389 Directory Server has the capability to synchronize with Active Directory, but this capability is not perfect. Below I discuss the problems you may encounter when using the synchronization feature.
The Last Name is required in 389 Directory Server, so make sure all users have it in Active Directory.
Active Directory user passwords can only be replicated to 389 Directory Server by installing the PassSync utility, which captures password changes before they are stored in hashed form. This is the only way to get a user's password out of Active Directory.
The PassSync utility does not work on the 64-bit versions of Windows Server. It also stores the passwords used to authenticate with 389 Directory Server and the certificate database unencrypted in the registry.
Organizational Units, like Accounting, Domain Controllers and Sales and Marketing in the screen shot, are not automatically synchronized. Every time you create a new one in Active Directory, you need to manually create the same one in Fedora Directory Server to synchronize its contents.
Containers, like Computers and Users in the screen shot, are similar to Organizational Units but use a different distinguished name: the relative distinguished name is CN=name instead of OU=name.
To create an organizational unit with the same naming convention, you have to extend the FDS schema. You can use the setupusers.sh script to create the Users organizational unit for you. Just type in ./setupusers.sh "dc=acme,dc=local" to automatically create the Users container in FDS. Replace "dc=acme,dc=local" with your own base DN.
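Two of the problems above (users without a Last Name, and OUs or containers that exist only on the Active Directory side) can be caught before you turn synchronization on by comparing LDIF exports of both directories. The script below is an added example and is not part of the original post or of the setupusers.sh script; it uses only the Python standard library, the LDIF samples in it are constructed, and the object class used for the DS-side cn=Users entry is a placeholder (the real one depends on the schema extension the post mentions).

```python
"""Pre-sync sanity check for a 389 DS / Active Directory synchronization.

Added example (not from the original post). It parses two LDIF exports and
reports user entries with no Last Name (sn), which 389 Directory Server
requires, and AD organizational units or containers that have no
counterpart entry on the 389 DS side and so would not be synchronized.
"""
import base64
from collections import defaultdict

# Constructed sample export of the AD domain (not real data).
AD_LDIF = """\
dn: DC=acme,DC=local
objectClass: domainDNS

dn: OU=Accounting,DC=acme,DC=local
objectClass: organizationalUnit
ou: Accounting

dn: OU=Sales and Marketing,DC=acme,DC=local
objectClass: organizationalUnit
ou: Sales and Marketing

dn: CN=Users,DC=acme,DC=local
objectClass: container
cn: Users

dn: CN=Computers,DC=acme,DC=local
objectClass: container
cn: Computers

dn: CN=Jane Doe,CN=Users,DC=acme,DC=local
objectClass: user
sAMAccountName: jdoe
givenName: Jane
sn: Doe

dn: CN=Max Mueller,CN=Users,DC=acme,DC=local
objectClass: user
sAMAccountName: mmueller
sn:: TcO8bGxlcg==

dn: CN=helpdesk,OU=Accounting,DC=acme,DC=local
objectClass: user
sAMAccountName: helpdesk
givenName: Help
 desk
"""

# Constructed sample export of the 389 DS suffix; only Accounting and the
# cn=Users container created by setupusers.sh exist here. The object class of
# cn=Users is a placeholder: the real one comes from the schema extension.
DS_LDIF = """\
dn: dc=acme,dc=local
objectClass: domain

dn: ou=Accounting,dc=acme,dc=local
objectClass: organizationalUnit
ou: Accounting

dn: cn=Users,dc=acme,dc=local
objectClass: top
cn: Users
"""


def parse_ldif(text):
    """Return a list of entries, each a dict {attr_lowercase: [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ('attr:: value'); comment and version lines are ignored.
    """
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    return entries


def rdn_of(dn):
    """Split 'OU=Sales,DC=acme,DC=local' into ('ou', 'sales')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip().lower()


def users_missing_sn(entries):
    """DNs of person-type entries that have no sn (Last Name)."""
    person_classes = {"user", "person", "organizationalperson", "inetorgperson"}
    return [e["dn"][0] for e in entries
            if {c.lower() for c in e.get("objectclass", [])} & person_classes
            and not e.get("sn")]


def unsynced_containers(ad_entries, ds_entries):
    """AD OUs/containers whose RDN value has no OU= or CN= entry in DS.

    Matching is by RDN value only, because an AD 'CN=Users' container is
    mirrored on the DS side by a CN-named entry while ordinary OUs keep OU=.
    """
    ds_names = {rdn_of(e["dn"][0])[1] for e in ds_entries
                if rdn_of(e["dn"][0])[0] in ("ou", "cn")}
    container_classes = {"organizationalunit", "container"}
    return [e["dn"][0] for e in ad_entries
            if {c.lower() for c in e.get("objectclass", [])} & container_classes
            and rdn_of(e["dn"][0])[1] not in ds_names]


if __name__ == "__main__":
    ad, ds = parse_ldif(AD_LDIF), parse_ldif(DS_LDIF)
    for dn in users_missing_sn(ad):
        print("missing Last Name:", dn)
    for dn in unsynced_containers(ad, ds):
        print("not present in 389 DS:", dn)
```

Run it against real exports by replacing the two sample strings with the output of an LDIF export from each directory; anything it lists for the first check must be fixed in Active Directory, and anything in the second check needs the matching OU or container created in FDS before it will synchronize.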
Visit the forum to ask for help or to give a comment.
Posted on 2/19/2009 and last updated on 11/6/2009
Filed under 389 Directory Server , Active Directory