HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

to the Directory Server, and users/groups as they are created are synchronized to the Directory
Server.
Within the Windows subtree, only entries with user or group object classes can be synchronized
to Directory Server.
On the Directory Server, only entries with the ntUser or ntGroup object classes and attributes
can be synchronized.
The placement of the sync agreement depends on which suffixes are synchronized. For a single
suffix, the sync agreement is made for that suffix alone. For multiple suffixes, the sync agreement
is made at a higher branch of the directory tree. To propagate Windows entries and updates
throughout the Directory Server deployment, make the agreement with a master in a multi-master
replication environment, and use that master to replicate the changes across the Directory Server
deployment, as shown in Figure 20 (page 393).
CAUTION:
There can only be a single sync agreement between the Directory Server environment and the
Active Directory environment. Multiple sync agreements to the same Active Directory domain can
create entry conflicts.
Figure 20 Multi-master Directory Server - Windows domain synchronization
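One way to audit the single-agreement rule in the caution above is to scan an LDIF export of the agreement entries and report any Windows domain that has more than one sync agreement. This is an added example, not code from the guide; the object class and attribute names (nsDSWindowsReplicationAgreement, nsds7WindowsDomain, nsds7WindowsReplicaSubtree) are assumptions taken from the 389 Directory Server schema, and the sample entries are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample of agreement entries exported as LDIF.
# Attribute names are assumed from the 389 Directory Server schema.
SAMPLE_LDIF = """\
dn: cn=adsync-a,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsDomain: EXAMPLE.COM
nsds7WindowsReplicaSubtree: cn=Users,dc=example,
 dc=com

dn: cn=adsync-b,cn=replica,cn="ou=People,dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsDomain: example.com

dn: cn=to-master2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute name -> list of values."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr.strip().lower()].append(value.strip())
        if "dn" in entry:
            entries.append(dict(entry))
    return entries

def duplicate_sync_agreements(entries):
    """Map each Windows domain to its agreement DNs when it has more than one."""
    by_domain = defaultdict(list)
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "nsdswindowsreplicationagreement" in classes:
            for domain in e.get("nsds7windowsdomain", ["<unset>"]):
                by_domain[domain.lower()].append(e["dn"][0])  # domains compare case-insensitively
    return {d: dns for d, dns in by_domain.items() if len(dns) > 1}

if __name__ == "__main__":
    print(duplicate_sync_agreements(parse_ldif(SAMPLE_LDIF)))
```

An empty result means no domain has more than one sync agreement in the export; ordinary replication agreements are ignored.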
Directory Server passwords are synchronized along with other entry attributes because plain-text
passwords are retained in the Directory Server changelog. The Password Sync service is needed
to catch password changes made on Active Directory. Without the Password Sync service, it would
be impossible to have Windows passwords synchronized because passwords are hashed in Active
Directory, and the Windows hashing function is incompatible with the one used by Directory Server.
9.2 Configuring Windows Sync
Configuring synchronization is very similar to configuring replication. It requires configuring the
database as a master with a changelog and creating an agreement to define synchronization. A
common user identity, a sync manager, connects to the Windows Sync peer to send updates from
the Directory Server and to check for updates to synchronize back to the Directory Server.