This doc describes the enhancements added to Windows Sync.
Windows Sync was originally designed to synchronize one subtree on the Directory Server (DS) with one subtree on Active Directory (AD), for instance “ou=People,dc=example,dc=com” on the Directory Server and “cn=Users,dc=example,dc=com” on Active Directory. But there is a requirement to synchronize more than one pair, so that entries under ou=People and under ou=Groups can be synchronized separately.
There is a requirement to restrict the entries under a subtree by filters. For instance, by setting (|(cn=user)(cn=group)), only entries which contain “user” or “group” in the cn value are synchronized.
AD returns up to MaxValRange values of a multi-valued attribute in one search. If more values exist, DS cannot retrieve all of them unless WinSync in DS repeats the search with an increasing range. This repeated range retrieval is added.
New config parameter in the Windows Sync agreement:
winSyncSubtreePair: DS_Subtree:AD_Subtree
Example:
winSyncSubtreePair: ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com
winSyncSubtreePair: ou=OU2,dc=DSexample,dc=com:ou=OU2,DC=ADexample,DC=com
winSyncSubtreePair: ou=OU3,dc=DSexample,dc=com:ou=OU3,DC=ADexample,DC=com
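The following is an added example, not code from the Windows Sync plugin or its project. It parses winSyncSubtreePair values in the "DS_Subtree:AD_Subtree" form shown above and, as an illustration, maps an entry DN from one side to the other by picking the most specific matching pair and swapping its subtree suffix for the peer subtree; how the plugin itself constructs the peer DN is not described on this page. The helpers assume the configured DNs contain no unescaped ':' or ',' characters, and the sample pairs and entry DNs are constructed for the example.

```python
def parse_subtree_pair(value):
    """Split a winSyncSubtreePair value "DS_Subtree:AD_Subtree" into two DNs.

    Assumption: neither DN contains an unescaped ':', so the first ':' is
    the separator between the DS subtree and the AD subtree.
    """
    ds_dn, sep, ad_dn = value.partition(":")
    if not sep or not ds_dn.strip() or not ad_dn.strip():
        raise ValueError(f"malformed winSyncSubtreePair value: {value!r}")
    return ds_dn.strip(), ad_dn.strip()


def _components(dn):
    # Assumption: no escaped commas inside RDN values.
    return [c.strip() for c in dn.split(",")]


def _has_suffix(entry, subtree):
    """True when the entry's trailing RDNs equal the subtree (case-insensitive)."""
    k = len(subtree)
    if len(entry) < k:
        return False
    return [c.lower() for c in entry[-k:]] == [c.lower() for c in subtree]


def map_dn_across_pair(pairs, entry_dn, reverse=False):
    """Rewrite entry_dn from the DS side to the AD side (or back with reverse=True).

    Picks the most specific (longest) configured subtree that contains the
    entry, so nested pairs win over their parents. Returns None when the entry
    is outside every configured subtree and therefore not synchronized.
    """
    entry = _components(entry_dn)
    best = None
    for ds_sub, ad_sub in pairs:
        src, dst = (ad_sub, ds_sub) if reverse else (ds_sub, ad_sub)
        src_parts = _components(src)
        if _has_suffix(entry, src_parts) and (best is None or len(src_parts) > len(best[0])):
            best = (src_parts, dst)
    if best is None:
        return None
    src_parts, dst = best
    # Keep the entry's own RDNs (values untouched) and append the peer subtree.
    return ",".join(entry[: len(entry) - len(src_parts)] + [dst])


# Constructed sample configuration: the three pairs from the agreement above
# plus one nested pair to show that the most specific subtree is chosen.
SAMPLE_PAIRS = [parse_subtree_pair(v) for v in (
    "ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com",
    "ou=OU2,dc=DSexample,dc=com:ou=OU2,DC=ADexample,DC=com",
    "ou=OU3,dc=DSexample,dc=com:ou=OU3,DC=ADexample,DC=com",
    "ou=Nested,ou=OU1,dc=DSexample,dc=com:ou=NestedAD,DC=ADexample,DC=com",
)]

if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=OU2,dc=DSexample,dc=com",
               "cn=Admins,ou=Nested,ou=OU1,dc=DSexample,dc=com",
               "uid=outsider,ou=OU9,dc=DSexample,dc=com"):
        print(dn, "->", map_dn_across_pair(SAMPLE_PAIRS, dn))
```

A value that fails to parse raises rather than silently producing a pair with an empty side, which is the behaviour you want for an agreement attribute that decides what gets written to the peer directory.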
New config parameters in the Windows Sync agreement:
winSyncWindowsFilter: additional_filter_on_AD
winSyncDirectoryFilter: additional_filter_on_DS
Example:
winSyncWindowsFilter: (|(cn=*user*)(cn=*group*))
winSyncDirectoryFilter: (|(uid=*user*)(cn=*group*))
New config parameters in the Windows Sync agreement: none.
AD returns up to MaxValRange values of a multi-valued attribute in one search. If more values exist, the subtype “;range=0-(MaxValRange-1)” is appended to the attribute type in the result. The AD client (DS in this case) has to repeat the search requesting “;range=MaxValRange-”, then “;range=(2*MaxValRange)-”, and so on, until the values are returned with the subtype “;range=low-”, which marks the final chunk.
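As an added example (not the plugin's own code), the exchange above simulated end to end in Python: a constructed stand-in for AD applies MaxValRange chunking and labels the returned attribute exactly as AD does, and a client loop keeps re-requesting the next range until the final chunk arrives. The example uses the full LDAP syntax in which the open-ended high bound is written as `*` (“member;range=1500-*”), which the text above abbreviates to “;range=low-”; the regex accepts both spellings. MaxValRange is set to 1500, Windows Server's default, and the member values are constructed.

```python
import re

# Windows Server's default MaxValRange; overridable per fake server below.
DEFAULT_MAX_VAL_RANGE = 1500

# Matches "attr;range=low-high" where high is a number, "*" or absent.
RANGE_RE = re.compile(
    r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)?$", re.IGNORECASE
)


def make_fake_ad(values, max_val_range=DEFAULT_MAX_VAL_RANGE):
    """Return a stand-in for an AD search (constructed for this example).

    The callable takes the requested attribute description ("member" or
    "member;range=1500-*") and returns {returned_attribute_description: [values]}
    the way AD labels a chunked multi-valued attribute.
    """
    def search(attr_request):
        m = RANGE_RE.match(attr_request)
        attr = m.group("attr") if m else attr_request
        low = int(m.group("low")) if m else 0
        total = len(values)
        if total <= max_val_range and low == 0:
            return {attr: list(values)}            # fits in one answer, no subtype
        high = min(low + max_val_range, total)
        chunk = values[low:high]
        if high >= total:
            label = f"{attr};range={low}-*"         # final chunk: open-ended high
        else:
            label = f"{attr};range={low}-{high - 1}"
        return {label: chunk}
    return search


def fetch_all_values(search, attr):
    """Repeat the search with increasing ranges until AD signals the last chunk.

    Stops on a plain attribute (no range subtype) or on an open-ended high bound
    ("*" or absent), which is how AD marks the final chunk. Refuses to loop on a
    server that keeps answering with a range it was not asked for.
    """
    collected = []
    request, expected_low = attr, 0
    while True:
        result = search(request)
        if not result:
            return collected                        # attribute absent on the entry
        (name, chunk), = result.items()
        m = RANGE_RE.match(name)
        if m is not None and int(m.group("low")) != expected_low:
            raise ValueError(f"unexpected range {name!r}, wanted low={expected_low}")
        collected.extend(chunk)
        if m is None or m.group("high") in (None, "*"):
            return collected
        expected_low = int(m.group("high")) + 1
        request = f"{attr};range={expected_low}-*"


if __name__ == "__main__":
    members = [f"cn=user{i},cn=Users,dc=ADexample,dc=com" for i in range(3200)]
    got = fetch_all_values(make_fake_ad(members), "member")
    print(f"retrieved {len(got)} of {len(members)} member values")
```

The client never trusts the number of values it got back as a signal of completeness; only the returned attribute description tells it whether another round is needed, which is why a sync that reads the attribute once and stops silently loses every value past MaxValRange.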