389 Directory Server has the capability to synchronize with Active Directory, but the synchronization is not perfect. Below I discuss the problems you may encounter when using it.


[Screenshot: User Bugs Bunny]

The Last Name is required in 389 Directory Server, so make sure every user in Active Directory has one.

User Passwords

[Screenshot: Reset User Password]

Active Directory user passwords can only be replicated to 389 Directory Server by installing the PassSync utility, which captures password changes before they are stored in hashed form. This is the only way to get a user's password out of Active Directory.

The PassSync utility does not work on 64-bit versions of Windows Server. It also stores the passwords it uses for 389 Directory Server authentication and for the certificate database unencrypted in the registry.

Organizational Units

[Screenshot: Active Directory Users and Computers]

Organizational Units, such as Accounting, Domain Controllers, Engineering, and Sales and Marketing in the screenshot, are not synchronized automatically. Every time you create a new one in Active Directory, you must manually create the same organizational unit in Fedora Directory Server before its contents will synchronize.


[Screenshot: Active Directory Users and Computers]

Containers, such as Computers, ForeignSecurityPrincipals, and Users in the screenshot, are similar to Organizational Units but use a different distinguished name.

[Screenshot: ADSI Edit]

Their relative distinguished name is CN=name instead of OU=name.

[Screenshot: Fedora Management Console]

To create an organizational unit with the same naming convention, you have to extend the FDS schema.

You can use the setupusers.sh script to create the Users container for you. Just run ./setupusers.sh "dc=acme,dc=local" to create the Users container in FDS automatically. Replace "dc=acme,dc=local" with your own base DN.
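Because every OU and container has to be mirrored by hand, it helps to generate the 389 DS entries from the AD distinguished names rather than typing them. The script below is an added example, not code from the original post, from 389 Directory Server or from the setupusers.sh script. It keeps OU=name RDNs as organizationalUnit entries and CN=name RDNs as container entries, orders parents before children, and emits LDIF for ldapadd. The sample AD DNs are constructed, and the nsContainer object class used for containers is an assumption: the post says the FDS schema has to be extended for CN= containers, so pass whatever class your extended schema defines.

```python
import base64
import re

AD_BASE = "DC=acme,DC=local"   # constructed: the AD domain's base DN
DS_BASE = "dc=acme,dc=local"   # the base DN used in the post's setupusers.sh call

# Constructed sample of what an administrator would copy out of ADSI Edit:
# three OUs (one nested) and two containers.
AD_ENTRIES = [
    "OU=Payroll,OU=Accounting,DC=acme,DC=local",
    "OU=Accounting,DC=acme,DC=local",
    "OU=Sales and Marketing,DC=acme,DC=local",
    "CN=Users,DC=acme,DC=local",
    "CN=Computers,DC=acme,DC=local",
]


def split_dn(dn):
    """Split a DN into its RDNs, leaving backslash-escaped commas alone."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def mirror_entry(ad_dn, ad_base=AD_BASE, ds_base=DS_BASE,
                 container_objectclass="nsContainer"):
    """Describe the 389 DS entry that mirrors one AD OU or container.

    OUs keep their OU=name RDN and use the standard organizationalUnit
    class.  Containers keep their CN=name RDN; 389 DS ships no 'container'
    class (which is why the post says the schema has to be extended), so the
    class is a parameter.  nsContainer is an assumption here: substitute the
    class your extended schema defines.
    """
    rdns = split_dn(ad_dn)
    base_rdns = split_dn(ad_base)
    tail = [r.lower() for r in rdns[-len(base_rdns):]]
    if tail != [r.lower() for r in base_rdns]:
        raise ValueError(f"{ad_dn} is not under {ad_base}")
    rel = rdns[:-len(base_rdns)]
    if not rel:
        raise ValueError("the base DN itself is not an OU or container")
    parts = []
    for rdn in rel:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r}")
        parts.append((attr.lower(), value))
    attr, value = parts[0]
    if attr == "ou":
        classes = ["top", "organizationalUnit"]
    elif attr == "cn":
        classes = ["top", container_objectclass]
    else:
        raise ValueError(f"unexpected RDN attribute {attr!r} in {ad_dn}")
    ds_dn = ",".join(f"{a}={v}" for a, v in parts) + "," + ds_base
    return {"dn": ds_dn, "rdn_attr": attr, "rdn_value": value,
            "objectClass": classes, "depth": len(parts)}


def ldif_value(attr, value):
    """Emit 'attr: value', switching to base64 ('attr:: ...') where RFC 2849 requires it."""
    unsafe = (value != value.strip() or value[:1] in (":", "<")
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def to_ldif(ad_dns, **kwargs):
    """Build one LDIF document, parents before children so ldapadd succeeds."""
    entries = sorted((mirror_entry(d, **kwargs) for d in ad_dns),
                     key=lambda e: e["depth"])
    blocks = []
    for e in entries:
        lines = [ldif_value("dn", e["dn"])]
        lines += [f"objectClass: {c}" for c in e["objectClass"]]
        lines.append(ldif_value(e["rdn_attr"], e["rdn_value"]))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Save the output and load it with, for example:
    #   ldapadd -x -H ldap://ds.acme.local -D "cn=Directory Manager" -W -f mirror.ldif
    # (ds.acme.local is a constructed host name.)
    print(to_ldif(AD_ENTRIES))
```

Entries are sorted by depth because ldapadd processes LDIF in order and an entry whose parent does not exist yet is rejected; the base64 switch in ldif_value matters for names with leading spaces or non-ASCII characters, which AD allows but plain LDIF syntax does not.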


Posted on 2/19/2009 and last updated on 11/6/2009
Filed under 389 Directory Server, Active Directory