Hi,
I have a Scalix-installation that syncs its users from an Active Directory. Now I want to cut the connection to the AD. Obvious first step is to do no more omldapsyncs. I guess the next step would be to delete the ADMINISTERED-BY attribute for each user.
I am not so sure about this: The AD-users have in the system-directory the objectGUID from the AD as their GLOBAL-UNIQUE-ID. I wonder if I should change that to the value of the GLOBAL-UNIQUE-ID as it is in the userlist-directory for that user. My guess would be that for scalix the ID from the userlist-directory is relevant and the ID in the system-directory is just for matching the AD objectGUID to a CN during omldapsync.
Any comments or caveats on this?
Cheers
Thomas
Seperate AD-synced users from AD
Moderators: ScalixSupport, admin
-
tdeklein
- Posts: 21
- Joined: Thu Apr 28, 2005 8:18 am
- Location: Germany
-
chris
- Scalix Star
- Posts: 321
- Joined: Mon May 09, 2005 2:56 pm
- Location: Freiburg, Germany
Hi Thomas,
actually, the GLOBAL-UNIQUE-ID in userlist and system should both be the same - it's a bit worrying that they're not.
Other than that you're correct that stopping omldapsync and removing the ADMINISTERED-BY attribute are the correct steps to decouple the AD.
There'll be no harm leaving the GUID values set to those that originally came from AD.
Chris
actually, the GLOBAL-UNIQUE-ID in userlist and system should both be the same - it's a bit worrying that they're not.
Other than that you're correct that stopping omldapsync and removing the ADMINISTERED-BY attribute are the correct steps to decouple the AD.
There'll be no harm leaving the GUID values set to those that originally came from AD.
Chris
-
tdeklein
- Posts: 21
- Joined: Thu Apr 28, 2005 8:18 am
- Location: Germany
Hi Chris,
So far I have seen
* AD-objectGUID in SYSTEM, SX-ID in USERLIST
* almost identical IDs except for the first char: 1 in USERLIST and 0 in
SYSTEM"
* identical IDs in both directories.
Just removing the ADMINISTERED-BY attribute did not work. Only when I set it to "scalix" I was able to administer the users via SAC. But as soon as the GLOBAL-UNIQUE-ID is identical (or almost identical, as the entries with the difference in the first char imply) in both directories I can remove the ADMINISTERED-BY and edit the user in SAC.
Is there any documentation (i. e. technote) you can point me to about the systematic behind this?
Cheers
Thomas
chris wrote:actually, the GLOBAL-UNIQUE-ID in userlist and system should both be the same - it's a bit worrying that they're not.
Chris
So far I have seen
* AD-objectGUID in SYSTEM, SX-ID in USERLIST
* almost identical IDs except for the first char: 1 in USERLIST and 0 in
SYSTEM"
* identical IDs in both directories.
chris wrote:Other than that you're correct that stopping omldapsync and removing the ADMINISTERED-BY attribute are the correct steps to decouple the AD.
Chris
Just removing the ADMINISTERED-BY attribute did not work. Only when I set it to "scalix" I was able to administer the users via SAC. But as soon as the GLOBAL-UNIQUE-ID is identical (or almost identical, as the entries with the difference in the first char imply) in both directories I can remove the ADMINISTERED-BY and edit the user in SAC.
chris wrote:There'll be no harm leaving the GUID values set to those that originally came from AD.
Chris
Is there any documentation (i. e. technote) you can point me to about the systematic behind this?
Cheers
Thomas
-
tdeklein
- Posts: 21
- Joined: Thu Apr 28, 2005 8:18 am
- Location: Germany
Who is online
Users browsing this forum: No registered users and 4 guests