<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body ocsi="0" fpstyle="1" bgcolor="#FFFFFF"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">disabled may not be logical as then once a user becomes disabled in AD, IPA will remove it rather than act and disable it.<br> <div><br> The way I read this winsync is its running the same command as I did initially by hand every 5mins...<br> <br> <br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF235685"><font color="#000000" face="Tahoma" size="2"><b>From:</b> Rich Megginson [rmeggins@redhat.com]<br> <b>Sent:</b> Friday, 21 September 2012 8:53 a.m.<br> <b>To:</b> Steven Jones<br> <b>Cc:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div></div> <div>On 09/20/2012 02:43 PM, Steven Jones wrote: <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> Some comments on the win sync agreement syntax.<br> <br> Hi,<br> <br> I'd like that command ipa-replica-manage connect "improved" if possible,<br> <br> 1) A flag on --win-subtree not to include sub-directories under the specified OU= as I think it is why Ive picked up lots of disabled users and templates. Also the capability to specify more than one OU as I at least have 2 OU= with users in (maybe it can do that I just dont see it)<br> </div> </blockquote> <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/460" target="_blank">https://fedorahosted.org/389/ticket/460</a><br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <br> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that any disabled users in AD are not transferred, I just transferred 7 years of ex-users and 200+ templates I would rather not have....now I think I have a huge cleanup task. Not just exclude, say location, so if I only want to sync users in one city (say) --include-only="LDAP Location'=Wellington<br> </div> </blockquote> <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/460" target="_blank">https://fedorahosted.org/389/ticket/460</a> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <br> Not sure if these are hugely useful but they would have helped me.<br> <div><br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div id="divRpF385195" style="direction: ltr;"><font color="#000000" face="Tahoma" size="2"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank"> freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] on behalf of Steven Jones [<a class="moz-txt-link-abbreviated" href="mailto:Steven.Jones@vuw.ac.nz" target="_blank">Steven.Jones@vuw.ac.nz</a>]<br> <b>Sent:</b> Thursday, 20 September 2012 2:48 p.m.<br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> it isnt,<br> <br> Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly working except Im also getting some "rubbish" so its looking like the import script/query to AD isnt right.<br> <div><br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div id="divRpF897098" style="direction: ltr;"><font color="#000000" face="Tahoma" size="2"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank"> freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] on behalf of Steven Jones [<a class="moz-txt-link-abbreviated" href="mailto:Steven.Jones@vuw.ac.nz" target="_blank">Steven.Jones@vuw.ac.nz</a>]<br> <b>Sent:</b> Thursday, 20 September 2012 12:15 p.m.<br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> Hi,<br> <br> I have -win-subtree cn= etc I take it that cn= is fine and that ou= and cn= are the same thing?<br> <div><br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div id="divRpF542911" style="direction: ltr;"><font color="#000000" face="Tahoma" size="2"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Thursday, 20 September 2012 11:03 a.m.<br> <b>To:</b> Steven Jones<br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div>On 09/19/2012 04:55 PM, Steven Jones wrote: <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> Hi,<br> <br> <br> Sample of errors log,<br> <br> <div>=========<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error<br> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error<br> =========<br> </div> </div> </blockquote> <br> Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?<br> <br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <div><br> <br> <br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div id="divRpF386226" style="direction: ltr;"><font color="#000000" face="Tahoma" size="2"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Wednesday, 19 September 2012 12:32 a.m.<br> <b>To:</b> Steven Jones<br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div>On 09/17/2012 07:10 PM, Steven Jones wrote: <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> Hi,<br> <br> I understand that I'll lose users that are cn=Staff_Admins,dc=etc<br> <br> So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc <br> </div> </blockquote> <br> <br> <br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <br> This I dont understand....<br> <br> I have the -v already, anyway to make it very verbose?<br> </div> </blockquote> <br> <a class="moz-txt-link-freetext" href="http://port389.org/wiki/FAQ#Troubleshooting" target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br> Use the replication log level 8192<br> I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc <br> <br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <div><br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div id="divRpF72378" style="direction: ltr;"><font color="#000000" face="Tahoma" size="2"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Tuesday, 18 September 2012 12:47 p.m.<br> <b>To:</b> Steven Jones<br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div>On 09/17/2012 06:17 PM, Steven Jones wrote: <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> Hi,<br> <br> The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug. The second time as far as I can tell I specified the correct cn via win-subtree flag but I still appear to have lost the users in IPA.....now I expected to lose the admins but the loss of users as well confounds me.<br> <br> <div>I did a ldapsearch as per checking and its seems to be saying the right folder/ou/cn but IPA is empty.<br> <br> Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. Ive tried greping cant find any indication.<br> <br> I will re-try with -v, verbose.<br> </div> </div> </blockquote> <br> It is not clear from the manuals, but no matter what -win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have<br> cn=mystaff,cn=staff,dc=example,dc=com<br> and you specify<br> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"<br> winsync will still search starting from dc=example,dc=com and will hit <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/355" target="_blank"> ticket/355</a> if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA.<br> <br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <div><br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272<br> </p> </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div id="divRpF82792" style="direction: ltr;"><font color="#000000" face="Tahoma" size="2"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Tuesday, 18 September 2012 11:37 a.m.<br> <b>To:</b> Steven Jones<br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] winsync agreement wipes IPA users<br> </font><br> </div> <div>On 09/17/2012 04:17 PM, Steven Jones wrote: <blockquote type="cite"><style id="owaParaStyle" type="text/css">  BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}P {margin-top:0;margin-bottom:0;}</style> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> Hi,<br> <br> I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD. </div> </blockquote> <br> Yes, this is what happens with <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/355" target="_blank"> https://fedorahosted.org/389/ticket/355</a><br> #355 winsync should not delete entry that appears to be out of scope<br> <br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> While doing the actual update does this get verbosly logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just dont know what.<br> </div> </blockquote> <br> You are seeing something different than #355?<br> <br> <blockquote type="cite"> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;"> <div><br> :/<br> <br> <div style="font-family: Tahoma; font-size: 13px;"> <p>regards</p> <p>Steven Jones</p> <p>Technical Specialist - Linux RHCE</p> <p>Victoria University, Wellington, NZ</p> <p>0064 4 463 6272</p> </div> </div> <br> </div> <br> <fieldset class="mimeAttachmentHeader" target="_blank"></fieldset> <br> <pre>_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> </div> </div> </div> </blockquote> <br> </div> </div> </div> </blockquote> <br> </div> </div> </div> </blockquote> <br> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> <fieldset class="mimeAttachmentHeader" target="_blank"></fieldset> <br> <pre>_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> </div> </div> </div> </body> </html>