Bug 1044137 - [RFE] posix winsync should support ADD user/group entries from DS to AD
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Rich Megginson
QA Contact: Viktor Ashirov
Keywords: FutureFeature
Reported: 2013-12-17 16:16 EST by Nathan Kinder
Modified: 2015-03-05 04:29 EST

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Enhancement
Last Closed: 2015-03-05 04:29:45 EST
External Trackers:
Red Hat Product Errata RHSA-2015:0416 (priority normal, status SHIPPED_LIVE): Important: 389-ds-base security, bug fix, and enhancement update. Last updated 2015-03-05 09:26:33 EST.
Description Nathan Kinder 2013-12-17 16:16:26 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/428

User/group entries added to DS do not have their posix attributes synced to AD.  This is due to a limitation in the winsync v1 api.  The v2 and later api support a pre add callback for DS to AD entries.
Comment 3 Noriko Hosoi 2014-10-28 16:43:26 EDT
Docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/posix-sync.html
http://www.port389.org/docs/389ds/design/winsync-posix.html
http://www.port389.org/docs/389ds/design/posix-winsync-sid-enhancements.html

Please test these attribute pairs (AD attribute, DS attribute):
    "unixHomeDirectory", "homeDirectory"
    "loginShell", "loginShell"
    "uidNumber", "uidNumber"
    "gidNumber", "gidNumber"
    "gecos", "gecos"
Comment 4 Viktor Ashirov 2015-01-19 12:13:34 EST
$ rpm -qa | grep 389
389-ds-base-debuginfo-1.3.3.1-11.el7.x86_64
389-ds-base-libs-1.3.3.1-11.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

[1] Add user to DS with POSIX attributes:
$ ldapmodify -D "cn=Directory Manager" -w Secret123  -H ldap://localhost:1189 -a << EOF
dn: uid=ds_posixusr,ou=People,dc=example,dc=com
objectClass: inetorgperson
objectClass: inetuser
objectclass: ntUser
objectClass: posixAccount
uid: ds_posixusr
givenName: ds_posixusr
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ds_posixusr
gecos: ds_posixusr
loginShell: /bin/bash
sn: ds_posixusr
cn: ds_posixusr
ntUserCreateNewAccount: true
ntUserDomainId: ds_posixusr
ntUserDeleteAccount: true
userPassword: Secret123
EOF
adding new entry "uid=ds_posixusr,ou=People,dc=example,dc=com"

[2] Add user to AD with POSIX attributes:
$ ldapadd -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldaps://win2k8.adrelm.com:636  << EOF
dn: CN=ad_posixusr,ou=adsync,dc=adrelm,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
uidNumber: 2000
gidNumber: 2000
cn: ad_posixusr
sn: ad_posixusr
uid: ad_posixusr
givenName: ad_posixusr
distinguishedName: CN=ad_posixusr,ou=adsync,dc=adrelm,dc=com
displayName: ad_posixusr
unixHomeDirectory: /home/ad_posixusr
loginShell: /bin/bash
gecos: ad_posixusr
sAMAccountName: ad_posixusr
userPrincipalName: ad_posixusr@dc=adrelm,dc=com
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwA0ACIA
EOF
adding new entry "CN=ad_posixusr,ou=adsync,dc=adrelm,dc=com"

[3] Wait for sync

[4] Search for POSIX attributes of AD user synced to DS:
$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 -b dc=example,dc=com uid=ad_posixusr uidNumber gidNumber unixHomeDirectory homeDirectory loginShell gecos
dn: uid=ad_posixusr,ou=People,dc=example,dc=com
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ad_posixusr
loginShell: /bin/bash
gecos: ad_posixusr

[5] Search for POSIX attributes of DS user synced to AD:
$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=ds_posixusr uidNumber gidNumber unixHomeDirectory homeDirectory loginShell gecos
dn: CN=ds_posixusr,OU=adsync,DC=adrelm,DC=com
uidNumber: 1000
gidNumber: 1000
gecos: ds_posixusr
unixHomeDirectory: /home/ds_posixusr
loginShell: /bin/bash


Marking as VERIFIED
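The verification in Comment 4 compares the POSIX attributes of the same user on the DS and AD sides by eye, using the attribute pairs from Comment 3 (the only renamed pair is unixHomeDirectory on AD versus homeDirectory on DS). Below is an added example, not part of this bug report or of 389-ds-base, that does the same check offline: it parses the LDIF that `ldapsearch -o ldif-wrap=no -LLL` prints on each side, applies that mapping and reports every POSIX attribute that is missing or differs. The embedded LDIF is constructed from the values in Comment 4; the "before fix" AD entry with no POSIX attributes, the function names and the base64/folded-line cases are this example's own assumptions about what a practitioner would feed it.

```python
"""Offline check that POSIX attributes survived a 389-ds <-> AD winsync.

Added example, not code from the bug report or from 389-ds-base. Input is
the LDIF printed by `ldapsearch -o ldif-wrap=no -LLL` on each side.
"""
import base64

# AD attribute -> DS attribute, as listed in Comment 3 of the bug.
AD_TO_DS = {
    "unixHomeDirectory": "homeDirectory",
    "loginShell": "loginShell",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "gecos": "gecos",
}

# Constructed from the values in Comment 4: the DS entry added in step [1]
# and the AD entry found in step [5] after the sync.
DS_USER_LDIF = """\
dn: uid=ds_posixusr,ou=People,dc=example,dc=com
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ds_posixusr
loginShell: /bin/bash
gecos: ds_posixusr
"""

AD_SYNCED_LDIF = """\
dn: CN=ds_posixusr,OU=adsync,DC=adrelm,DC=com
uidNumber: 1000
gidNumber: 1000
gecos: ds_posixusr
unixHomeDirectory: /home/ds_posixusr
loginShell: /bin/bash
"""

# Hypothetical AD entry as the pre-fix behaviour described in the bug would
# leave it: the account exists but carries no POSIX attributes.
AD_UNSYNCED_LDIF = """\
dn: CN=ds_posixusr,OU=adsync,DC=adrelm,DC=com
sAMAccountName: ds_posixusr
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]} dicts, one per entry.

    Handles RFC 2849 folded continuation lines (leading space) and '::'
    base64 values. Attribute names are lowercased because LDAP treats them
    case-insensitively. ':<' URL-valued attributes are not handled.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def compare_posix(ds_entry, ad_entry):
    """Return {ds_attr: (ds_values, ad_values)} for every POSIX attribute that
    is absent or different on either side. An empty dict means consistent."""
    diffs = {}
    for ad_attr, ds_attr in AD_TO_DS.items():
        ds_vals = sorted(ds_entry.get(ds_attr.lower(), []))
        ad_vals = sorted(ad_entry.get(ad_attr.lower(), []))
        if ds_vals != ad_vals:
            diffs[ds_attr] = (ds_vals, ad_vals)
    return diffs


def check_sync(ds_ldif, ad_ldif):
    """Parse exactly one entry from each side and compare its POSIX attributes."""
    ds_entries, ad_entries = parse_ldif(ds_ldif), parse_ldif(ad_ldif)
    if len(ds_entries) != 1 or len(ad_entries) != 1:
        raise ValueError("expected exactly one entry per side, got "
                         f"{len(ds_entries)} (DS) and {len(ad_entries)} (AD)")
    return compare_posix(ds_entries[0], ad_entries[0])


if __name__ == "__main__":
    for label, ad_ldif in (("after fix", AD_SYNCED_LDIF),
                           ("before fix", AD_UNSYNCED_LDIF)):
        diffs = check_sync(DS_USER_LDIF, ad_ldif)
        print(f"{label}: {'consistent' if not diffs else diffs}")
```

Capture each side with the same `ldapsearch` invocations as in Comment 4 and feed the two outputs to `check_sync`. When capturing, bind over `ldaps://` (or `-ZZ` for StartTLS) and read the bind password with `-y <file>` rather than `-w` on the command line, since the AD-side search in step [5] used plain `ldap://` and both binds put the password into the shell history.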
Comment 6 errata-xmlrpc 2015-03-05 04:29:45 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
