[Fedora-directory-users] syncing a group's uniquemember attributes

David Boreham david at bozemanpass.com
Thu Sep 8 02:30:26 UTC 2005


Robert Brophy wrote:

>While syncing from Fedora-DS to Active Directory, it
>looks like the only way to sync the uniquemember
>attribute of a group is to have the members in the
>same OU as the group.
>
>Is that correct?
>  
>
Not quite. First, only group entries that are within the scope
of the sync agreement are sync'ed. This allows the administrator
to select which groups should be sync'ed on a subtree basis.
However it covers all descendant entries of a given container, not
just the immediate children. Similarly, only those members of a
group that are also within the scope of the agreement are sync'ed
(the uniquemember attribute values corresponding to their entries
are sync'ed with the member attribute values on the AD side).
This is done to prevent surprises that would follow from having
a member of a group that doesn't exist within the local Directory.

So, provided you can arrange for your sync'ed users and the
sync'ed groups to live under a common DIT node, you should
be happy.

e.g. sync everything under o=mycompany, which would
include ou=people, o=mycompany and ou=groups, o=mycompany.

The only thing to watch is that the sync code will _not_
automatically create container entries (e.g. ou=groups, o=mycompany
in the example above). You need to create those in advance manually.

There are a number of other possible ways to control the sync
process that can be imagined (e.g. filter the entries as well as
restrict which container they come from; allow mapping of the
DIT structure from one side to the other). If you have
a use for any extra flexibility like this please speak up (or write
code !) because future releases will almost certainly have some
enhanced flexibility in this area.
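To see how the scoping rule above plays out before running a sync, here is an added example (not from the original thread or from the Fedora DS sync code) that predicts, for a constructed set of groups, which uniquemember values would be carried across and which container entries would have to be created in advance. The DN handling is a deliberate simplification that ignores escaped commas and multi-valued RDNs.

```python
# Added example: models the subtree-scoping rule of a sync agreement.
# Everything here is constructed for illustration; it is not Fedora DS code.

def normalize(dn):
    """Lower-case and trim each RDN (simplified; ignores DN escaping)."""
    return ",".join(c.strip().lower() for c in dn.split(","))

def in_scope(dn, base):
    """True when dn is base itself or any descendant of base (whole subtree)."""
    d, b = normalize(dn), normalize(base)
    return d == b or d.endswith("," + b)

def parent_dn(dn):
    """Immediate parent of dn, or '' for a top-level entry."""
    return normalize(dn).split(",", 1)[1] if "," in dn else ""

def plan_group_sync(groups, base, existing_containers):
    """Return ({group_dn: (members_kept, members_dropped)}, missing_containers).

    Groups outside `base` are ignored entirely; for groups inside it, only
    members that are themselves inside `base` are kept. Parents of every
    entry that would be sync'ed must already exist on the far side, since
    the sync will not create them; those not in `existing_containers` are
    reported so the administrator can pre-create them."""
    existing = {normalize(c) for c in existing_containers}
    plan, missing = {}, set()
    for gdn, members in groups.items():
        if not in_scope(gdn, base):
            continue
        kept = [m for m in members if in_scope(m, base)]
        dropped = [m for m in members if not in_scope(m, base)]
        plan[gdn] = (kept, dropped)
        for entry in [gdn] + kept:
            p = parent_dn(entry)
            if p and p not in existing:
                missing.add(p)
    return plan, sorted(missing)

# Constructed sample data: one group under o=mycompany with one member
# outside the scope, and one group that is outside the scope altogether.
GROUPS = {
    "cn=admins,ou=groups,o=mycompany": ["uid=alice,ou=people,o=mycompany",
                                        "uid=bob,ou=contractors,o=partner"],
    "cn=outside,ou=other,o=partner": ["uid=alice,ou=people,o=mycompany"],
}
CONTAINERS = ["o=mycompany", "ou=people,o=mycompany"]  # ou=groups not yet made

if __name__ == "__main__":
    plan, missing = plan_group_sync(GROUPS, "o=mycompany", CONTAINERS)
    for gdn, (kept, dropped) in plan.items():
        print(gdn, "-> kept:", kept, "dropped:", dropped)
    print("containers to create first:", missing)
```

Members reported as dropped silently vanish from the AD group, so the dropped list is worth reviewing as an access-control check before enabling the agreement.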