12.7. Synchronizing POSIX Attributes for Users and Groups
A subset of all possible user and group attributes are synchronized between Active Directory and Red Hat Directory Server. Some attributes are mapped, where there are differences between the Active Directory and Directory Server schemas, and some attributes are matched directly. The attributes (matched and mapped) which are synchronized are listed in Section 12.4.1, “User Attributes Synchronized between Directory Server and Active Directory” and Section 12.5.2, “Group Attributes Synchronized between Directory Server and Active Directory”.
By default, only those attributes are synchronized.
One type of attribute that is missing from that sync list is any POSIX-related attribute. On Linux systems, system users and groups are identified as POSIX entries, and LDAP POSIX attributes contain that required information. However, when Windows users are synced over, they have ntUser and ntGroup attributes automatically added which identify them as Windows accounts, but no POSIX attributes are synced over (even if they exist on the Active Directory entry) and no POSIX attributes are added on the Directory Server side.
The Posix Winsync API Plug-in synchronizes POSIX attributes between Active Directory and Directory Server entries.
Note
All POSIX attributes (such as uidNumber, gidNumber, and homeDirectory) are synchronized between Active Directory and Directory Server entries. However, if a new POSIX entry or POSIX attributes are added to an existing entry in the Directory Server, only the POSIX attributes are synchronized over to the corresponding Active Directory entry. The POSIX object class (posixAccount for users and posixGroup for groups) is not added to the Active Directory entry.
12.7.1. Enabling POSIX Attribute Sync
The Posix Winsync API Plug-in is disabled by default and must be enabled for POSIX attributes to be synchronized from Active Directory user and group entries to the corresponding Directory Server entries.
- Set the nsslapd-pluginEnabled attribute to on.

  ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
  dn: cn=Posix Winsync API,cn=plugins,cn=config
  changetype: modify
  replace: nsslapd-pluginEnabled
  nsslapd-pluginEnabled: on
  Note
  The precedence must be below 50 so that the Posix sync plug-in is loaded first. In the default configuration, the precedence is 25, and this value can remain the same in most deployments.
- Restart the Directory Server to load the new configuration.
service dirsrv restart instance_name
12.7.2. Changing Posix Group Attribute Sync Settings
There are multiple plug-in attributes that can be set to control how the POSIX group attributes and group members are synced from the Active Directory entry to the corresponding Directory Server group and user entries. For details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
The defaults can be used for most deployments, but the settings can be changed depending on the Active Directory environment. For example, to enable nested group mappings:
- Use ldapmodify to change the attribute to the appropriate setting:

  # ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
  dn: cn=Posix Winsync API,cn=plugins,cn=config
  changetype: modify
  replace: posixWinsyncMapNestedGrouping
  posixWinsyncMapNestedGrouping: true
- Restart the Directory Server to load the new configuration.
12.7.3. Changing to Older Versions of Windows Posix Attributes
By default, the Posix Winsync API Plug-in uses Posix schema for modern Active Directory servers: 2005, 2008, and later versions. There are slight differences between the modern Active Directory Posix schema and the Posix schema used by Windows Server 2003 and older Windows servers. If an Active Directory domain is using the older-style schema, then the Posix Winsync API Plug-in can be configured to use the older Microsoft System Services for Unix 3.0 (msSFU30) schema.
To switch to Windows 2003-style Posix schema:
- Use ldapmodify to change the posixWinsyncMsSFUSchema attribute to true.

  ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
  dn: cn=Posix Winsync API,cn=plugins,cn=config
  changetype: modify
  replace: posixWinsyncMsSFUSchema
  posixWinsyncMsSFUSchema: true
- Restart the Directory Server to load the new configuration.
service dirsrv restart instance_name
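As an added check (example code, not part of the Red Hat documentation or of the plug-in itself), the following parses the plug-in's configuration entry as exported with ldapsearch and verifies what the three procedures above depend on: the plug-in is enabled, its precedence is below 50, and which of the optional switches (posixWinsyncMapNestedGrouping, posixWinsyncMsSFUSchema) are in effect. The precedence attribute name nsslapd-pluginPrecedence and the sample entry are assumptions, not values taken from this page.

```python
# Added example, not from the Red Hat documentation: offline audit of the
# Posix Winsync API plug-in entry (as exported with ldapsearch -LLL) against
# the conditions above. The attribute name nsslapd-pluginPrecedence is assumed.

# Constructed sample entry, shaped like the output after the steps above.
SAMPLE_LDIF = """\
dn: cn=Posix Winsync API,cn=plugins,cn=config
cn: Posix Winsync API
nsslapd-pluginEnabled: on
nsslapd-pluginPrecedence: 25
posixWinsyncMapNestedGrouping: true
posixWinsyncMsSFUSchema: false
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    LDAP attribute names are case-insensitive, and LDIF folds long values
    onto continuation lines starting with a single space; both are handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def audit_posix_winsync(ldif_text):
    """Return (findings, settings): findings lists deviations from the
    procedure above (empty means compliant); settings reports which optional
    POSIX sync switches are in effect (off unless explicitly 'true')."""
    entry = parse_ldif_entry(ldif_text)
    findings = []
    enabled = entry.get("nsslapd-pluginenabled", ["off"])[0].lower()
    if enabled != "on":
        findings.append("plug-in disabled (nsslapd-pluginEnabled: %s)" % enabled)
    prec = entry.get("nsslapd-pluginprecedence", [None])[0]
    if prec is None or not prec.isdigit() or int(prec) >= 50:
        findings.append("precedence %r is not below 50, so the plug-in may "
                        "not load before the Windows sync plug-in" % prec)
    settings = {}
    for attr in ("posixWinsyncMapNestedGrouping", "posixWinsyncMsSFUSchema"):
        value = entry.get(attr.lower(), ["false"])[0].lower()
        settings[attr] = value == "true"
    return findings, settings
```

Feed it the real entry with `ldapsearch -LLL -x -D "cn=directory manager" -W -b "cn=Posix Winsync API,cn=plugins,cn=config"` to confirm the change took effect after the restart.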
