[Freeipa-users] winsync agreement wipes IPA users

Rich Megginson rmeggins at redhat.com
Tue Sep 25 22:00:47 UTC 2012


On 09/25/2012 03:34 PM, Steven Jones wrote:
> Hi,
>
> I have set the filter size as 20000 for the user and it makes no difference.
Where did you set this?  In IPA?  In AD?  If so, where? How?
What does "filter size" mean?  To me, it means "the size of an LDAP 
search filter in an LDAP search request" not "the maximum number of 
entries returned by a search".
>
> So unless it's somewhere else configurable it can't be easily done.
>
> via adsi edit? and if so what is the value called?
I would like to know the answers to these questions, but I do not.
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Wednesday, 26 September 2012 7:39 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/24/2012 11:49 PM, Steven Jones wrote:
>> Hi,
>>
>> I'm confused here, has no one tried to winsync 2000+ users before?
>>
>> Are there any docs on working around this limit?
>>
>> I've upped the user to 20000 but that seems to have had no effect....my AD ppl don't know of any other way to increase that at present.
> According to our gurus:
>
> The limit is in AD, which has a sizelimit of 2000 by default.  There are
> two ways around this:
> 1) Go into AD and set the sizelimit for the sync user to be greater than
> the number of entries.
> 2) Have DS winsync use simple paged results - this is a code change on
> our side and we are tracking it for one of the upcoming releases
> https://fedorahosted.org/389/ticket/472
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 25 September 2012 3:17 p.m.
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> Hi,
>>
>> I am trying to run this and getting search exceeded.
>>
>> ldapsearch -xLLL -D <winsync_binddn> -w <passwd> -h <AD_host> -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>>
>> Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer.
>>
>> :(
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rich Megginson [rmeggins at redhat.com]
>> Sent: Saturday, 22 September 2012 3:46 a.m.
>> To: dpal at redhat.com
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> On 09/21/2012 09:18 AM, Dmitri Pal wrote:
>>> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>>>>>>> case
>>>>>>> nsslapd-sizelimit. This can be increased either globally or (this
>>>>>>> seems like a
>>>>>>> more secure solution) for the user you bind as:
>>>>>>>
>>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>>>
>>>>>>>
>>>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>>>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>>>>> that must be increased in AD.
>>>>>>
>>>>> Rich, it seems that it might make sense to file an RFE for the winsync
>>>>> to support paging control.
>>>> AD supports the paging control?  And this allows you to get around the
>>>> search limit?
>>>>
>>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
>>> The default is usually 2K BTW.
>> https://fedorahosted.org/389/ticket/472
>>>>>>> Martin
>>>>>>>
>>>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> It seems IPA has some sort of limit of searching it will only show
>>>>>>>> the first 2k
>>>>>>>> of user entries?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones
>>>>>>>>
>>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>>
>>>>>>>> Victoria University, Wellington, NZ
>>>>>>>>
>>>>>>>> 0064 4 463 6272
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>>>> *To:* Steven Jones
>>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>>
>>>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have imported users, but there are 5700 of them but I only have
>>>>>>>>> 2000 which
>>>>>>>>> corresponds to the view that AD gives you by default.  This makes
>>>>>>>>> me think
>>>>>>>>> that that limit is all the AD is allowing the query to see?
>>>>>>>> You can use
>>>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>>>>> what winsync sees when it searches.
>>>>>>>>> Is there a way to expand it?
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> Steven Jones
>>>>>>>>>
>>>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>>>
>>>>>>>>> Victoria University, Wellington, NZ
>>>>>>>>>
>>>>>>>>> 0064 4 463 6272
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *From:* freeipa-users-bounces at redhat.com
>>>>>>>>> [freeipa-users-bounces at redhat.com]
>>>>>>>>> on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>>>
>>>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is
>>>>>>>>> there a
>>>>>>>>> quick/clean way to purge them from IPA?
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> Steven Jones
>>>>>>>>>
>>>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>>>
>>>>>>>>> Victoria University, Wellington, NZ
>>>>>>>>>
>>>>>>>>> 0064 4 463 6272
>>>>>>>>>
>>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>




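A way to check what the thread describes, the server-side size limit cutting off the sync user's search versus a search that uses the simple paged results control. This is an added example, not part of the original messages and not the dirsyncctrl.py script linked above; it assumes OpenLDAP's ldapsearch, a page size of 500, and the hypothetical variables AD_HOST, BIND_DN, PW_FILE and BASE_DN.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes OpenLDAP ldapsearch; AD_HOST,
# BIND_DN, PW_FILE and BASE_DN are hypothetical variables set by the caller.

# Subtree search for DNs only ("1.1" = no attributes). Extra arguments are
# passed through, so "-E pr=500/noprompt" turns on simple paged results.
ad_dns() {
    ldapsearch -x -LLL "$@" -H "ldap://$AD_HOST" -D "$BIND_DN" -y "$PW_FILE" \
        -s sub -b "$BASE_DN" '(cn=*)' 1.1
}

# Print one unfolded "dn:" / "dn::" line per entry from LDIF on stdin.
ldif_dns() {
    awk '/^ /      { if (indn) cur = cur substr($0, 2); next }
                   { if (indn) print cur; indn = 0 }
         /^dn::? / { cur = $0; indn = 1 }
         END       { if (indn) print cur }'
}

# Args: unpaged exit code, unpaged DN file, paged DN file.
# Exit code 4 is LDAP sizeLimitExceeded: the server cut the result short.
truncation_report() {
    seen=$(awk 'END { print NR }' "$2")
    total=$(awk 'END { print NR }' "$3")
    if [ "$1" -eq 4 ] || [ "$seen" -lt "$total" ]; then
        echo "TRUNCATED: $seen of $total entries visible without paging"
        # Entries the unpaged search never saw.
        grep -vxF -f "$2" "$3" || true
    else
        echo "OK: all $total entries visible without paging"
    fi
}

# Live run against AD, only when called as: script.sh run
if [ "${1:-}" = "run" ]; then
    ad_dns > unpaged.ldif; rc=$?
    ad_dns -E pr=500/noprompt > paged.ldif
    ldif_dns < unpaged.ldif > unpaged.dns
    ldif_dns < paged.ldif > paged.dns
    truncation_report "$rc" unpaged.dns paged.dns
fi
```

Run it with the same bind DN the winsync agreement uses, since the limit applies to that account.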