There is a simple workaround. The file 50ns-directory.ldif in the /etc/dirsrv/slapd-instance/schema directory defines the ntGroup objectclass.

1) Copy the definition of ntGroup from that file into 99user.ldif
2) Edit the list of allowed attributes (the MAY list) - add mail to the list so that the definition looks like this:

objectClasses: ( 2.16.840.1.113730.3.2.9 NAME 'ntGroup' DESC 'Netscape defined objectclass' SUP top MUST ( ntUserDomainId ) MAY ( description $ l $ ou $ seeAlso $ ntGroupId $ ntGroupAttributes $ ntGroupCreateNewGroup $ ntGroupDeleteGroup $ ntGroupType $ ntUniqueId $ mail ) X-ORIGIN 'Netscape NT Synchronization' )

3) Restart the server
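
The schema edit from the workaround above, as an added example that is not part of the original comment or of the 389 DS code base: it unfolds a schema LDIF, finds the ntGroup definition, and appends mail to its MAY list. The function names and the folded sample input are constructed for illustration; the sample is the definition shown above with mail removed.

```python
import re

# Constructed sample: the ntGroup definition without "mail", folded the way
# LDIF folds long lines (a continuation line starts with one space).
SAMPLE_SCHEMA = "dn: cn=schema\n" + "\n ".join([
    "objectClasses: ( 2.16.840.1.113730.3.2.9 NAME 'ntGroup' DESC 'Netscape defi",
    "ned objectclass' SUP top MUST ( ntUserDomainId ) MAY ( description $ l $ o",
    "u $ seeAlso $ ntGroupId $ ntGroupAttributes $ ntGroupCreateNewGroup $ ntGr",
    "oupDeleteGroup $ ntGroupType $ ntUniqueId ) X-ORIGIN 'Netscape NT Synchron",
    "ization' )",
]) + "\n"

MAY_CLAUSE = re.compile(r"\bMAY\s+(\([^)]*\)|[\w.;-]+)")

def unfold(ldif_text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_objectclass(ldif_text, name):
    """Return the objectClasses value with a single NAME equal to `name`, or None."""
    wanted = re.compile(r"\bNAME\s+'%s'" % re.escape(name), re.IGNORECASE)
    for line in unfold(ldif_text):
        key, _, value = line.partition(":")
        if key.strip().lower() == "objectclasses" and wanted.search(value):
            return value.strip()
    return None

def may_attributes(definition):
    """List the attribute names in the MAY clause (empty if there is none)."""
    m = MAY_CLAUSE.search(definition)
    if not m:
        return []
    return [a.strip() for a in m.group(1).strip("()").split("$") if a.strip()]

def allow_attribute(definition, attr):
    """Append `attr` to the MAY list; return the input unchanged if already allowed."""
    current = may_attributes(definition)
    if attr.lower() in (a.lower() for a in current):
        return definition
    if not current:
        raise ValueError("definition has no MAY clause to extend")
    clause = "MAY ( " + " $ ".join(current + [attr]) + " )"
    return MAY_CLAUSE.sub(lambda _m: clause, definition, count=1)

if __name__ == "__main__":
    # Print the line to place in 99user.ldif.
    print("objectClasses: " + allow_attribute(find_objectclass(SAMPLE_SCHEMA, "ntGroup"), "mail"))
```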
*** Bug 527805 has been marked as a duplicate of this bug. ***
Created attachment 473437 Patch
Pushed patch to master. Thanks to Noriko for her review!

Counting objects: 9, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 601 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   5ebd590..7dfe817 master -> master
Fix verified on DS90 builds.

Steps to verify:
---------------
1. Configure Winsync and add a group to AD with a mail attribute, like this:

dn: CN=bug505722_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: group
cn: bug505722_1
distinguishedName: CN=bug505722_1,OU=pass_sync,DC=win2k8sync64,DC=com
name: bug505722_1
sAMAccountName: bug505722_1
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=win2k8sync64,DC=com
mail: sramling_1

2. Check whether the group is synced to DS.

Host=`hostname`;Port=1389;Base="dc=pass_sync,dc=com";
/usr/lib64/mozldap/ldapsearch -h $Host -p $Port -D "cn=Directory Manager" -w "Secret123" -b "$Base" "cn=bug505722_*"

dn: cn=bug505722_2,dc=pass_sync,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: bug505722_2
ntUserDomainId: bug505722_2
ntGroupType: 2
mail: sramling_2
ntUniqueId: ffb5f438c7811c46b867e0edfa39e5a5