16.8. Configuring Multiple Subtrees and Filters in Windows Synchronization
Windows Synchronization is designed to synchronize between multiple pairs of subtrees on the Directory Server (DS) and Active Directory (AD). By using filters, only specified entries under a subtree are synchronized.
Multiple Subtrees in Windows Synchronization
To synchronize among multiple subtree pairs, configure the Directory Server and the Active Directory subtrees in the winSyncSubtreePair parameter in the Windows sync agreement. For example, to set the ou=OU1,dc=DSexample,dc=com and ou=OU1,DC=ADexample,DC=com subtree pair:
# dsconf -D "cn=Directory Manager" ldap://server.example.com repl-winsync-agmt set --subtree-pair="ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com" --suffix="dc=example,dc=com" example-agreement
If winSyncSubtreePair is not set, the nsds7WindowsReplicaSubtree AD subtree parameter and the nsds7DirectoryReplicaSubtree DS subtree parameter are used for the synchronization target checks instead. Otherwise, these two parameters are ignored.
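The target check described above can be rehearsed offline before an agreement is changed, for example to confirm that a sensitive entry stays outside the synchronized scope. The following Python sketch is an added example, not Directory Server code: the function names, the second subtree pair, and the two fallback subtree values are constructed for illustration, and it assumes case-insensitive DN matching and a colon separating the DS and AD halves of each pair, as in the command above.

```python
import re

# Constructed sample configuration (values are illustrative, not from a live server).
PAIRS = [
    "ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com",
    "ou=OU2,dc=DSexample,dc=com:ou=OU2,DC=ADexample,DC=com",
]
DS_SUBTREE = "ou=People,dc=DSexample,dc=com"   # nsds7DirectoryReplicaSubtree
AD_SUBTREE = "cn=Users,DC=ADexample,DC=com"    # nsds7WindowsReplicaSubtree


def norm_dn(dn):
    """Split on unescaped commas and case-fold each RDN.
    Assumption: naming attributes use case-insensitive matching."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True when base is the entry itself or one of its ancestors."""
    d, b = norm_dn(dn), norm_dn(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def sync_scope(dn, side, pairs, ds_subtree, ad_subtree):
    """Return the configured subtree covering dn on side ('ds' or 'ad'), else None."""
    idx = 0 if side == "ds" else 1
    if pairs:
        # winSyncSubtreePair is set: the two single-subtree parameters are ignored.
        bases = [p.split(":", 1)[idx] for p in pairs]
    else:
        bases = [(ds_subtree, ad_subtree)[idx]]
    return next((b for b in bases if is_under(dn, b)), None)


if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=OU1,dc=dsexample,dc=com",
               "uid=svc,ou=People,dc=DSexample,dc=com"):
        print(dn, "->", sync_scope(dn, "ds", PAIRS, DS_SUBTREE, AD_SUBTREE))
```

The second DN falls under the constructed nsds7DirectoryReplicaSubtree value but is reported as out of scope, because that parameter is ignored once subtree pairs are configured.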
Filters in Windows Synchronization
You can set a filter that selects data to be synchronized in the following parameters:
--win-filter sets an additional filter on the Active Directory server.
--ds-filter sets an additional filter on Directory Server.
The following example configures the example_agreement agreement to synchronize entries that contain user and group attributes:
# dsconf -D "cn=Directory Manager" ldap://server.example.com repl-winsync-agmt \
    set --win-filter="(|(cn=*user*)(cn=*group*))" --ds-filter="(|(uid=*user*)(cn=*group*))" \
    example_agreement