<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/20/2012 04:54 PM, Dmitri Pal wrote:
<blockquote cite="mid:505B8298.2090101@redhat.com" type="cite">
On 09/20/2012 04:43 PM, Steven Jones wrote:
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0,
0, 0); font-size: 10pt;">Some comments on the win sync
agreement syntax.<br>
<br>
Hi,<br>
<br>
I'd like that command ipa-replica-manage connect "improved"
if possible,<br>
<br>
1) A flag on --win-subtree not to include sub-directories
under the specified OU= as I think it is why I've picked up
lots of disabled users and templates. Also the capability to
specify more than one OU as I at least have 2 OU= with users
in (maybe it can do that I just don't see it)<br>
<br>
2) A flag something like --exclude='LDAP
criteria/attribute'=disabled such that any disabled users in
AD are not transferred, I just transferred 7 years of ex-users
and 200+ templates I would rather not have....now I think I
have a huge cleanup task. Not just exclude, say location, so
if I only want to sync users in one city (say)
--include-only='LDAP Location'=Wellington<br>
<br>
Not sure if these are hugely useful but they would have helped
me.<br>
</div>
</blockquote>
<br>
Thank you for the feedback.<br>
Would you mind filing BZs or trac tickets?<br>
</blockquote>
<br>
NM. Rich bit me.<br>
<br>
<br>
<br>
<blockquote cite="mid:505B8298.2090101@redhat.com" type="cite"> <br>
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E40546CF90C@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<div><br>
<div style="font-family: Tahoma; font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New Roman; color: rgb(0, 0, 0);
font-size: 16px;">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF385195"><font
color="#000000" face="Tahoma" size="2"><b>From:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>]
on behalf of Steven Jones [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:Steven.Jones@vuw.ac.nz">Steven.Jones@vuw.ac.nz</a>]<br>
<b>Sent:</b> Thursday, 20 September 2012 2:48 p.m.<br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] winsync agreement
wipes IPA users<br>
</font><br>
</div>
<div>
<div style="direction: ltr; font-family: Tahoma; color:
rgb(0, 0, 0); font-size: 10pt;"> it isn't,<br>
<br>
I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's
mostly working except I'm also getting some "rubbish" so
it's looking like the import script/query to AD isn't
right.<br>
<div><br>
<div style="font-family: Tahoma; font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New Roman; color: rgb(0,
0, 0); font-size: 16px;">
<hr tabindex="-1">
<div id="divRpF897098" style="direction: ltr;"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>]
on behalf of Steven Jones [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:Steven.Jones@vuw.ac.nz">Steven.Jones@vuw.ac.nz</a>]<br>
<b>Sent:</b> Thursday, 20 September 2012 12:15
p.m.<br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] winsync
agreement wipes IPA users<br>
</font><br>
</div>
<div>
<div style="direction: ltr; font-family: Tahoma;
color: rgb(0, 0, 0); font-size: 10pt;"> Hi,<br>
<br>
I have -win-subtree cn= etc I take it that cn= is
fine and that ou= and cn= are the same thing?<br>
<div><br>
<div style="font-family: Tahoma; font-size:
13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New Roman; color:
rgb(0, 0, 0); font-size: 16px;">
<hr tabindex="-1">
<div id="divRpF542911" style="direction: ltr;"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Thursday, 20 September 2012
11:03 a.m.<br>
<b>To:</b> Steven Jones<br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] winsync
agreement wipes IPA users<br>
</font><br>
</div>
<div>On 09/19/2012 04:55 PM, Steven Jones wrote:
<blockquote type="cite">
<div style="direction: ltr; font-family:
Tahoma; color: rgb(0, 0, 0); font-size:
10pt;"> Hi,<br>
<br>
<br>
Sample of errors log,<br>
<br>
<div>=========<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName:
found DB object 1bcf2e0 for database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName:
found DB object 1bcf2e0 for database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - ruv_update_ruv:
successfully committed csn
504d01f7000000110000<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz"
(vuwunicoipam002:389): State:
stop_fatal_error -> stop_fatal_error<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz"
(vuwunicoipam003:389): State:
stop_fatal_error -> stop_fatal_error<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin -
ruv_add_csn_inprogress: successfully
inserted csn 504d01f8000000110000 into
pending list<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - Purged state
information from entry
uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
up to CSN 504d42c5000000040000<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName:
found DB object 1bcf2e0 for database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName:
found DB object 1bcf2e0 for database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin - ruv_update_ruv:
successfully committed csn
504d01f8000000110000<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz"
(vuwunicoipam002:389): State:
stop_fatal_error -> stop_fatal_error<br>
[17/Sep/2012:13:31:48 +1200]
NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz"
(vuwunicoipam003:389): State:
stop_fatal_error -> stop_fatal_error<br>
=========<br>
</div>
</div>
</blockquote>
<br>
Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the
windows sync agreement?<br>
<br>
<blockquote type="cite">
<div style="direction: ltr; font-family:
Tahoma; color: rgb(0, 0, 0); font-size:
10pt;">
<div><br>
<br>
<br>
<div style="font-family: Tahoma;
font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New Roman;
color: rgb(0, 0, 0); font-size: 16px;">
<hr tabindex="-1">
<div id="divRpF386226" style="direction:
ltr;"><font color="#000000"
face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Wednesday, 19 September
2012 12:32 a.m.<br>
<b>To:</b> Steven Jones<br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users]
winsync agreement wipes IPA users<br>
</font><br>
</div>
<div>On 09/17/2012 07:10 PM, Steven
Jones wrote:
<blockquote type="cite">
<div style="direction: ltr;
font-family: Tahoma; color: rgb(0,
0, 0); font-size: 10pt;"> Hi,<br>
<br>
I understand that I'll lose users
that are cn=Staff_Admins,dc=etc<br>
<br>
So the Q is why I am losing users
in the --win-subtree
cn=VUW_Staff,dc= etc <br>
</div>
</blockquote>
<br>
<br>
<br>
<blockquote type="cite">
<div style="direction: ltr;
font-family: Tahoma; color: rgb(0,
0, 0); font-size: 10pt;"> <br>
This I don't understand....<br>
<br>
I have the -v already, any way to
make it very verbose?<br>
</div>
</blockquote>
<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://port389.org/wiki/FAQ#Troubleshooting"
target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
Use the replication log level 8192<br>
I'd like to see the directory server
errors log
/var/log/dirsrv/slapd-DOMAIN/errors
when winsync deletes entries under the
--win-subtree cn=VUW_Staff,dc= etc <br>
<br>
<blockquote type="cite">
<div style="direction: ltr;
font-family: Tahoma; color: rgb(0,
0, 0); font-size: 10pt;">
<div><br>
<div style="font-family: Tahoma;
font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist -
Linux RHCE</p>
<p>Victoria University,
Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New
Roman; color: rgb(0, 0, 0);
font-size: 16px;">
<hr tabindex="-1">
<div id="divRpF72378"
style="direction: ltr;"><font
color="#000000"
face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, 18
September 2012 12:47 p.m.<br>
<b>To:</b> Steven Jones<br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com" target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re:
[Freeipa-users] winsync
agreement wipes IPA users<br>
</font><br>
</div>
<div>On 09/17/2012 06:17 PM,
Steven Jones wrote:
<blockquote type="cite">
<div style="direction: ltr;
font-family: Tahoma;
color: rgb(0, 0, 0);
font-size: 10pt;"> Hi,<br>
<br>
The first time I missed the
--win-subtree settings so
I wiped the admins in the
IPA admin group and users
as they were not in
cn=users as per the bug.
The second time as far as
I can tell I specified the
correct cn via win-subtree
flag but I still appear to
have lost the users in
IPA.....now I expected to
lose the admins but the
loss of users as well
confounds me.<br>
<br>
<div>I did an ldapsearch as
per checking and it
seems to be saying the
right folder/ou/cn but
IPA is empty.<br>
<br>
Hence I was wondering if
there was a log
recording what the
update was doing so I
could try and figure out
the mistake. I've tried
grepping, can't find any
indication.<br>
<br>
I will re-try with -v,
verbose.<br>
</div>
</div>
</blockquote>
<br>
It is not clear from the
manuals, but no matter what
--win-subtree you specify,
winsync will search AD
starting from the dc=domain
suffix. So, for example, if
you have<br>
cn=mystaff,cn=staff,dc=example,dc=com<br>
and you specify<br>
--win-subtree
"cn=mystaff,cn=staff,dc=example,dc=com"<br>
winsync will still search
starting from
dc=example,dc=com and will hit
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://fedorahosted.org/389/ticket/355" target="_blank">
ticket/355</a> if there are
any users outside of
cn=mystaff,cn=staff,dc=example,dc=com
that have the same username as
a user in IPA.<br>
<br>
<blockquote type="cite">
<div style="direction: ltr;
font-family: Tahoma;
color: rgb(0, 0, 0);
font-size: 10pt;">
<div><br>
<div style="font-family:
Tahoma; font-size:
13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical
Specialist - Linux
RHCE</p>
<p>Victoria
University,
Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family:
Times New Roman; color:
rgb(0, 0, 0); font-size:
16px;">
<hr tabindex="-1">
<div id="divRpF82792"
style="direction:
ltr;"><font
color="#000000"
face="Tahoma"
size="2"><b>From:</b>
Rich Megginson [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b>
Tuesday, 18
September 2012 11:37
a.m.<br>
<b>To:</b> Steven
Jones<br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re:
[Freeipa-users]
winsync agreement
wipes IPA users<br>
</font><br>
</div>
<div>On 09/17/2012 04:17
PM, Steven Jones
wrote:
<blockquote
type="cite">
<div
style="direction:
ltr; font-family:
Tahoma; color:
rgb(0, 0, 0);
font-size: 10pt;">
Hi,<br>
<br>
I just tried to do
a winsync
agreement with
specifying the AD
point as
cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz
as my users are
not in the users
folder but the
VUW_Staff folder
(at the same
level) and it
wiped all IPA
users that are
also in AD. </div>
</blockquote>
<br>
Yes, this is what
happens with <a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://fedorahosted.org/389/ticket/355"
target="_blank">
https://fedorahosted.org/389/ticket/355</a><br>
#355 winsync
should not delete
entry that appears to
be out of scope<br>
<br>
<blockquote
type="cite">
<div
style="direction:
ltr; font-family:
Tahoma; color:
rgb(0, 0, 0);
font-size: 10pt;">
While doing the
actual update does
this get verbosely
logged anywhere as
opposed to "update
in progress"
dumped to the
screen? Something
went badly wrong,
I just don't know
what.<br>
</div>
</blockquote>
<br>
You are seeing
something different
than #355?<br>
<br>
<blockquote
type="cite">
<div
style="direction:
ltr; font-family:
Tahoma; color:
rgb(0, 0, 0);
font-size: 10pt;">
<div><br>
:/<br>
<br>
<div
style="font-family:
Tahoma;
font-size:
13px;">
<p>regards</p>
<p>Steven
Jones</p>
<p>Technical
Specialist -
Linux RHCE</p>
<p>Victoria
University,
Wellington, NZ</p>
<p>0064 4 463
6272</p>
</div>
</div>
<br>
</div>
<br>
<fieldset
class="mimeAttachmentHeader"
target="_blank"></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
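<br>
A pre-sync check for the behaviour Rich describes in the quoted thread above (winsync searching AD from the dc= suffix whatever --win-subtree says, and ticket #355 affecting same-named users outside the subtree), as an added example that is not part of the thread or of the FreeIPA/389 code. It also lists the in-scope disabled accounts and sub-OU entries that Steven's two suggestions are about. The sample entries, IPA uid set, subtree value and function names are constructed or hypothetical; it assumes AD usernames are taken from sAMAccountName and that "disabled" means the ACCOUNTDISABLE bit (0x2) of userAccountControl.<br>

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled AD account

# Constructed sample: (DN, sAMAccountName, userAccountControl) per AD user,
# as gathered with ldapsearch from the dc= suffix. Not data from the thread.
AD_ENTRIES = [
    ("CN=Alice Smith,OU=VUW_Staff,DC=example,DC=com", "asmith", 512),
    ("CN=Bob Old,OU=Leavers,OU=VUW_Staff,DC=example,DC=com", "bold", 514),
    ("CN=Carol Admin,CN=Users,DC=example,DC=com", "cadmin", 512),
    ("CN=Template,OU=VUW_Staff,DC=example,DC=com", "tmpl", 514),
    ("CN=Dave,OU=Other,DC=example,DC=com", "dave", 512),
]
IPA_UIDS = {"asmith", "cadmin", "jonesst1"}      # constructed IPA usernames
WIN_SUBTREE = "OU=VUW_Staff,DC=example,DC=com"   # hypothetical --win-subtree

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc or ch == "\\":
            cur += ch
            esc = not esc and ch == "\\"
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    return [r.strip().lower() for r in rdns]

def in_subtree(dn, base, one_level=False):
    """True if dn lies below base; one_level restricts to direct children."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) == len(b) or d[-len(b):] != b:
        return False
    return len(d) == len(b) + 1 if one_level else True

def preflight(entries, ipa_uids, win_subtree):
    """Classify AD users before a winsync agreement is created."""
    ipa = {u.lower() for u in ipa_uids}
    report = {"collide_out_of_scope": [], "disabled_in_scope": [],
              "nested_in_scope": []}
    for dn, sam, uac in entries:
        if not in_subtree(dn, win_subtree):
            # Same username as an IPA user but outside the subtree: the
            # ticket #355 case, where the IPA entry is at risk of deletion.
            if sam.lower() in ipa:
                report["collide_out_of_scope"].append(sam)
            continue
        if uac & ACCOUNTDISABLE:
            report["disabled_in_scope"].append(sam)   # would be synced anyway
        if not in_subtree(dn, win_subtree, one_level=True):
            report["nested_in_scope"].append(sam)     # lives in a sub-OU
    return report

if __name__ == "__main__":
    for kind, names in preflight(AD_ENTRIES, IPA_UIDS, WIN_SUBTREE).items():
        print(kind, names)
```

An empty collide_out_of_scope list is the condition to look for before creating the agreement; the other two lists size the cleanup Steven describes.<br>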
</body>
</html>