/03/2012 10:49 AM, Rich Megginson wrote:
> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>> We are looking to sync our groups between our ldap server and an AD
>> server. Our LDAP server also serves a samba domain for one of our
>> offices. As a result we have Domain Admins and Domain Computers groups
>> for the samba domain that we don't want to conflict with the AD groups
>> of the same names.
>>
>> So it seems like we should move the samba domain groups into a
>> different part of the tree. But we would still want to have a common
>> shared group area that is visible by all. Any suggestions as to how to
>> achieve this?
>
> Unless AD stores these groups in a different place in the tree, not in
> the scope of other groups, I don't think it is possible with 389.
> Please file a ticket.

Filed here: https://fedorahosted.org/389/ticket/404

Not sure about components, etc or even the description. Please fix up as
needed. Thanks!


--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com


07-03-2012, 05:08 PM
Rich Megginson

Syncing AD groups and multiple (samba) domains

On 07/03/2012 10:59 AM, Orion Poplawski wrote:
> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>> We are looking to sync our groups between our ldap server and an AD
>>> server. Our LDAP server also serves a samba domain for one of our
>>> offices. As a result we have Domain Admins and Domain Computers
>>> groups for the samba domain that we don't want to conflict with the
>>> AD groups of the same names.
>>>
>>> So it seems like we should move the samba domain groups into a
>>> different part of the tree. But we would still want to have a common
>>> shared group area that is visible by all. Any suggestions as to how
>>> to achieve this?
>>
>> Unless AD stores these groups in a different place in the tree, not
>> in the scope of other groups, I don't think it is possible with 389.
>> Please file a ticket.
>
> Filed here: https://fedorahosted.org/389/ticket/404
>
> Not sure about components, etc or even the description. Please fix up
> as needed. Thanks!

Not to worry. Thanks!

07-05-2012, 09:52 PM
Orion Poplawski

Syncing AD groups and multiple (samba) domains

On 07/03/2012 10:49 AM, Rich Megginson wrote:
> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>> We are looking to sync our groups between our ldap server and an AD
>> server. Our LDAP server also serves a samba domain for one of our
>> offices. As a result we have Domain Admins and Domain Computers groups
>> for the samba domain that we don't want to conflict with the AD groups
>> of the same names.
>>
>> So it seems like we should move the samba domain groups into a
>> different part of the tree. But we would still want to have a common
>> shared group area that is visible by all. Any suggestions as to how to
>> achieve this?
>
> Unless AD stores these groups in a different place in the tree, not in
> the scope of other groups, I don't think it is possible with 389.
> Please file a ticket.

Is there some way to make a specific subtree (e.g.
ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree plus
entries (but not sub-trees) in the parent node (ou=Groups,dc=nwra,dc=com)?

That way the different domains could point to their specific sub-tree for
private entries but still share some. I guess the common directory doesn't
need to be the parent, which might make it easier.


--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com


07-05-2012, 09:57 PM
Rich Megginson

Syncing AD groups and multiple (samba) domains

On 07/05/2012 03:52 PM, Orion Poplawski wrote:
> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>> We are looking to sync our groups between our ldap server and an AD
>>> server. Our LDAP server also serves a samba domain for one of our
>>> offices. As a result we have Domain Admins and Domain Computers
>>> groups for the samba domain that we don't want to conflict with the
>>> AD groups of the same names.
>>>
>>> So it seems like we should move the samba domain groups into a
>>> different part of the tree. But we would still want to have a common
>>> shared group area that is visible by all. Any suggestions as to how
>>> to achieve this?
>>
>> Unless AD stores these groups in a different place in the tree, not
>> in the scope of other groups, I don't think it is possible with 389.
>> Please file a ticket.
>
> Is there some way to make a specific subtree (e.g.
> ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that
> sub-tree plus entries (but not sub-trees) in the parent node
> (ou=Groups,dc=nwra,dc=com)?

No, not that I know of. I suppose you could try doing an ldapmodrdn
operation to move those groups in the 389 side from ou=groups to ou=cora
- but I don't know what will happen if winsync tries to sync those
changes back to AD.

> That way the different domains could point to their specific sub-tree
> for private entries but still share some. I guess the common
> directory doesn't need to be the parent, which might make it easier.

Hmm - if you move them (as described above), you can't share them.

07-06-2012, 04:30 PM
Rich Megginson

Syncing AD groups and multiple (samba) domains

On 07/06/2012 10:30 AM, Orion Poplawski wrote:
> On 07/05/2012 03:57 PM, Rich Megginson wrote:
>> On 07/05/2012 03:52 PM, Orion Poplawski wrote:
>>> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>>>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>>>> We are looking to sync our groups between our ldap server and an
>>>>> AD server. Our LDAP server also serves a samba domain for one of
>>>>> our offices. As a result we have Domain Admins and Domain
>>>>> Computers groups for the samba domain that we don't want to
>>>>> conflict with the AD groups of the same names.
>>>>>
>>>>> So it seems like we should move the samba domain groups into a
>>>>> different part of the tree. But we would still want to have a
>>>>> common shared group area that is visible by all. Any suggestions
>>>>> as to how to achieve this?
>>>>
>>>> Unless AD stores these groups in a different place in the tree, not
>>>> in the scope of other groups, I don't think it is possible with
>>>> 389. Please file a ticket.
>>>
>>> Is there some way to make a specific subtree (e.g.
>>> ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that
>>> sub-tree plus entries (but not sub-trees) in the parent node
>>> (ou=Groups,dc=nwra,dc=com)?
>>
>> No, not that I know of. I suppose you could try doing an ldapmodrdn
>> operation to move those groups in the 389 side from ou=groups to
>> ou=cora - but I don't know what will happen if winsync tries to sync
>> those changes back to AD.
>>
>>> That way the different domains could point to their specific
>>> sub-tree for private entries but still share some. I guess the
>>> common directory doesn't need to be the parent, which might make it
>>> easier.
>>
>> Hmm - if you move them (as described above), you can't share them.
>
> I'm trying to implement it using aliases but that doesn't seem to be
> working. I created:
>
> dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=nwra,dc=com
> aliasedObjectName: ou=Groups,dc=nwra,dc=com
> objectClass: top
> objectClass: alias
>
> to try to link in the common Groups under a private subtree, but
> ldapsearch just returns the alias object instead of traversing to
> ou=Groups,dc=nwra,dc=com. This doesn't seem to be correct. Does
> 389-server support aliases?

No, 389 does not support aliases.

07-06-2012, 04:30 PM
Orion Poplawski

Syncing AD groups and multiple (samba) domains

On 07/05/2012 03:57 PM, Rich Megginson wrote:
> On 07/05/2012 03:52 PM, Orion Poplawski wrote:
>> On 07/03/2012 10:49 AM, Rich Megginson wrote:
>>> On 07/03/2012 10:45 AM, Orion Poplawski wrote:
>>>> We are looking to sync our groups between our ldap server and an AD
>>>> server. Our LDAP server also serves a samba domain for one of our
>>>> offices. As a result we have Domain Admins and Domain Computers
>>>> groups for the samba domain that we don't want to conflict with the
>>>> AD groups of the same names.
>>>>
>>>> So it seems like we should move the samba domain groups into a
>>>> different part of the tree. But we would still want to have a
>>>> common shared group area that is visible by all. Any suggestions as
>>>> to how to achieve this?
>>>
>>> Unless AD stores these groups in a different place in the tree, not
>>> in the scope of other groups, I don't think it is possible with 389.
>>> Please file a ticket.
>>
>> Is there some way to make a specific subtree (e.g.
>> ou=cora,ou=Groups,dc=nwra,dc=com) consist of entries in that sub-tree
>> plus entries (but not sub-trees) in the parent node
>> (ou=Groups,dc=nwra,dc=com)?
>
> No, not that I know of. I suppose you could try doing an ldapmodrdn
> operation to move those groups in the 389 side from ou=groups to
> ou=cora - but I don't know what will happen if winsync tries to sync
> those changes back to AD.
>
>> That way the different domains could point to their specific sub-tree
>> for private entries but still share some. I guess the common
>> directory doesn't need to be the parent, which might make it easier.
>
> Hmm - if you move them (as described above), you can't share them.

I'm trying to implement it using aliases but that doesn't seem to be working.
I created:

dn: aliasedobjectname=ou\3DGroups\2Cdc\3Dnwra\2Cdc\3Dcom,ou=Groups,dc=cora,dc=nwra,dc=com
aliasedObjectName: ou=Groups,dc=nwra,dc=com
objectClass: top
objectClass: alias

to try to link in the common Groups under a private subtree, but ldapsearch
just returns the alias object instead of traversing to
ou=Groups,dc=nwra,dc=com. This doesn't seem to be correct. Does 389-server
support aliases?


--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com


07-06-2012, 06:25 PM
Orion Poplawski

Syncing AD groups and multiple (samba) domains

On 07/06/2012 10:30 AM, Rich Megginson wrote:
> On 07/06/2012 10:30 AM, Orion Poplawski wrote:
>> Does 389-server support aliases?
>
> No, 389 does not support aliases.

I noticed you didn't say file a ticket this time

Ah well.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com


07-06-2012, 06:28 PM
Rich Megginson

Syncing AD groups and multiple (samba) domains

On 07/06/2012 12:25 PM, Orion Poplawski wrote:
> On 07/06/2012 10:30 AM, Rich Megginson wrote:
>> On 07/06/2012 10:30 AM, Orion Poplawski wrote:
>>> Does 389-server support aliases?
>>
>> No, 389 does not support aliases.
>
> I noticed you didn't say file a ticket this time

There already is a ticket - https://fedorahosted.org/389/ticket/152

> Ah well.



All times are GMT.