Scalix Forums


http://www.scalix.com/forums/

Seperate AD-synced users from AD

http://www.scalix.com/forums/viewtopic.php?f=2&t=8467

Page 1 of 1

Seperate AD-synced users from AD

Posted: Fri Aug 10, 2007 10:46 am
by tdeklein
Hi,
I have a Scalix-installation that syncs its users from an Active Directory. Now I want to cut the connection to the AD. Obvious first step is to do no more omldapsyncs. I guess the next step would be to delete the ADMINISTERED-BY attribute for each user.

I am not so sure about this: The AD-users have in the system-directory the objectGUID from the AD as their GLOBAL-UNIQUE-ID. I wonder if I should change that to the value of the GLOBAL-UNIQUE-ID as it is in the userlist-directory for that user. My guess would be that for scalix the ID from the userlist-directory is relevant and the ID in the system-directory is just for matching the AD objectGUID to a CN during omldapsync.

Any comments or caveats on this?

Cheers
Thomas

Posted: Sat Aug 11, 2007 4:56 am
by chris
Hi Thomas,

actually, the GLOBAL-UNIQUE-ID in userlist and system should both be the same - it's a bit worrying that they're not.

Other than that you're correct that stopping omldapsync and removing the ADMINISTERED-BY attribute are the correct steps to decouple the AD.

There'll be no harm leaving the GUID values set to those that originally came from AD.

Chris

Posted: Fri Aug 17, 2007 3:13 am
by tdeklein
Hi Chris,

chris wrote:actually, the GLOBAL-UNIQUE-ID in userlist and system should both be the same - it's a bit worrying that they're not.
Chris


So far I have seen
* AD-objectGUID in SYSTEM, SX-ID in USERLIST
* almost identical IDs except for the first char: 1 in USERLIST and 0 in
SYSTEM"
* identical IDs in both directories.

chris wrote:Other than that you're correct that stopping omldapsync and removing the ADMINISTERED-BY attribute are the correct steps to decouple the AD.
Chris


Just removing the ADMINISTERED-BY attribute did not work. Only when I set it to "scalix" I was able to administer the users via SAC. But as soon as the GLOBAL-UNIQUE-ID is identical (or almost identical, as the entries with the difference in the first char imply) in both directories I can remove the ADMINISTERED-BY and edit the user in SAC.

chris wrote:There'll be no harm leaving the GUID values set to those that originally came from AD.
Chris


Is there any documentation (i. e. technote) you can point me to about the systematic behind this?

Cheers
Thomas

Posted: Fri Aug 17, 2007 1:09 pm
by dkelly
What version of the server are you running with ? I believe we resolved this issue with Scalix 11.1

Cheers

Dave

Posted: Sat Aug 18, 2007 9:24 am
by tdeklein
dkelly wrote:What version of the server are you running with ? I believe we resolved this issue with Scalix 11.1


This is still a 10.0.5 Server (fortunately it is the last 10.x I take care of and will soon be 11.x).

Cheers
Thomas
All times are UTC-04:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/