16.12. Modifying the Synchronization Agreement
16.12.1. Editing the Synchronization Agreement in the Console
- In the Configuration tab, expand the Replication folder.
- Expand the database being synchronized. All of the synchronization agreements are listed below the database. Double-click the sync agreement to open it in the main window.
Figure 16.7. Selecting the Synchronization Agreement
- Click the Connection tab.
Figure 16.8. The Connection tab
There are three areas of information that can be edited:
- The connection type (standard, TLS, and Start TLS).
- The bind user, both DN and password.
- Whether to sync new Directory Server users and new Directory Server groups automatically.
There are three options for the connection type — standard, TLS, and Start TLS — but there are really only two connection protocols, LDAP and LDAPS. Both a standard connection and a Start TLS connection use LDAP (Start TLS creates a secure connection over an insecure port).
It is not possible to change the connection protocol because it is not possible to change the port number used to connect to the Windows sync peer.
It is possible to change the connection type between the standard connection and Start TLS, but it is not possible to change from TLS to either the standard or Start TLS connections. Likewise, it is not possible to go from standard or Start TLS to TLS. If you need to change the connection protocol or the port number, delete the sync agreement and create a new one.
16.12.2. Adding and Editing the Synchronization Agreement in the Command Line
16.12.2.1. Creating a Basic Synchronization Agreement
- For the Directory Server database:
  - The synchronized subtree in the directory (nsds7DirectoryReplicaSubtree)
  - The Directory Server root DN (nsDS5ReplicaRoot)
- For the Active Directory domain:
  - The synchronized subtree in the Active Directory domain (nsds7WindowsReplicaSubtree)
  - The Active Directory domain name (nsds7WindowsDomain)
- The Active Directory host name, IPv4 address, or IPv6 address (nsDS5ReplicaHost).
- The Active Directory port (nsDS5ReplicaPort).
- The type of connection (nsDS5ReplicaTransportInfo), which can be standard (LDAP), TLS (SSL), or StartTLS (TLS), which is a secure connection over a standard port.
- The user name (nsDS5ReplicaBindDN) and password (nsDS5ReplicaCredentials) for the Directory Server to use to bind to the Active Directory server.
Using ldapmodify:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=replication_agreement_name,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: replication_agreement_name
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=Users,dc=ad1
nsDS5ReplicaCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
16.12.2.2. Setting Synchronization Schedules
The synchronization schedule is set in the nsds5replicaupdateschedule attribute. The Directory Server polls the Active Directory to check for changes; the frequency with which it checks the Active Directory server is set in the winSyncInterval attribute.
To set a schedule, use the nsds5replicaupdateschedule attribute. The schedule is set with start (SSSS) and end (EEEE) times in the form HHMM, using a 24-hour clock. The days on which to schedule sync updates are given as a list of day numbers ranging from 0 (Sunday) to 6 (Saturday).
nsds5replicaupdateschedule: SSSS EEEE DDDDDDD
nsds5replicaupdateschedule: 1200 1400 0246
Note
A schedule cannot wrap around midnight, because the end time must come after the start time on the same day, so the setting 2300 0100 is not valid.
The polling frequency is set in the winSyncInterval attribute. This attribute is set in seconds, so the default of 300 means that the Directory Server polls the Active Directory server every 300 seconds, or five minutes. Setting this to a higher value can be useful if the directory searches are taking too long and affecting performance.
winSyncInterval: 1000
16.12.2.3. Changing Synchronization Connections
The following connection settings of a synchronization agreement can be changed:
- The bind user name and password (nsDS5ReplicaBindDN and nsDS5ReplicaCredentials).
- The connection method (nsDS5ReplicaTransportInfo).
It is only possible to change the nsDS5ReplicaTransportInfo from LDAP to TLS and vice versa. It is not possible to change to or from SSL because it is not possible to change the port number, and switching between LDAP and LDAPS requires changing the port number.
nsDS5ReplicaBindDN: cn=sync user,cn=Users,dc=ad1
nsDS5ReplicaCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
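The schedule format from Section 16.12.2.2 and the transport-change rule just described are easy to get wrong in a hand-written LDIF, and ldapmodify will not check the second one for you. The following pre-check is an added example, not Directory Server code or part of this guide; it assumes the three nsDS5ReplicaTransportInfo values named on this page (LDAP, TLS, SSL) and that the schedule's end time must be later than its start time on the same day, which is the reason the page gives 2300 0100 as invalid.

```python
import re

# Constructed helper: checks the values an administrator is about to push
# with ldapmodify against the rules this section states. Not part of
# Directory Server; the "end must be after start" rule is an assumption
# drawn from the page's example of an invalid schedule (2300 0100).
_SCHEDULE_RE = re.compile(r"^(\d{4}) (\d{4}) ([0-6]{1,7})$")


def validate_schedule(value: str) -> list[str]:
    """Problems in an nsds5replicaupdateschedule value 'SSSS EEEE DDDDDDD';
    an empty list means the value is valid. Times are HHMM on a 24-hour
    clock, days are digits 0 (Sunday) to 6 (Saturday)."""
    m = _SCHEDULE_RE.match(value.strip())
    if not m:
        return ["expected 'SSSS EEEE DDDDDDD' with days 0-6, e.g. '1200 1400 0246'"]
    start, end, _days = m.groups()
    problems = []
    for label, hhmm in (("start", start), ("end", end)):
        if int(hhmm[:2]) > 23 or int(hhmm[2:]) > 59:
            problems.append(f"{label} time {hhmm} is not a valid HHMM time")
    # HHMM strings compare correctly as text; a schedule cannot wrap midnight.
    if not problems and end <= start:
        problems.append(f"end {end} is not after start {start}; cannot wrap around midnight")
    return problems


def transport_change_allowed(current: str, proposed: str) -> bool:
    """nsDS5ReplicaTransportInfo may switch between LDAP and TLS (StartTLS);
    SSL (LDAPS) needs a different port, so it cannot be switched to or from."""
    cur, new = current.upper(), proposed.upper()
    if cur not in ("LDAP", "TLS", "SSL") or new not in ("LDAP", "TLS", "SSL"):
        raise ValueError(f"unknown transport value: {current!r} -> {proposed!r}")
    return cur == new or "SSL" not in (cur, new)


def check_modify(current_transport: str, ldif: str) -> list[str]:
    """Scan the 'attr: value' lines of a modify LDIF and report violations
    of the two rules above; other attributes are passed through unchecked."""
    problems = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or attr in ("dn", "changetype", "add", "replace", "delete"):
            continue  # LDIF framing lines and the "-" separator
        if attr == "nsds5replicaupdateschedule":
            problems += validate_schedule(value)
        elif attr == "nsds5replicatransportinfo" and not transport_change_allowed(current_transport, value):
            problems.append(f"cannot change transport {current_transport} -> {value}; "
                            "delete the agreement and create a new one")
    return problems
```

Run check_modify with the agreement's current nsDS5ReplicaTransportInfo value and the LDIF text before feeding the same text to ldapmodify.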
Warning
16.12.2.4. Handling Entries That Move Out of the Synchronized Subtree
Entries are matched between the two directories on the samAccount attribute in the Active Directory and the uid attribute in Directory Server. The synchronization plug-in notes if an entry (based on the samAccount/uid relationship) is removed from the synchronized subtree, either because it is deleted or moved. That is the signal to the synchronization plug-in that the entry is no longer to be synchronized.
Note
For example, a user with the samAccount ID of jsmith was created in the ou=Employees subtree on Active Directory. The synchronized subtree is ou=Users, so the jsmith user was never synchronized over to Directory Server.

Figure 16.9. Active Directory Tree
In earlier versions, the synchronization plug-in assumed that entries which have a corresponding Directory Server entry (based on the samAccount/uid relationship) but are outside the synchronized subtree were intentionally moved outside the synchronized subtree — essentially, a rename operation. The assumption then was that the "corresponding" Directory Server entry should be deleted.

Figure 16.10. Active Directory and Directory Server Trees Compared
The winSyncMoveAction attribute for the synchronization agreement sets instructions on how to handle these moved entries:
- none takes no action, so if a synchronized Directory Server entry exists, it may be synchronized over to or create an Active Directory entry within scope. If no synchronized Directory Server entry exists, nothing happens at all (this is the default behavior in Directory Server version 9.1 and later).
- unsync removes any sync-related attributes (ntUser or ntGroup) from the Directory Server entry but otherwise leaves the Directory Server entry intact.
Important
There is a risk when unsyncing entries that the Active Directory entry may be deleted at a later time, and the Directory Server entry will be left intact. This can create data inconsistency issues, especially if the Directory Server entry is ever used to recreate the entry on the Active Directory side later.
- delete deletes the corresponding entry on the Directory Server side, regardless of whether it was ever synchronized with Active Directory (this was the default behavior in 9.0).
Important
You almost never want to delete a Directory Server entry without deleting the corresponding Active Directory entry. This option is available only for compatibility with Directory Server 9.0 systems.
To change the behavior from the default of none, edit the synchronization agreement to add the winSyncMoveAction attribute. Using ldapmodify:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=replication_agreement_name,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: winSyncMoveAction
winSyncMoveAction: unsync