Miguel Angel Coa M. wrote:
> Rob,
> My idea with the A/D group is to centralize the users for winsync, because
> some are in one OU and others are in others (but I see this isn't possible)
> 
> eg.
> 
> Example2.com  <-- Domain root
> Builtin <-- Default 
> .....
> .....
> Users  <-- Default users  -> base search (CN=users,DC=example2, DC=com)
> .....
> Area01  <-- Custom OU where I have some users to sync --> base search
> (OU=area01,DC=example2, DC=com)
> Area02 <-- Custom OU where I have other users to sync --> base search
> (OU=area02,DC=example2, DC=com)
> Area03 <-- Custom OU where I have other users to sync --> base
> search (OU=area03,DC=example2, DC=com)
> ......
> AreaXX <-- Custom OU where I have other users to sync  --> base
> search (OU=areaXX,DC=example2, DC=com)
> 
> 
> In my case, what could I do?

Right, moving all the users to a custom OU or otherwise separate subtree
would be the only way to do it AFAIK.

rob

> 
> 
> Thanks.
> 
> 
> Regards.
> ---
> Miguel Coa M.
> 
> 2017-10-25 18:42 GMT-03:00 Rob Crittenden <rcrit...@redhat.com>:
> 
>     Miguel Angel Coa M. wrote:
>     > Hi Rob,
>     > CN=LAB is a group entry, and inside it I have a few members
>     >
>     > [.................]
>     > # LAB, Users, example2.com
>     > dn: CN=LAB,CN=Users,DC=example2,DC=com
>     > objectClass: top
>     > objectClass: group
>     > cn: LAB
>     > description: Usuario de grupo LAB
>     > member: CN=winuser64,CN=Users,DC=example2,DC=com
>     > member: CN=winuserlab2 userlab2,OU=Test,DC=example2,DC=com
>     > member: CN=winuser40 winuser40,OU=Test,DC=example2,DC=com
>     > member: CN=winuserlab1 userlab1,OU=Test,DC=example2,DC=com
>     > distinguishedName: CN=LAB,CN=Users,DC=example2,DC=com
>     > instanceType: 4
>     > whenCreated: 20171023203927.0Z
>     > whenChanged: 20171024203108.0Z
>     > uSNCreated: 49193
>     > uSNChanged: 61493
>     > name: LAB
>     > objectGUID:: gQBcEwVqHU+L3DmmZPVFFw==
>     > objectSid:: AQUAAAAAAAUVAAAAguTkYzspTdFQ0vfEWwQAAA==
>     > sAMAccountName: LAB
>     > sAMAccountType: 268435456
>     > groupType: -2147483640
>     > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example2,DC=com
>     > dSCorePropagationData: 16010101000000.0Z
> 
>     That's why. winsync syncs against a subtree, not members of a group.
> 
>     rob
> 
>     > [.................]
>     >
>     >
>     > Regards.
>     >
>     >
>     >
>     >
>     > Regards.
>     > ---
>     > Miguel Coa M.
>     >
>     > 2017-10-25 17:28 GMT-03:00 Rob Crittenden <rcrit...@redhat.com>:
>     >
>     >     Miguel Angel Coa M. via FreeIPA-users wrote:
>     >     > Hello Everyone,
>     >     > I've set up an IPA server connected with AD (Windows Server
>     >     > 2012R2) and it works fine, but I need to change the sub-tree
>     >     > for user sync and this step fails (it does not sync anything).
>     >     > For example, when I sync against the default base it is OK
>     >     >
>     >     > [.................]
>     >     > CN=Users,DC=example2,dc=com
>     >     > [.................]
>     >     >
>     >     > [.................]
>     >     > nsds7WindowsReplicaSubtree: CN=Users,DC=example2,DC=com
>     >     > [.................]
>     >     >
>     >     >
>     >     > But when I try to change the base, it does not sync anything
>     >     >
>     >     > [.................]
>     >     > CN=LAB,CN=Users,DC=example2,dc=com
>     >     > [.................]
>     >     >
>     >     > where LAB is an AD group. Is it possible to sync against an AD group?
>     >
>     >     IIRC winsync looks for entries that match objectclass=ntuser.
>     >     Is CN=LAB literally a group entry or a subtree?
>     >
>     >     rob
>     >
>     >
> 
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
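
The point made in the replies above (winsync is scoped to a subtree, while a group's `member` values only point at entries stored elsewhere in the tree), as an added example that is not part of the original thread and is not FreeIPA code. The member DNs are copied from the group entry quoted in the thread; the function names are assumptions made for illustration.

```python
# Member DNs copied from the CN=LAB group entry quoted in the thread.
GROUP_DN = "CN=LAB,CN=Users,DC=example2,DC=com"
MEMBERS = [
    "CN=winuser64,CN=Users,DC=example2,DC=com",
    "CN=winuserlab2 userlab2,OU=Test,DC=example2,DC=com",
    "CN=winuser40 winuser40,OU=Test,DC=example2,DC=com",
    "CN=winuserlab1 userlab1,OU=Test,DC=example2,DC=com",
]

def rdns(dn):
    """Split a DN into RDN strings, honoring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts]

def norm(dn):
    """Case-insensitive (attribute, value) pairs used for comparison."""
    return [tuple(x.strip().lower() for x in r.split("=", 1)) for r in rdns(dn)]

def is_under(entry_dn, base_dn):
    """True if entry_dn sits at or below base_dn in the directory tree."""
    e, b = norm(entry_dn), norm(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b

def covered(members, base_dn):
    """Members that a subtree-scoped sync rooted at base_dn can reach."""
    return [m for m in members if is_under(m, base_dn)]

def parent_containers(members):
    """Containers that actually hold the member entries."""
    return sorted({",".join(rdns(m)[1:]) for m in members})

if __name__ == "__main__":
    for base in (GROUP_DN, "CN=Users,DC=example2,DC=com", "OU=Test,DC=example2,DC=com"):
        print(f"{base}: {len(covered(MEMBERS, base))} of {len(MEMBERS)} members in scope")
    print("containers holding the members:", parent_containers(MEMBERS))
```

With the group DN as the base, no member is in scope, and the members turn out to live in two different containers, which is why a single subtree cannot stand in for the group.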