[Freeipa-users] winsync agreement wipes IPA users

Thu Sep 20 20:54:48 UTC 2012

On 09/20/2012 04:43 PM, Steven Jones wrote:
> Some comments on the win sync agreement syntax.
>
> Hi,
>
> I'd like that command ipa-replica-manage connect  "improved" if possible,
>
> 1) A flag on --win-subtree not to include sub-directories under the
> specified OU= as I think it is why Ive picked up lots of disabled
> users and templates. Also the capability to specify more than one OU
> as I at least have 2 OU= with users in (maybe it can do that I just
> dont see it)
>
> 2) A flag something like --exclude='LDAP criteria/attribute'=disabled
> such that any disabled users in AD are not transferred, I just
> transferred 7 years of ex-users and 200+ templates I would rather not
> have....now I think I have a huge cleanup task.  Not just exclude, say
> location, so if I only want to sync users in one city (say)
> --include-only="LDAP Location'=Wellington
>
> Not sure if these are hugely useful but they would have helped me.

Thank you for the feedback.
Would you mind filing BZs or trac tickets?

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com
> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones
> [Steven.Jones at vuw.ac.nz]
> *Sent:* Thursday, 20 September 2012 2:48 p.m.
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> it isnt,
>
> Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly working
> except Im also getting some "rubbish" so its looking like the import
> script/query to AD isnt right.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com
> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones
> [Steven.Jones at vuw.ac.nz]
> *Sent:* Thursday, 20 September 2012 12:15 p.m.
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I have -win-subtree cn= etc I take it that cn= is fine and that ou=
> and cn= are the same thing?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Thursday, 20 September 2012 11:03 a.m.
> *To:* Steven Jones
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/19/2012 04:55 PM, Steven Jones wrote:
>> Hi,
>>
>>
>> Sample of errors log,
>>
>> =========
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>> database
>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>> database
>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
>> successfully committed csn 504d01f7000000110000
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389):
>> State: stop_fatal_error -> stop_fatal_error
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389):
>> State: stop_fatal_error -> stop_fatal_error
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>> ruv_add_csn_inprogress: successfully inserted csn
>> 504d01f8000000110000 into pending list
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state
>> information from entry
>> uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN
>> 504d42c5000000040000
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>> database
>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
>> database
>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
>> successfully committed csn 504d01f8000000110000
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389):
>> State: stop_fatal_error -> stop_fatal_error
>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
>> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389):
>> State: stop_fatal_error -> stop_fatal_error
>> =========
>
> Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?
>
>>
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Wednesday, 19 September 2012 12:32 a.m.
>> *To:* Steven Jones
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> On 09/17/2012 07:10 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>>>
>>> So the Q is why I am losing users in the --win-subtree
>>> cn=VUW_Staff,dc= etc
>>
>>
>>
>>>
>>> This I dont understand....
>>>
>>> I have the -v already, anyway to make it very verbose?
>>
>> http://port389.org/wiki/FAQ#Troubleshooting
>> Use the replication log level  8192
>> I'd like to see the directory server errors log
>> /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries
>> under the --win-subtree cn=VUW_Staff,dc= etc
>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
>>> *To:* Steven Jones
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> On 09/17/2012 06:17 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> The first time missed the --win-subtree settings so I wiped the
>>>> admins in the IPA admin group and users as they were not in
>>>> cn=users as per the bug.  The second time as far as I can tell I
>>>> specified the correct cn via win-subtree flag but I still appear to
>>>> have lost the users in IPA.....now I expected to lose the admins
>>>> but the loss of users as well confounds me.
>>>>
>>>> I did a ldapsearch as per checking and its seems to be saying the
>>>> right folder/ou/cn but IPA is empty.
>>>>
>>>> Hence I was wondering if there was a log recording what the update
>>>> was doing so I could try and figure out the mistake.  Ive tried
>>>> greping cant find any indication.
>>>>
>>>> I will re-try with -v, verbose.
>>>
>>> It is not clear from the manuals, but no matter what -win-subtree
>>> you specify, winsync will search AD starting from the dc=domain
>>> suffix.  So, for example, if you have
>>> cn=mystaff,cn=staff,dc=example,dc=com
>>> and you specify
>>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
>>> winsync will still search starting from dc=example,dc=com and will
>>> hit ticket/355 if there are any users outside of
>>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username as
>>> a user in IPA.
>>>
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
>>>> *To:* Steven Jones
>>>> *Cc:* freeipa-users at redhat.com
>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>
>>>> On 09/17/2012 04:17 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> I just tried to do a winsync agreement with specifying the AD
>>>>> point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my
>>>>> users are not in the users folder but the VUW_Staff folder (at the
>>>>> same level) and it wiped all IPA users that are also in AD.
>>>>
>>>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355
>>>> #355     winsync should not delete entry that appears to be out of
>>>> scope
>>>>
>>>>> While doing the actual update does this get verbosly logged
>>>>> anywhere as opposed to "update in progress" dumped to the screen? 
>>>>> Something went badly wrong, I just dont know what.
>>>>
>>>> You are seeing something different than #355?
>>>>
>>>>>
>>>>> :/
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120920/fdc76bb6/attachment.htm>