Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
16.9. Synchronizing POSIX Attributes for Users and Groups
A subset of all possible user and attributes are synchronized between Active Directory and Red Hat Directory Server. Some attributes are mapped, where there are differences between Active Directory and Directory Server schemas, and some attributes are matched directly. The attributes (matched and mapped) which are synchronized are listed in Section 16.5.1, “User Attributes Synchronized between Directory Server and Active Directory” and Section 16.6.2, “Group Attributes Synchronized between Directory Server and Active Directory”.
By default, only those attributes are synchronized.
One type of attribute that is missing from that sync list is any POSIX-related attribute. On Linux systems, system users and groups are identified as POSIX entries, and LDAP POSIX attributes contain that required information. However, when Windows users are synchronized over, they have
ntUser and ntGroup attributes automatically added which identify them as Windows accounts, but no POSIX attributes are synchronized over (even if they exist on the Active Directory entry) and no POSIX attributes are added on the Directory Server side.
The Posix Winsync API Plug-in synchronizes POSIX attributes between Active Directory and Directory Server entries.
Note
All POSIX attributes (such as
uidNumber, gidNumber, and homeDirectory) are synchronized between Active Directory and Directory Server entries. However, if a new POSIX entry or POSIX attributes are added to an existing entry in the Directory Server, only the POSIX attributes are synchronized over to the Active Directory corresponding entry. The POSIX object class (posixAccount for users and posixGroup for groups) is not added to the Active Directory entry.
16.9.1. Enabling POSIX Attribute Synchronization
The Posix Winsync API Plug-in is disabled by default and must be enabled for POSIX attributes to be synchronized from Active Directory user and group entries to the corresponding Directory Server entries.
To enable the Posix Winsync API plug-in:
- Enable the plug-in:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow dsconf -D "cn=Directory Manager" ldap://server.example.com plugin "cn=Posix Winsync API,cn=plugins,cn=config" enable
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin "cn=Posix Winsync API,cn=plugins,cn=config" enable - Restart the instance:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow dsctl instance_name restart
# dsctl instance_name restart
16.9.2. Changing Posix Group Attribute Synchronization Settings
There are multiple plug-in attributes that can be set to control how the POSIX group attributes and group members are synchronized from the Active Directory entry to the corresponding Directory Server group and user entries. For details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
The defaults can be used for most deployments, but the settings can be changed depending on the Active Directory environment. For example, to enable nested group mappings:
- Use the following command to enable the nested group mapping:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow dsconf -D "cn=Directory Manager" ldap://server.example.com plugin posix-winsync set --map-nested-grouping="true"
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin posix-winsync set --map-nested-grouping="true" - Restart the Directory Server to load the new configuration.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow dsctl instance_name restart
# dsctl instance_name restart
16.9.3. Fixing Mismatched member and uniqueMember Attribute Values in posixGroup Entries
If the
member and uniqueMember attribute values in posixGroup entries on Directory Server and Active Directory (AD) do not match, use the dsconf plugin posix-winsync fixup command to fix the problem:
dsconf -D "cn=Directory Manager" ldap://server.example.com plugin posix-winsync fixup DN
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin posix-winsync fixup DN
This command recreates
memberUid values on Directory Server and automatically modifies the member and uniqueMember attribute values to match the values defined in AD.
Optionally, pass the
-f filter parameter to the command to specify in which entries the command should fix memberUid attributes. Without a filter, the command operates on all entries that contain the inetuser, inetadmin, and nsmemberof object class.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}