8.2.1. User Attribute Synchronization
FreeIPA synchronizes a subset of user attributes between FreeIPA and Active Directory user entries. Any other attributes present in the entry, either in FreeIPA or in Active Directory, are ignored by synchronization.
Although there are significant schema differences between the Active Directory LDAP schema and the 389 Directory Server LDAP schema used by FreeIPA, there are many attributes that are the same. These attributes are simply synchronized between the Active Directory and FreeIPA user entries, with no changes to the attribute name or value format.
Some attributes have different names but still have direct parity between FreeIPA (which uses 389 Directory Server) and Active Directory. These attributes are mapped by the synchronization process.
8.2.1.1. User Schema Differences between FreeIPA and Active Directory
Even though attributes may be successfully synced between Active Directory and FreeIPA, there may still be differences in how Active Directory and FreeIPA define the underlying X.500 object classes. This could lead to differences in how the data are handled in the different LDAP services.
This section describes the differences in how Active Directory and FreeIPA handle some of the attributes which can be synchronized between the two domains.
8.2.1.1.1. Values for cn Attributes
In 389 Directory Server, the cn
attribute can be multi-valued, while in Active Directory this attribute must have only a single value. When the FreeIPA cn
attribute is synchronized, then, only one value is sent to the Active Directory peer.
What this means for synchronization is that,potentially, if a cn
value is added to an Active Directory entry and that value is not one of the values for cn
in FreeIPA, then all of the FreeIPA cn
values are overwritten with the single Active Directory value.
One other important difference is that Active Directory uses the cn
attribute as its naming attribute, where FreeIPA uses uid
. This means that there is the potential to rename the entry entirely (and accidentally) if the cn
attribute is edited in the FreeIPA. If that cn
change is written over to the Active Directory entry, then the entry is renamed, and the new named entry is written back over to FreeIPA.
8.2.1.1.2. Values for street and streetAddress
Active Directory uses the attribute streetAddress
for a user or group's postal address; this is the way that 389 Directory Server uses the street
attribute. There are two important differences in the way that Active Directory and FreeIPA use the streetAddress
and street
attributes, respectively:
In 389 Directory Server, streetAddress
is an alias for street
. Active Directory also has the street
attribute, but it is a separate attribute that can hold an independent value, not an alias for streetAddress
.
Active Directory defines both streetAddress
and street
as single-valued attributes, while 389 Directory Server defines street
as a multi-valued attribute, as specified in RFC 4519.
Because of the different ways that 389 Directory Server and Active Directory handle streetAddress
and street
attributes, there are two rules to follow when setting address attributes in Active Directory and FreeIPA:
The synchronization process maps streetAddress
in the Active Directory entry to street
in FreeIPA. To avoid conflicts, the street
attribute should not be used in Active Directory.
Only one FreeIPA street
attribute value is synced to Active Directory. If the streetAddress
attribute is changed in Active Directory and the new value does not already exist in FreeIPA, then all street
attribute values in FreeIPA are replaced with the new, single Active Directory value.
8.2.1.1.3. Constraints on the initials Attribute
For the initials
attribute, Active Directory imposes a maximum length constraint of six characters, but 389 Directory Server does not have a length limit. If an initials
attribute longer than six characters is added to FreeIPA, the value is trimmed when it is synchronized with the Active Directory entry.
8.2.1.1.4. Requiring the surname (sn) Attribute
Active Directory allows person
entries to be created without a surname attribute. However, RFC 4519 defines the person
object class as requiring a surname attribute, and this is the definition used in Directory Server.
If an Active Directory person
entry is created without a surname attribute, that entry will not be synced over to FreeIPA since it fails with an object class violation.
8.2.1.2. Active Directory Entries and RFC 2307 Attributes
Windows uses unique, random security IDs (SIDs) to identify users. These SIDs are assigned in blocks or ranges, identifying different system user types within the Windows domain. When users are synchronized between FreeIPA and Active Directory, Windows SIDs for users are mapped to the Unix UIDs used by the FreeIPA entry. Another way of saying this is that the Windows SID is the only ID within the Windows entry which is used as an identifier in the corresponding Unix entry, and then it is used in a mapping.
When Active Directory domains interact with Unix-style applications or domains, then the Active Directory domain may use Services for Unix or IdM for Unix to enable Unix-style
uidNumber
and
gidNumber
attributes. This allows Windows user entries to follow the specifications for those attributes in
RFC 2307.
However, the uidNumber
and gidNumber
attributes are not actually used as the uidNumber
and gidNumber
attributes for the FreeIPA entry. The FreeIPA uidNumber
and gidNumber
attributes are generated when the Windows user is synced over.
The uidNumber
and gidNumber
attributes defined and used in FreeIPA are not the same uidNumber
and gidNumber
attributes defined and used in the Active Directory entry, and the numbers are not related.