This article describes how to configure the 389 Directory Server to synchronize entries with an Active Directory Server.

Launching the 389 Management Console

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.

Creating the Sync User Account

The sync user account will be used by the replication plugin to update 389 Directory Server. For security reasons it must not be located in the synchronized subtree, so that the credentials used to write replicated changes are never themselves part of the replicated data.

1. Click the Directory tab and click the config folder. Next, right-click config, select New and click User.
2. Fill in the First Name, Last Name, Common Name, User ID, Password and Confirm Password fields. Click OK when you are done.
3. Note down the distinguished name of the newly created user, shown at the bottom of the window (uid=SMaster,cn=config in this example).

Configuring Replication

The configuration below is for one-way synchronization only, from Active Directory to 389 Directory Server. If you need two-way synchronization, select Single Master or Multiple Master as the Replica Role and specify a numeric value for the Replica ID (for example, 1) instead of the default, Dedicated Consumer.

1. Click the Configuration tab and click the Replication folder. In the Supplier Settings page, check Enable Changelog and click the Use default button. Click Save when you are done.
2. Click the + sign corresponding to Replication and click userRoot. Check Enable Replica.
3. Type the distinguished name of the sync user account (uid=SMaster,cn=config in the example above) into the Enter a new Supplier DN field and click Add. Click Save when you are done.

Creating a Windows Sync Agreement

To synchronize with Active Directory, you need an Active Directory user account that 389 Directory Server can bind as. In the sample below, the fds user account (cn=fds,dc=acme,dc=local) has been created in Active Directory specifically for that purpose; use a dedicated account rather than an existing administrator's, since its credentials are stored in the sync agreement on the 389 server. Learn how to create a new user account in Windows Server.

1. Right-click userRoot and click New Windows Sync Agreement.
2. In the Agreement Name window, fill in the Name and Description fields and click Next.
3. Fill in the Windows Sync Server Info form and click Next when you are done. See the sample values below.

Windows Domain Information
  Windows Domain Name              acme.local
  Sync New Windows Users           On
  Sync New Windows Groups          On
  Windows Subtree                  dc=acme,dc=local
  DS Subtree                       dc=acme,dc=local
  Domain Controller Host           server.acme.local
  Port Num                         389

Connection
  Using encrypted SSL connection   Off
  Bind as                          cn=fds,dc=acme,dc=local
  Password                         secret
Note: If you prefer the encrypted SSL connection (port 636), 389 Directory Server must be set up for SSL and must trust the certificate presented by the domain controller, i.e. the CA certificate that issued the domain controller's certificate has to be imported into the 389 Directory Server certificate database.
Note: If you want password changes made on 389 Directory Server to replicate into Active Directory, you need the following:
  • a working Single Master/Multiple Master replication
  • the encrypted SSL connection enabled (Active Directory only accepts password writes over an encrypted connection)
  • a bind account (fds in the example above) that is allowed to reset user passwords. The easiest way is to make it a member of Domain Admins, but that grants far more than the sync needs; the least-privilege option is to delegate only the rights the sync uses on the synchronized subtree (create and modify user and group objects, and Reset Password) to the bind account.
Note: If you want password changes made on Active Directory to replicate into 389 Directory Server, see Synch Active Directory Password to FDS.
4. Review the settings in the Summary window and click Done.

Starting the Sync Process

1. Right-click the newly created agreement and click Initiate Full Re-synchronization.
2. Click the Status tab and click Replication Status to check whether the synchronization has completed.
3. Click Error Logs under the Logs folder to check for any sync errors.
Note: Check out Active Directory and 389 Directory Server Synchronization Issues for some of the problems you might encounter while implementing this.
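The command-line equivalent of the console steps in the sections above (sync user, replication settings, Windows sync agreement and the full re-synchronization), as an added example; it is not from the original article or from the 389 project. It uses the article's sample values; the instance name (example), the agreement name (acme-winsync), the sync user's password and the environment-variable names are assumptions. It refuses to emit the LDIF when the sync user's DN falls inside the synchronized subtree, and it warns when the agreement is not using SSL, since password changes from 389 Directory Server will then not propagate to Active Directory.

```shell
# Added example (not the article's or the 389 project's code): the ldapmodify
# equivalent of the console steps above, using the article's sample values.
set -eu
INSTANCE="${INSTANCE:-example}"              # ASSUMPTION: instance directory slapd-example
SUFFIX="${SUFFIX:-dc=acme,dc=local}"
SYNC_USER_DN="${SYNC_USER_DN:-uid=SMaster,cn=config}"
SYNC_USER_PW="${SYNC_USER_PW:-ChangeMe-Now}"  # ASSUMPTION: the article never shows it
AGREEMENT="${AGREEMENT:-acme-winsync}"       # ASSUMPTION: agreement name
AD_HOST="${AD_HOST:-server.acme.local}"
AD_DOMAIN="${AD_DOMAIN:-acme.local}"
AD_BIND_DN="${AD_BIND_DN:-cn=fds,dc=acme,dc=local}"
AD_BIND_PW="${AD_BIND_PW:-secret}"
USE_SSL="${USE_SSL:-no}"                     # yes: port 636 and SSL transport

replica_dn()   { printf 'cn=replica,cn="%s",cn=mapping tree,cn=config' "$SUFFIX"; }
agreement_dn() { printf 'cn=%s,%s' "$AGREEMENT" "$(replica_dn)"; }

# 0 when DN $1 is outside subtree $2, 1 when it is the subtree or lies under it
# (case-insensitive, whitespace around the commas ignored).
dn_outside_subtree() {
  _dn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g')
  _base=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g')
  case "$_dn" in
    "$_base"|*",$_base") return 1 ;;
  esac
  return 0
}

# Emits, in order: sync user, changelog, replica, Windows sync agreement.
winsync_ldif() {
  if ! dn_outside_subtree "$SYNC_USER_DN" "$SUFFIX"; then
    echo "refusing: sync user $SYNC_USER_DN is inside the synchronized subtree $SUFFIX" >&2
    return 1
  fi
  _port=389; _transport=LDAP
  if [ "$USE_SSL" = yes ]; then _port=636; _transport=SSL; else
    echo "warning: cleartext LDAP to AD; DS-to-AD password changes will not sync" >&2; fi
  _rdn=${SYNC_USER_DN%%,*}; _rdn=${_rdn#*=}   # RDN value, e.g. SMaster
  cat <<EOF
# Sync user, kept outside $SUFFIX so the entry is never itself synchronized
dn: $SYNC_USER_DN
changetype: add
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: $_rdn
cn: $_rdn
sn: $_rdn
userPassword: $SYNC_USER_PW
passwordExpirationTime: 20380119031407Z

# Supplier Settings > Enable Changelog
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-$INSTANCE/changelogdb

# userRoot > Enable Replica (single master, ID 1) with the sync user as Supplier DN
dn: $(replica_dn)
changetype: add
objectclass: top
objectclass: nsDS5Replica
objectclass: extensibleObject
cn: replica
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaType: 3
nsDS5ReplicaId: 1
nsDS5Flags: 1
nsDS5ReplicaBindDN: $SYNC_USER_DN

# New Windows Sync Agreement (the Windows Sync Server Info form)
dn: $(agreement_dn)
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: $AGREEMENT
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaHost: $AD_HOST
nsDS5ReplicaPort: $_port
nsDS5ReplicaTransportInfo: $_transport
nsDS5ReplicaBindDN: $AD_BIND_DN
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: $AD_BIND_PW
nsds7WindowsDomain: $AD_DOMAIN
nsds7WindowsReplicaSubtree: $SUFFIX
nsds7DirectoryReplicaSubtree: $SUFFIX
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
EOF
}

# Same effect as "Initiate Full Re-synchronization" on the agreement
resync_ldif() {
  cat <<EOF
dn: $(agreement_dn)
changetype: modify
replace: nsds5BeginReplicationRefresh
nsds5BeginReplicationRefresh: start
EOF
}
```

Pipe winsync_ldif into `ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W` to apply the configuration, then resync_ldif into the same command to start the full re-synchronization; the agreement's nsds5replicaLastInitStatus and nsds5replicaLastUpdateStatus attributes (read with `ldapsearch -x -s base -b "$(agreement_dn)"` as Directory Manager) carry the status the console shows under Replication Status. The replica is created as a single master (nsDS5ReplicaType 3, replica ID 1, changelog flag set), the setting the article gives for two-way sync; for the Dedicated Consumer role use nsDS5ReplicaType 2, nsDS5ReplicaId 65535 and nsDS5Flags 0.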

Visit the forum to ask for help or to give a comment.

***
Posted on 1/1/2009 and last updated on 11/6/2009
Filed under 389 Directory Server , Active Directory