[Freeipa-users] winsync agreement wipes IPA users

Steven Jones Steven.Jones at vuw.ac.nz
Tue Sep 25 03:17:43 UTC 2012


Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D <winsync_binddn> -w <passwd> -h <AD_host> -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt

Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer.

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com]
Sent: Saturday, 22 September 2012 3:46 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/21/2012 09:18 AM, Dmitri Pal wrote:
> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>>>>> case
>>>>> nsslapd-sizelimit. This can be increased either globally or (this
>>>>> seems like a
>>>>> more secure solution) for a user you bind as:
>>>>>
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>
>>>>>
>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>>> that must be increased in AD.
>>>>
>>> Rich, it seems that it might make sense to file an RFE for the winsync
>>> to support paging control.
>> AD supports the paging control?  And this allows you to get around the
>> search limit?
>>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
> The default is usually 2K BTW.
https://fedorahosted.org/389/ticket/472
>
>>>>> Martin
>>>>>
>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems IPA has some sort of limit of searching it will only show
>>>>>> the first 2k
>>>>>> of user entries?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -------------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>> *To:* Steven Jones
>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have imported users, but there are 5700 of them but I only have
>>>>>>> 2000 which
>>>>>>> corresponds to the view that AD gives you by default.  This makes
>>>>>>> me think
>>>>>>> that that limit is all the AD is allowing the query to see?
>>>>>> You can use
>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>>> what winsync sees when it searches.
>>>>>>> Is there a way to expand it?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> *From:* freeipa-users-bounces at redhat.com
>>>>>>> [freeipa-users-bounces at redhat.com]
>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is
>>>>>>> there a
>>>>>>> quick/clean way to purge them from IPA?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
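
The paged search discussed in this thread, as an added example that is not part of any poster's message: it requests the paged results control so the DN listing is not truncated at the server's search limit, then counts the DNs in the LDIF output. The function names, the page size of 500, the use of ldaps:// and the sample LDIF are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Host, bind DN and base DN are placeholders.

# Paged subtree search: -E pr=500/noprompt requests the Simple Paged Results
# control (RFC 2696) and walks every page, so the DN list is not cut off at the
# server's per-search size limit. 500 is an arbitrary page size. -W prompts for
# the password; ldaps:// assumes the AD host offers LDAP over TLS.
ad_paged_dns() {   # usage: ad_paged_dns <bind_dn> <ad_host> <base_dn>
    ldapsearch -xLLL -o ldif-wrap=no -E pr=500/noprompt \
        -D "$1" -W -H "ldaps://$2" -s sub -b "$3" "(cn=*)" dn
}

# LDIF on stdin -> one DN per line. Joins folded continuation lines (leading
# space) and decodes base64 "dn::" values, which ldapsearch emits for DNs
# containing non-ASCII characters.
ldif_dns() {
    awk '
        function flush() { if (cur != "") print cur; cur = "" }
        /^ /      { if (cur != "") cur = cur substr($0, 2); next }
                  { flush() }
        /^dn::? / { cur = $0 }
        END       { flush() }
    ' | while IFS= read -r line; do
        case $line in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

count_dns() { ldif_dns | wc -l | tr -d ' '; }

# Constructed sample LDIF: a plain DN, a folded DN, and a base64 DN.
sample_ldif() {
    cat <<'EOF'
dn: CN=Alice Example,OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz

dn: CN=Bob Example,OU=VUW_Staff,DC=staff,DC=v
 uw,DC=ac,DC=nz
cn: Bob Example

dn:: Q049Sm9zw6ksT1U9U3RhZmY=
EOF
}

echo "sample DN count: $(sample_ldif | count_dns)"
# Against a real directory: ad_paged_dns "$BINDDN" "$AD_HOST" "$BASE" | count_dns
```

Running the same count against the AD subtree and against the synced IPA users shows how many accounts the sync agreement did not carry over.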
