Created attachment 364018 [details]
Attributes as reported by AD.

Description of problem:

If you have a group in Active Directory with Exchange attributes on, it will not sync to Directory Server.  This issue seems to stem from the fact that the exchange attributes adds the 'mail' attribute, which winsync attempts to sync to the directory server, however the ntGroup objectclass doesn't allow that attribute.  The result is that the group is not synced, with the error:

Entry "cn=test,OU=Groups,dc=example,dc=com" -- attribute "mail" not allowed


Version-Release number of selected component (if applicable):

Tested with:
Windows 2003 with Exchange 6.5
centos dirsrv 8.1.0 (direct port of RHDS 8.1)
latest version of winsync

Steps to Reproduce:

0 - requires MS Exchange on your AD server
1 - create a group in AD, making sure to enable a group email address
2 - the new group will not be synced correctly


Actual results:

The group does not sync, error in the sync log:

[07/Oct/2009:11:33:26 -0700] - Windows sync entry: Adding new local entry dn: cn=test,OU=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: test
ntUserDomainId: test
ntGroupType: -2147483646
mail: test
ntUniqueId: 7fb6ac4638090945bb086219c605eb49

[07/Oct/2009:11:33:26 -0700] - Entry "cn=test,OU=Groups,dc=example,dc=com" -- attribute "mail" not allowed


Expected results:

The group should sync, either with or without the mail attribute. Either winsync should ignore the mail attribute for groups or the ntGroup objectclass should include 'mail' as an allowed attribute.


Additional info:

Attached is the complete attributes for the group that AD reports when queried by ldapsearch.  Note that the info has been slightly sanitized - if something is inconsistent and you need raw data please email me.