[Freeipa-users] winsync agreement wipes IPA users
Dmitri Pal
dpal at redhat.com
Thu Sep 20 20:56:12 UTC 2012
On 09/20/2012 04:54 PM, Dmitri Pal wrote:
> On 09/20/2012 04:43 PM, Steven Jones wrote:
>> Some comments on the win sync agreement syntax.
>>
>> Hi,
>>
>> I'd like that command ipa-replica-manage connect "improved" if possible,
>>
>> 1) A flag on --win-subtree not to include sub-directories under the
>> specified OU= as I think it is why Ive picked up lots of disabled
>> users and templates. Also the capability to specify more than one OU
>> as I at least have 2 OU= with users in (maybe it can do that I just
>> dont see it)
>>
>> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled
>> such that any disabled users in AD are not transferred, I just
>> transferred 7 years of ex-users and 200+ templates I would rather not
>> have....now I think I have a huge cleanup task. Not just exclude,
>> say location, so if I only want to sync users in one city (say)
>> --include-only="LDAP Location'=Wellington
>>
>> Not sure if these are hugely useful but they would have helped me.
>
> Thank you for the feedback.
> Would you mind filing BZs or trac tickets?
NM. Rich bit me.
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ------------------------------------------------------------------------
>> *From:* freeipa-users-bounces at redhat.com
>> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones
>> [Steven.Jones at vuw.ac.nz]
>> *Sent:* Thursday, 20 September 2012 2:48 p.m.
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> it isnt,
>>
>> Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly
>> working except Im also getting some "rubbish" so its looking like the
>> import script/query to AD isnt right.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ------------------------------------------------------------------------
>> *From:* freeipa-users-bounces at redhat.com
>> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones
>> [Steven.Jones at vuw.ac.nz]
>> *Sent:* Thursday, 20 September 2012 12:15 p.m.
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> Hi,
>>
>> I have -win-subtree cn= etc I take it that cn= is fine and that ou=
>> and cn= are the same thing?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Thursday, 20 September 2012 11:03 a.m.
>> *To:* Steven Jones
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> On 09/19/2012 04:55 PM, Steven Jones wrote:
>>> Hi,
>>>
>>>
>>> Sample of errors log,
>>>
>>> =========
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>>> database
>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>>> database
>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
>>> successfully committed csn 504d01f7000000110000
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>>> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389):
>>> State: stop_fatal_error -> stop_fatal_error
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>>> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389):
>>> State: stop_fatal_error -> stop_fatal_error
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>>> ruv_add_csn_inprogress: successfully inserted csn
>>> 504d01f8000000110000 into pending list
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state
>>> information from entry
>>> uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to
>>> CSN 504d42c5000000040000
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>>> database
>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>>> database
>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
>>> successfully committed csn 504d01f8000000110000
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>>> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389):
>>> State: stop_fatal_error -> stop_fatal_error
>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>>> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389):
>>> State: stop_fatal_error -> stop_fatal_error
>>> =========
>>
>> Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?
>>
>>>
>>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Wednesday, 19 September 2012 12:32 a.m.
>>> *To:* Steven Jones
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> On 09/17/2012 07:10 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>>>>
>>>> So the Q is why I am losing users in the --win-subtree
>>>> cn=VUW_Staff,dc= etc
>>>
>>>
>>>
>>>>
>>>> This I dont understand....
>>>>
>>>> I have the -v already, anyway to make it very verbose?
>>>
>>> http://port389.org/wiki/FAQ#Troubleshooting
>>> Use the replication log level 8192
>>> I'd like to see the directory server errors log
>>> /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries
>>> under the --win-subtree cn=VUW_Staff,dc= etc
>>>
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
>>>> *To:* Steven Jones
>>>> *Cc:* freeipa-users at redhat.com
>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>
>>>> On 09/17/2012 06:17 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> The first time missed the --win-subtree settings so I wiped the
>>>>> admins in the IPA admin group and users as they were not in
>>>>> cn=users as per the bug. The second time as far as I can tell I
>>>>> specified the correct cn via win-subtree flag but I still appear
>>>>> to have lost the users in IPA.....now I expected to lose the
>>>>> admins but the loss of users as well confounds me.
>>>>>
>>>>> I did a ldapsearch as per checking and its seems to be saying the
>>>>> right folder/ou/cn but IPA is empty.
>>>>>
>>>>> Hence I was wondering if there was a log recording what the update
>>>>> was doing so I could try and figure out the mistake. Ive tried
>>>>> greping cant find any indication.
>>>>>
>>>>> I will re-try with -v, verbose.
>>>>
>>>> It is not clear from the manuals, but no matter what -win-subtree
>>>> you specify, winsync will search AD starting from the dc=domain
>>>> suffix. So, for example, if you have
>>>> cn=mystaff,cn=staff,dc=example,dc=com
>>>> and you specify
>>>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
>>>> winsync will still search starting from dc=example,dc=com and will
>>>> hit ticket/355 if there are any users outside of
>>>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username
>>>> as a user in IPA.
>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
>>>>> *To:* Steven Jones
>>>>> *Cc:* freeipa-users at redhat.com
>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>
>>>>> On 09/17/2012 04:17 PM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I just tried to do a winsync agreement with specifying the AD
>>>>>> point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my
>>>>>> users are not in the users folder but the VUW_Staff folder (at
>>>>>> the same level) and it wiped all IPA users that are also in AD.
>>>>>
>>>>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355
>>>>> #355 winsync should not delete entry that appears to be out of
>>>>> scope
>>>>>
>>>>>> While doing the actual update does this get verbosly logged
>>>>>> anywhere as opposed to "update in progress" dumped to the
>>>>>> screen? Something went badly wrong, I just dont know what.
>>>>>
>>>>> You are seeing something different than #355?
>>>>>
>>>>>>
>>>>>> :/
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120920/6bc4d364/attachment.htm>
More information about the Freeipa-users
mailing list