Rob Brown wrote:
> yeah, I did find the users in AD under:
> CN=Deleted Objects,DC=foo,DC=domain,DC=com
> and, the users actually have the attribute:
> isDeleted = TRUE
> so, looks like they were actually deleted (from AD perspective).
> It seems like the delete sync is two-way (surprising, since create
> isn't), and this is probably expected, and that IPA simply exposes the
> deleted users via the GUI in "Preserved Users", whereas AD doesn't.
> Still, this kinda took me by surprise, lesson learned. Seems I can
> recover deleted accounts, but going to be a PITA.
> Looking thru the docs, I don't see any options to disable deletes. It
> would be nice to have an option similar to how ipaWinSyncAcctDisable
> works, but for deletes, so we could set it to one-way.
> I am wondering if setting the oneWaySync parameter on the
> synchronization agreement to 'fromWindows' would do the trick. Not sure
> I really want that, though, will have to think it thru.

Re-adding list...

The delete sync isn't two-way since the user wasn't deleted on the IPA
side, just moved.

The IPA team isn't devoting much, if any time, these days on winsync,
instead focusing on AD trust. Given the complexity of trying to find an
equivalent state in AD of kinda-deleted and implementing, test, etc I
doubt this is something that will be addressed.

Probably worth documenting as an undesirable side-effect though.


> On Thu, Jul 20, 2017 at 11:55 AM, Rob Crittenden <
> <>> wrote:
>     Rob Brown via FreeIPA-users wrote:
>     > Our company recently implemented freeipa to replace a cent5 kerberos
>     > infrastructure. We set it up with a Winsync agreement with an AD
>     domain,
>     > and is working pretty well.
>     > Our user disposition workflow in AD is this: user account is disabled,
>     > and moved to a "terminated users" OU in AD. The account disable
>     sync was
>     > working fine to IPA, but yesterday I decided to "clean up" the Active
>     > Users list in IPA, by deleting (with --preserve) all the disabled
>     > accounts (there were many). This looked fine from the IPA side: the
>     > accounts got moved into the Preserved users area (in the gui).
>     > However, much to my dismay I later discovered that all of the termed
>     > accounts in AD are gone. WHAT!!!???
>     > This is bad (for historical/compliance), and came as a shock to me,
>     > because the docs say: "While modifications are bi-directional (going
>     > both from Active Directory to IdM and from IdM to Active Directory),
>     > creating or adding accounts are only uni-directional, from Active
>     > Directory to Identity Management". So WHY ON EARTH would a delete be
>     > bi-directional? I'm suspecting (hoping) that the accounts weren't
>     > actually deleted, that they are just hidden somewhere in AD that I
>     can't
>     > see. PLEASE, if anyone can point me in the right direction here as to
>     > what happened I would appreciate it.
>     As someone mentioned in IRC marking a user as preserved moves them from
>     the user container to cn=deleted
>     users,cn=accounts,cn=provisioning,$SUFFIX.
>     So perhaps AD honored the rename.
>     rob
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to