[Freeipa-users] winsync agreement wipes IPA users

Steven Jones Steven.Jones at vuw.ac.nz
Fri Sep 28 03:56:02 UTC 2012


Hi,

Once we get bug #533 fixed then I'll know if it will bring all users; it isn't at present, but I don't know if it's bug #533 or AD still.

Our AD specialist is not very bothered about it and has advised our management that he thinks it's no biggie... however other organisations might not be so happy.

Part of the problem is finding what value to set but we have the ldapsearch xxxxxxxxxx | wc -l 

to give us an idea...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 28 September 2012 8:41 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/27/2012 02:38 PM, Steven Jones wrote:
> It's also a forest wide setting....

Just to confirm - setting MaxPageSize higher allows winsync to pull
every user, but this is an unacceptable solution because it applies to
the entire tree rather than a subset and/or a particular user?

>
> :/
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 27 September 2012 3:57 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> Unable to get this to work on win2k3r2 even with enterprise admin permissions.
>
> What I have found is this, which I'm about to try:
>
> 1. Use adsiedit.msc to bind to any domain controller.
> 2. Navigate through
> Configuration
> CN=Configuration,DC=<DomainName>,DC=COM
> CN=Services
> CN=Windows NT
> CN=Directory Services
> CN=Query-Policies
> 3. Double-click CN=Default Query Policy in the right-hand pane.
> 4. Double-click LdapAdminLimits.
> 5. Select MaxPageSize and press Remove.
> 6. Modify the limit of MaxPageSize and press Add.
> 7. Press OK, Apply, and OK.
> 8. Close ADSI Edit.
> 9. After replication, the new limit should be available.
>
> adsiedit is part of the ms support tools here,
>
> http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Natxo Asenjo [natxo.asenjo at gmail.com]
> Sent: Thursday, 27 September 2012 2:04 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Steven Jones wrote:
>>> Hi,
>>>
>>> I don't have a ldapmodify command for changing something in AD.
>>>
>>> I have increased the only scope I/we know about, which is the return of objects from a search inside the AD GUI, but that might be specific to that view tool.  That is 2000 by default; I've set 40000 and am testing it now. If that doesn't work....
>>>
>>> Our best AD person is currently researching to see if it's even possible to alter that hard code in AD.  The only way he can see is using a Windows/AD specific command line command to modify the internals of AD, but he's never seen or read about doing it for this attribute.
>>
> Sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits
> attribute of the Default Query Policy object in the Query-Policies
> container. We needed to do this to be able to get more than 1000
> objects from AD a long time ago.
>
> The details I used back then were here:
>
> http://technet.microsoft.com/en-us/library/aa998536.aspx
>
>
> cmd.exe ->  ntdsutil.exe (on a domain controller)
>
> At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
>
> show values [enter]
> ldap policy: show values
>
> Policy  Current(New)
> MaxPoolThreads  4
> MaxDatagramRecv         4096
> MaxReceiveBuffer        10485760
> InitRecvTimeout         120
> MaxConnections  5000
> MaxConnIdleTime         900
> MaxPageSize     1000
> MaxQueryDuration        120
> MaxTempTableSize        10000
> MaxResultSetSize        262144
> MaxNotificationPerConn  5
> MaxValRange     1500
>
> We want to change MaxPageSize.
>
> First we need to authenticate:
> connections [enter]
> set creds domain user pwd
> connect to domain your.domain
> q
>
> then we go to ldap policy
>
> set MaxPageSize to 2000
> Commit Changes
> quit
> quit
>
> --
> natxo
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
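An added check, not part of the thread: the "ldapsearch ... | wc -l" estimate discussed above silently undercounts when AD stops at MaxPageSize (default 1000) and returns result code 4 (sizeLimitExceeded). The parser below reads ldapsearch LDIF output (a constructed sample, not a real directory), counts entries and flags a truncated result so the number is treated as a lower bound rather than the true object count.

```python
"""Count entries in ldapsearch LDIF output and detect MaxPageSize truncation."""
import re

AD_DEFAULT_MAX_PAGE_SIZE = 1000  # ntdsutil "ldap policy" default shown in the thread

# LDAP result codes that mean the server stopped before returning everything.
SIZE_LIMIT_EXCEEDED = 4     # hit MaxPageSize without paged-results control
ADMIN_LIMIT_EXCEEDED = 11   # hit an administrative limit such as MaxResultSetSize

# Constructed sample of `ldapsearch -x -H ldap://dc -b DC=example,DC=com '(objectClass=user)' dn`
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=com> with scope subtree
# filter: (objectClass=user)
# requesting: dn

# alice, Users, example.com
dn: CN=alice,CN=Users,DC=example,DC=com

# bob, Users, example.com
dn: CN=bob,CN=Users,DC=example,DC=com

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 3
# numEntries: 2
"""


def parse_ldapsearch(ldif: str) -> dict:
    """Return entry count, LDAP result code and a truncation flag for ldapsearch output."""
    # Every entry starts with a 'dn:' line ('dn::' for base64-encoded DNs is covered too).
    entries = sum(1 for line in ldif.splitlines() if line.startswith("dn:"))
    match = re.search(r"^result: (\d+)", ldif, re.MULTILINE)
    code = int(match.group(1)) if match else None
    truncated = code in (SIZE_LIMIT_EXCEEDED, ADMIN_LIMIT_EXCEEDED)
    return {"entries": entries, "result_code": code, "truncated": truncated}


def count_is_lower_bound(result: dict, max_page_size: int = AD_DEFAULT_MAX_PAGE_SIZE) -> bool:
    """True when the server cut the result, so 'entries' is not the real object count."""
    return result["truncated"] or result["entries"] >= max_page_size


if __name__ == "__main__":
    summary = parse_ldapsearch(SAMPLE_LDIF)
    print(summary, "lower bound:", count_is_lower_bound(summary, max_page_size=2))
```

If the flag is set, the sync client must use the paged results control (or the server-side MaxPageSize must exceed the object count) before any count derived from this output can be trusted.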



