HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

9.7.2.1 Creating a basic sync agreement
The most basic synchronization agreement defines the Directory Server database and the Active Directory sync peer:
For the Directory Server database:
  • The replicated subtree in the directory (nsds7DirectoryReplicaSubtree)
  • The Directory Server root DN (nsDS5ReplicaRoot)
For the Active Directory domain:
  • The replicated subtree in the Active Directory domain (nsds7WindowsReplicaSubtree)
  • The Active Directory domain name (nsds7WindowsDomain)
It also defines the connection information that the Directory Server uses to bind to the Active Directory domain:
  • The Active Directory host name (nsDS5ReplicaHost).
  • The Active Directory port (nsDS5ReplicaPort).
  • The type of connection (nsDS5ReplicaTransportInfo), which can be standard (LDAP), SSL (SSL), or Start TLS (TLS), which is a secure connection over a standard port.
  • The username (nsDS5ReplicaBindDN) and password (nsDS5ReplicaBindCredentials) for the Directory Server to use to bind to the Active Directory server.
For example:
ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=ExampleSyncAgreement,cn=sync replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People, dc=example,dc=com
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync manager
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
9.7.2.2 Setting sync schedules
Synchronization works in two directions. The Directory Server sends its updates to Active Directory on a
configurable schedule, similar to replication, using the nsds5replicaupdateschedule attribute.
The Directory Server also polls Active Directory to check for changes; how often it polls
the Active Directory server is set in the winSyncInterval attribute.
By default, the Directory Server update schedule keeps the servers always synchronized, and the
Directory Server polls Active Directory every five minutes.
To change the schedule the Directory Server uses to send its updates to Active Directory, edit
the nsds5replicaupdateschedule attribute. The schedule is set with start (SSSS) and end
(EEEE) times in the form HHMM, using a 24-hour clock. The days on which to run synchronization
updates are given as digits ranging from 0 (Sunday) to 6 (Saturday).
nsds5replicaupdateschedule: SSSS-EEEE DDDDDDD
For example, this schedules synchronization to run from noon to 2:00pm on Sunday, Tuesday,
Thursday, and Saturday:
nsds5replicaupdateschedule: 1200-1400 0246
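The following check is an added example, not part of the HP guide or the Directory Server tooling. It reads a sync agreement entry in LDIF form, reports a transport other than SSL or Start TLS, and validates each nsds5replicaupdateschedule value against the SSSS-EEEE DDDDDDD form described above. The function names and the sample entry are constructed for illustration.

```python
import re

SECURE_TRANSPORTS = {"SSL", "TLS"}  # the guide's third value, LDAP, is the standard connection
SCHEDULE_RE = re.compile(r"^(\d{4})-(\d{4}) ([0-6]{1,7})$")

# Constructed sample: the guide's example agreement, weakened for this demo.
SAMPLE_LDIF = """\
dn: cn=ExampleSyncAgreement,cn=sync replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsDS5ReplicaTransportInfo: LDAP
nsds5replicaupdateschedule: 1200-1460 0246
"""


def parse_entry(ldif):
    """Map lower-cased attribute names to value lists (no folded or base64 lines)."""
    entry = {}
    for line in ldif.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_schedule(value):
    """Return (start_minute, end_minute, day_numbers) for 'SSSS-EEEE DDDDDDD'."""
    match = SCHEDULE_RE.match(value)
    if not match:
        raise ValueError(f"not in SSSS-EEEE DDDDDDD form: {value!r}")
    minutes = []
    for hhmm in match.group(1, 2):
        hours, mins = int(hhmm[:2]), int(hhmm[2:])
        if hours > 23 or mins > 59:
            raise ValueError(f"invalid 24-hour time {hhmm}")
        minutes.append(hours * 60 + mins)
    return minutes[0], minutes[1], sorted({int(d) for d in match.group(3)})


def audit_agreement(ldif):
    """Return findings for one sync agreement entry; an empty list means none."""
    entry, findings = parse_entry(ldif), []
    transport = (entry.get("nsds5replicatransportinfo") or ["unset"])[0]
    if transport.upper() not in SECURE_TRANSPORTS:
        findings.append(f"transport {transport}: not SSL or Start TLS")
    for value in entry.get("nsds5replicaupdateschedule", []):
        try:
            parse_schedule(value)
        except ValueError as exc:
            findings.append(f"schedule: {exc}")
    return findings
```

Run audit_agreement over the agreement entries exported from cn=mapping tree,cn=config; the guide's own schedule example, 1200-1400 0246, parses to minutes 720 through 840 on days 0, 2, 4 and 6.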