HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

9.4.3.2 Configuring group sync in the command line
To enable synchronization through the command line, add the required sync attributes to an entry
or create an entry with those attributes.
Three schema elements are required for synchronization:
• The ntGroup object class.
• The ntUserDomainID attribute, to give the Windows ID for the entry.
• The ntGroupCreateNewAccount attribute, to signal to the synchronization plug-in to synchronize the Directory Server entry over to Active Directory.
The ntGroupDeleteAccount attribute is optional, but it sets whether to delete the entry automatically from the Active Directory domain if it is deleted in the Directory Server.
For example:
ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
# The LDIF change record is read from standard input; each "-" line separates
# one modify operation from the next.
dn: cn=Example Group, ou=Groups, dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ntGroup
-
add: ntUserDomainId
ntUserDomainId: example-group
-
add: ntGroupCreateNewAccount
ntGroupCreateNewAccount: true
-
add: ntGroupDeleteAccount
ntGroupDeleteAccount: true
Many additional Windows and group attributes can be added to the entry. All the schema that is
synchronized is listed in “Group attributes synchronized between Directory Server and Active
Directory” (page 411). Windows-specific attributes, belonging to the ntGroup object class, are
described in more detail in the HP-UX Directory Server schema reference.
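As an added illustration (not from the HP-UX Directory Server guide or its tooling), the following Python audit helper parses an LDIF export, or the modify record above, and reports for each group entry which of the three required sync elements is missing and whether ntGroupDeleteAccount is true, since that setting propagates Directory Server deletions into the Active Directory domain. The function names parse_ldif and audit_sync_groups and the SAMPLE record are assumptions made for this example.

```python
def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} from entry or 'changetype: modify' LDIF records."""
    entries, dn, attrs = {}, None, {}
    text = text.replace("\n ", "")  # unfold continuation lines (leading space)
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line and dn:
            entries[dn], dn, attrs = attrs, None, {}
        if not line or line == "-" or line.startswith("#"):
            continue  # record separator, modify-op separator, or comment
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name not in ("changetype", "add", "replace", "delete"):
            attrs.setdefault(name, []).append(value)  # base64 ('::') left undecoded
    return entries

def audit_sync_groups(text):
    """Return {dn: (missing_required_elements, deletes_propagate_to_ad)}."""
    report = {}
    for dn, attrs in parse_ldif(text).items():
        low = {k: [v.lower() for v in vs] for k, vs in attrs.items()}
        missing = []
        if "ntgroup" not in low.get("objectclass", []):
            missing.append("objectClass: ntGroup")
        if not low.get("ntuserdomainid"):
            missing.append("ntUserDomainId")
        if "true" not in low.get("ntgroupcreatenewaccount", []):
            missing.append("ntGroupCreateNewAccount: true")
        # optional attribute; when true, a delete in Directory Server is replicated to AD
        report[dn] = (missing, "true" in low.get("ntgroupdeleteaccount", []))
    return report

SAMPLE = """dn: cn=Example Group, ou=Groups, dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ntGroup
-
add: ntUserDomainId
ntUserDomainId: example-group
-
add: ntGroupCreateNewAccount
ntGroupCreateNewAccount: true
-
add: ntGroupDeleteAccount
ntGroupDeleteAccount: true
"""  # constructed sample: the guide's modify record, not a live export
```

Running audit_sync_groups over an ldapsearch LDIF export of ou=Groups gives the same report for every existing group, which is a quick way to find entries that will replicate deletions before enabling the agreement.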
9.4.4 Configuring group sync for Active Directory groups
Synchronization for Windows users (users that originate in the Active Directory domain) is configured
in the synchronization agreement.
9.4.4.1 Configuring group sync in the console
1. Open the Configuration tab and expand the Replication folder.
2. Open the appropriate database, and select the synchronization agreement.
414 Synchronizing Directory Server with Microsoft Active Directory