[Freeipa-users] winsync agreement wipes IPA users

Steven Jones Steven.Jones at vuw.ac.nz
Sun Sep 23 19:35:19 UTC 2012


Hi,

Actually I am unable to see more than 2000 users in IPA, it seems to be a limit in IPA which coincides with AD's display limit... hence I was confused.

So it just happens that there is a default Windows limit of 2000 users to display when you search. I am however fairly sure it stopped the complete sync, I need to double check, but I'm pretty sure as I think I did searches in IPA and some users were not there initially (I then set the user's search to 20000 and it seemed to have all users there). However while wondering what was wrong I realised that I should be able to see 2028 in IPA (28 non-AD users), I couldn't, I still can't, I can only see 2000.

I found a setting saying 100 "somethings" pages? (sorry I forget and I'm at home with no VPN right now) in IPA but when I try to increase it a SELinux problem / config stops me, happens at the command line as well. So I have a case with RH support to fix that....

NB Once it's fixed I will re-set the AD user to 2000 and back out the snapshot on the IPA master and re-test to make sure what I have said above is correct.

In which case, yes you need to mention it in the docs, though maybe it's only a win2k3r2 issue. It's not a biggie as you can set the user to show 20,000, at the very least that will work.

I will re-test / double check all this before you commit time pls.

The other thing is when users come across they seem to have lost their IPA user group settings? Again I need to check this as I was asked to urgently set up an rsync so left it before I'd looked in detail at that.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com]
Sent: Saturday, 22 September 2012 3:46 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/21/2012 09:18 AM, Dmitri Pal wrote:
> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>>>>> case
>>>>> nsslapd-sizelimit. This can be increased either globally or (this
>>>>> seems as a
>>>>> more secure solution) for a user you bind as:
>>>>>
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>
>>>>>
>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>>> that must be increased in AD.
>>>>
>>> Rich, it seems that it might make sense to file an RFE for the winsync
>>> to support paging control.
>> AD supports the paging control?  And this allows you to get around the
>> search limit?
>>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
> The default is usually 2K BTW.
https://fedorahosted.org/389/ticket/472
>
>>>>> Martin
>>>>>
>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems IPA has some sort of limit of searching it will only show
>>>>>> the first 2k
>>>>>> of user entries?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -------------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>> *To:* Steven Jones
>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have imported users, but there are 5700 of them but I only have
>>>>>>> 2000 which
>>>>>>> corresponds to the view that AD gives you by default.  This makes
>>>>>>> me think
>>>>>>> that that limit is all the AD is allowing the query to see?
>>>>>> You can use
>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>>> what winsync sees when it searches.
>>>>>>> Is there a way to expand it?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> *From:* freeipa-users-bounces at redhat.com
>>>>>>> [freeipa-users-bounces at redhat.com]
>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is
>>>>>>> there a
>>>>>>> quick/clean way to purge them from IPA?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
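
The per-bind-DN limit suggested in the quoted reply about `nsslapd-sizelimit`, as an added example that is not part of the original thread: an LDIF for `ldapmodify` (run as Directory Manager) that raises the 389-ds size limit for one account only. The account DN, the suffix `dc=example,dc=com` and the value 10000 are assumptions for illustration. This affects searches against the IPA directory, not the limit AD applies to the winsync user.

```ldif
# Added example. DN, suffix and limit value are assumed, not from the thread.

# Scoped change: only this bind DN may receive up to 10000 entries per search.
# nsSizeLimit is the operational attribute 389-ds reads from the bound
# user's own entry; it overrides the global default for that user only.
dn: uid=report-reader,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
replace: nsSizeLimit
nsSizeLimit: 10000

# Global alternative, shown commented out for comparison. It raises the
# limit for every client of the server, including anonymous binds, so any
# client can pull larger result sets in a single search.
#
# dn: cn=config
# changetype: modify
# replace: nsslapd-sizelimit
# nsslapd-sizelimit: 10000
```

A search bound as that account that still stops at the old count and ends with `result: 4 Size limit exceeded` means the limit being hit is a different one.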
