[Freeipa-users] winsync agreement wipes IPA users

Rich Megginson rmeggins at redhat.com
Thu Sep 27 20:41:22 UTC 2012


On 09/27/2012 02:38 PM, Steven Jones wrote:
> It's also a forest-wide setting....

Just to confirm - setting MaxPageSize higher allows winsync to pull 
every user, but this is an unacceptable solution because it applies to 
the entire tree rather than a subset and/or a particular user?

>
> :/
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 27 September 2012 3:57 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> Unable to get this to work on win2k3r2 even with enterprise admin permissions.
>
> What I have found is this, which I'm about to try,
>
> 1. Use adsiedit.msc to bind to any domain controller.
> 2. Navigate through
> Configuration
> CN=Configuration,DC=<DomainName>,DC=COM
> CN=Services
> CN=Windows NT
> CN=Directory Services
> CN=Query-Policies
> 3. Double-click CN=Default Query Policy in the right-hand pane.
> 4. Double-click LdapAdminLimits.
> 5. Select MaxPageSize and press Remove.
> 6. Modify the limit of MaxPageSize and press Add.
> 7. Press OK, Apply, and OK.
> 8. Close ADSI Edit.
> 9. After replication, the new limit should be available.
>
> adsiedit is part of the ms support tools here,
>
> http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Natxo Asenjo [natxo.asenjo at gmail.com]
> Sent: Thursday, 27 September 2012 2:04 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Steven Jones wrote:
>>> Hi,
>>>
>>> I don't have a ldapmodify command for changing something in AD.
>>>
>>> I have increased the only scope I/we know about which is the return of objects from a search inside the AD gui but that might be specific to that view tool.  That is 2000 by default, I've set 40000, I am testing it now, if that doesn't work....
>>>
>>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD.  The only way he can see is using a windows/ad specific command line command to modify the internals of AD but he's never seen or read about doing it for this attribute.
>>
> sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits
> attribute of the Default Query Policy object in the Query-Policies
> container. We needed to do this to be able to get more than 1000
> objects from AD a long time ago.
>
> The details I used back then were here:
>
> http://technet.microsoft.com/en-us/library/aa998536.aspx
>
>
> cmd.exe ->  ntdsutil.exe (on a domain controller)
>
> At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
>
> show values [enter]
> ldap policy: show values
>
> Policy  Current(New)
> MaxPoolThreads  4
> MaxDatagramRecv         4096
> MaxReceiveBuffer        10485760
> InitRecvTimeout         120
> MaxConnections  5000
> MaxConnIdleTime         900
> MaxPageSize     1000
> MaxQueryDuration        120
> MaxTempTableSize        10000
> MaxResultSetSize        262144
> MaxNotificationPerConn  5
> MaxValRange     1500
>
> We want to change MaxPageSize.
>
> First we need to authenticate:
> connections [enter]
> set creds domain user pwd
> connect to domain your.domain
> q
>
> then we got to ldap policy
>
> set MaxPageSize to 2000
> Commit Changes
> quit
> quit
>
> --
> natxo
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
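An added example (not part of the original messages, and not FreeIPA or Microsoft code): a Python check that parses saved `ntdsutil` `show values` output, such as the listing quoted above, and reports policies that differ from the values quoted in the thread or that carry an uncommitted change. It assumes a pending value is printed in parentheses after the current one, as the `Current(New)` header suggests; the function names and the sample input are constructed for illustration.

```python
import re

# Baseline: the values shown in the "show values" listing quoted in the thread.
BASELINE = {
    "MaxPoolThreads": 4, "MaxDatagramRecv": 4096, "MaxReceiveBuffer": 10485760,
    "InitRecvTimeout": 120, "MaxConnections": 5000, "MaxConnIdleTime": 900,
    "MaxPageSize": 1000, "MaxQueryDuration": 120, "MaxTempTableSize": 10000,
    "MaxResultSetSize": 262144, "MaxNotificationPerConn": 5, "MaxValRange": 1500,
}

# Optional mail-quote prefix, policy name, current value, optional "(pending)".
# The "(pending)" form is an assumption based on the "Current(New)" header.
ROW = re.compile(r"^\s*(?:>\s*)*([A-Za-z]+)\s+(\d+)(?:\s*\((\d+)\))?\s*$")

def parse_show_values(text):
    """Return {policy: (current, pending_or_None)} from ntdsutil output."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, cur, new = m.groups()
            policies[name] = (int(cur), int(new) if new else None)
    return policies

def audit(policies, baseline=BASELINE):
    """Return (policy, kind, old, new) tuples for anything worth reviewing."""
    findings = []
    for name, (cur, new) in policies.items():
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "unknown-policy", None, cur))
        elif cur != expected:
            findings.append((name, "changed", expected, cur))   # committed drift
        if new is not None and new != cur:
            findings.append((name, "pending", cur, new))        # not yet committed
    return findings

# Constructed excerpt: one uncommitted change and one committed change.
SAMPLE = """\
ldap policy: show values

Policy  Current(New)
MaxPoolThreads  4
MaxPageSize     1000(2000)
MaxQueryDuration        120
MaxValRange     5000
"""

if __name__ == "__main__":
    for finding in audit(parse_show_values(SAMPLE)):
        print(finding)
```

Because the policy is forest-wide, running this against output captured from each domain controller after replication shows whether the change has arrived everywhere and whether anything other than MaxPageSize moved.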



