Well, I certainly don't understand what happened under the covers, but it is
100% clear to me that the users got "deleted" in AD while "preserving" them
in IPA.
I could see an argument where "ipa user-del user --preserve" is technically
still a delete (semantics).

I might look at migrating to a trust in the future, but now this is a
caveat to live with.
I still might explore one-way sync in the meantime, see what that buys us.

On Thu, Jul 20, 2017 at 2:45 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Rob Brown wrote:
> > yeah, I did find the users in AD under:
> > CN=Deleted Objects,DC=foo,DC=domain,DC=com
> > and, the users actually have the attribute:
> > isDeleted = TRUE
> > so, looks like they were actually deleted (from AD perspective).
> > It seems like the delete sync is two-way (surprising, since create
> > isn't), and this is probably expected, and that IPA simply exposes the
> > deleted users via the GUI in "Preserved Users", whereas AD doesn't.
> > Still, this kinda took me by surprise, lesson learned. Seems I can
> > recover deleted accounts, but going to be a PITA.
> > Looking thru the docs, I don't see any options to disable deletes. It
> > would be nice to have an option similar to how ipaWinSyncAcctDisable
> > works, but for deletes, so we could set it to one-way.
> > I am wondering if setting the oneWaySync parameter on the
> > synchronization agreement to 'fromWindows' would do the trick. Not sure
> > I really want that, though, will have to think it thru.
>
> Re-adding list...
>
> The delete sync isn't two-way since the user wasn't deleted on the IPA
> side, just moved.
>
> The IPA team isn't devoting much, if any, time these days on winsync,
> instead focusing on AD trust. Given the complexity of trying to find an
> equivalent state in AD of kinda-deleted and implementing, testing, etc., I
> doubt this is something that will be addressed.
>
> Probably worth documenting as an undesirable side-effect though.
>
> rob
>
> >
> > On Thu, Jul 20, 2017 at 11:55 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Rob Brown via FreeIPA-users wrote:
> >     > Our company recently implemented freeipa to replace a cent5 kerberos
> >     > infrastructure. We set it up with a Winsync agreement with an AD domain,
> >     > and it is working pretty well.
> >     > Our user disposition workflow in AD is this: user account is disabled,
> >     > and moved to a "terminated users" OU in AD. The account disable sync was
> >     > working fine to IPA, but yesterday I decided to "clean up" the Active
> >     > Users list in IPA, by deleting (with --preserve) all the disabled
> >     > accounts (there were many). This looked fine from the IPA side: the
> >     > accounts got moved into the Preserved users area (in the gui).
> >     > However, much to my dismay I later discovered that all of the termed
> >     > accounts in AD are gone. WHAT!!!???
> >     > This is bad (for historical/compliance), and came as a shock to me,
> >     > because the docs say: "While modifications are bi-directional (going
> >     > both from Active Directory to IdM and from IdM to Active Directory),
> >     > creating or adding accounts are only uni-directional, from Active
> >     > Directory to Identity Management". So WHY ON EARTH would a delete be
> >     > bi-directional? I'm suspecting (hoping) that the accounts weren't
> >     > actually deleted, that they are just hidden somewhere in AD that I can't
> >     > see. PLEASE, if anyone can point me in the right direction here as to
> >     > what happened I would appreciate it.
> >
> >     As someone mentioned in IRC, marking a user as preserved moves them from
> >     the user container to cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX.
> >
> >     So perhaps AD honored the rename.
> >
> >     rob
> >
> >
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
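As an added example (not from this thread, and not FreeIPA or 389-ds code): a dry-run over an LDIF export of the IPA users you intend to preserve, which shows where `ipa user-del --preserve` will move each entry (the container DN Rob gives above) and flags the ones whose rename can reach AD through winsync. It assumes winsync-managed IPA entries carry the 389-ds Windows Sync objectClass `ntUser` / attribute `ntUserDomainId`, and that only those entries have an AD counterpart; the sample LDIF is constructed.

```python
import re

# Constructed sample export of two disabled IPA users (not real data). The
# first was created by winsync from AD (objectClass ntUser, ntUserDomainId,
# names assumed from the 389-ds Windows Sync schema); the second is IPA-native.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: ntUser
uid: alice
ntUserDomainId: alice
nsAccountLock: TRUE

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: bob
nsAccountLock: TRUE
"""

# Container that `ipa user-del --preserve` moves entries into (from the thread).
PRESERVED_CONTAINER = "cn=deleted users,cn=accounts,cn=provisioning"

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def is_winsync_managed(entry):
    """True if the entry looks like it was synced from AD (assumed markers)."""
    ocs = {oc.lower() for oc in entry.get("objectclass", [])}
    return "ntuser" in ocs or "ntuserdomainid" in entry

def preserved_dn(dn):
    """DN the entry will have after --preserve: a rename, not a delete, in IPA."""
    return re.sub(r",cn=users,cn=accounts,", f",{PRESERVED_CONTAINER},", dn, count=1)

def plan_preserve(ldif_text):
    """One row per user: new DN plus whether the rename may propagate to AD."""
    return [{"uid": e["uid"][0], "new_dn": preserved_dn(e["dn"][0]),
             "propagates_to_ad": is_winsync_managed(e)}
            for e in parse_ldif(ldif_text)]

if __name__ == "__main__":
    for row in plan_preserve(SAMPLE_LDIF):
        note = "WARNING: synced from AD, rename may delete the AD object" \
            if row["propagates_to_ad"] else "IPA-only"
        print(f'{row["uid"]}: {row["new_dn"]} [{note}]')
```

Run it against `ipa user-find --disabled --all --raw` output converted to LDIF, or an `ldapsearch` export of cn=users, before the bulk preserve; any WARNING row is a candidate for leaving in place or for handling on the AD side first.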