12.4. Synchronizing Users
- Users in the Active Directory domain are synced if it is configured in the sync agreement by selecting the Sync New Windows Users option. All of the Windows users are copied to the Directory Server when synchronization is initiated and then new users are synced over when they are created.
- A Directory Server user account is synchronized to Active Directory through specific attributes that are present on the Directory Server entry. Any Directory Server entry must have the
ntUserobject class and the
ntUserCreateNewAccountattribute (even on an existing entry) signals Directory Server Win Syn to write the entry over to the Active Directory server.New or modified user entries with the
ntUserobject class added are created and synced over to the Windows machine at the next regular update, which is a standard poll of entry.
- ntUserDomainId. This corresponds to the
sAMAccountNameattribute for Active Directory entries.
- ntUniqueId. This contains the value of the
objectGUIDattribute for the corresponding Windows entry. This attribute is set by the synchronization process and should not be set or modified manually.
- ntUserDeleteAccount. This attribute is set automatically when a Windows entry is synced over but must be set manually for Directory Server entries. If
ntUserDeleteAccounthas the value
true, the corresponding Windows entry be deleted when the Directory Server entry is deleted. Otherwise, the entry remains in Active Directory, but is removed from the Directory Server database if it is deleted in the Directory Server.
ntUserDeleteAccounton Directory Server entries allows the Directory Manager precise control over which users within the synchronized subtree are synced on Active Directory.
12.4.1. User Attributes Synchronized between Directory Server and Active Directory
Table 12.2. User Schema Mapped between Directory Server and Active Directory
|Directory Server||Active Directory|
Table 12.3. User Schema That Are the Same in Directory Server and Windows Servers
12.4.2. User Schema Differences between Red Hat Directory Server and Active Directory
188.8.131.52. Values for cn Attributes
cnattribute can be multi-valued, while in Active Directory this attribute must have only a single value. When the Directory Server
cnattribute is synchronized, then, only one value is sent to the Active Directory peer.
cnvalue is added to an Active Directory entry and that value is not one of the values for
cnin Directory Server, then all of the Directory Server
cnvalues are overwritten with the single Active Directory value.
cnattribute attribute as its naming attribute, where Directory Server uses
uid. This means that there is the potential to rename the entry entirely (and accidentally) if the
cnattribute is edited in the Directory Server. If that
cnchange is written over to the Active Directory entry, then the entry is renamed, and the new named entry is written back over to Directory Server.
184.108.40.206. Password Policies
220.127.116.11. Values for street and streetAddress
streetAddressfor a user or group's postal address; this is the way that Directory Server uses the
streetattribute. There are two important differences in the way that Active Directory and Directory Server use the
- In Directory Server,
streetAddressis an alias for
street. Active Directory also has the
streetattribute, but it is a separate attribute that can hold an independent value, not an alias for
- Active Directory defines both
streetas single-valued attributes, while Directory Server defines
streetas a multi-valued attribute, as specified in RFC 4519.
streetattributes, there are two rules to follow when setting address attributes in Active Directory and Directory Server:
- Windows Sync maps
streetAddressin the Windows entry to
streetin Directory Server. To avoid conflicts, the
streetattribute should not be used in Active Directory.
- Only one Directory Server
streetattribute value is synced to Active Directory. If the
streetAddressattribute is changed in Active Directory and the new value does not already exist in Directory Server, then all
streetattribute values in Directory Server are replaced with the new, single Active Directory value.
18.104.22.168. Constraints on the initials Attribute
initialsattribute, Active Directory imposes a maximum length constraint of six characters, but Directory Server does not have a length limit. If an
initialsattribute longer than six characters is added to Directory Server, the value is trimmed when it is synchronized with the Active Directory entry.
12.4.3. Configuring User Sync for Directory Server Users
22.214.171.124. Configuring User Sync in the Console
- In the Directory Server Console, select the Directory tab.
- For an existing entry, right-click the entry, and click Properties to open the property editor for the entry.For a new entry, right-click the main entry in the left window to add the new entry, select User, and then fill in the required entry attributes.
- On the left side of the Property Editor, click the NT User link.
- In the NT User tab, check the Enable NT Attributes check box.
- To enable synchronization, two fields are required:
- Setting a NT User ID
- Selecting the Create New NT Account check box
- Selecting the Delete NT Account check box means that the corresponding Windows user is deleted if the Directory Server entry is deleted.
- Set the other Windows attributes. These attributes are mapped to relevant Windows attributes.Additional
ntUserattributes can be created either by using the button; see Section 126.96.36.199, “Modifying Entries Using ldapmodify”.
188.8.131.52. Configuring User Sync in the Command Line
ntUserDomainIdattribute, to give the Windows ID
ntUserCreateNewAccountattribute, to signal to the synchronization plug-in to sync the Directory Server entry over to Active Directory
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x dn: uid=scarter,ou=People,dc=example,dc=com changetype: modify add: objectClass objectClass:ntUser add: ntUserDomainId ntUserDomainId: Sam Carter add: ntUserCreateNewAccount ntUserCreateNewAccount: true add: ntUserDeleteAccount ntUserDeleteAccount: true
ntUserobject class, are described in more detail in the Red Hat Directory Server 9 Configuration, Command, and File Reference.
12.4.4. Configuring User Sync for Active Directory Users
184.108.40.206. Configuring User Sync in the Console
- Open the Configuration tab and expand the Replication folder.
- Open the appropriate database, and select the sync agreement.
- Open the Connection tab.
- Check the New Windows User Sync check box to enable users sync. To disable sync, uncheck the box.
220.127.116.11. Configuring User Sync in the Command Line
nsds7NewWinUserSyncEnabledand is set on the sync agreement. To enable user sync, add this attribute to the sync agreement or create a sync agreement with this attribute set to
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x dn: cn=ExampleSyncAgreement,cn=userRoot,cn=dc=example\,dc=com,cn=mapping tree,cn=config changetype: modify replace: nsds7NewWinUserSyncEnabled nsds7NewWinUserSyncEnabled: on