Well, I certainly don't understand what happened under the covers, but it is 100% clear to me that the users got "deleted" in AD while "preserving" them in IPA. I could see an argument where "ipa user-del user --preserve" is technically still a delete (semantics).

I might look at migrating to a trust in the future, but for now this is a caveat to live with. I still might explore one-way sync in the meantime and see what that buys us.

On Thu, Jul 20, 2017 at 2:45 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Rob Brown wrote:
> > Yeah, I did find the users in AD under:
> >
> > CN=Deleted Objects,DC=foo,DC=domain,DC=com
> >
> > and the users actually have the attribute:
> >
> > isDeleted = TRUE
> >
> > so it looks like they were actually deleted (from the AD perspective).
> >
> > It seems like the delete sync is two-way (surprising, since create isn't), and this is probably expected, and that IPA simply exposes the deleted users via the GUI in "Preserved Users", whereas AD doesn't.
> >
> > Still, this kinda took me by surprise, lesson learned. Seems I can recover deleted accounts, but it's going to be a PITA.
> >
> > Looking thru the docs, I don't see any options to disable deletes. It would be nice to have an option similar to how ipaWinSyncAcctDisable works, but for deletes, so we could set it to one-way.
> >
> > I am wondering if setting the oneWaySync parameter on the synchronization agreement to 'fromWindows' would do the trick. Not sure I really want that, though, will have to think it thru.
>
> Re-adding list...
>
> The delete sync isn't two-way since the user wasn't deleted on the IPA side, just moved.
>
> The IPA team isn't devoting much, if any, time these days on winsync, instead focusing on AD trust. Given the complexity of trying to find an equivalent state in AD of kinda-deleted and implementing, testing, etc., I doubt this is something that will be addressed.
>
> Probably worth documenting as an undesirable side-effect though.
>
> rob
>
> > On Thu, Jul 20, 2017 at 11:55 AM, Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
> >
> > Rob Brown via FreeIPA-users wrote:
> > > Our company recently implemented freeipa to replace a cent5 kerberos infrastructure. We set it up with a Winsync agreement with an AD domain, and it is working pretty well.
> > >
> > > Our user disposition workflow in AD is this: the user account is disabled and moved to a "terminated users" OU in AD. The account disable sync was working fine to IPA, but yesterday I decided to "clean up" the Active Users list in IPA by deleting (with --preserve) all the disabled accounts (there were many). This looked fine from the IPA side: the accounts got moved into the Preserved users area (in the gui).
> > >
> > > However, much to my dismay I later discovered that all of the termed accounts in AD are gone. WHAT!!!???
> > >
> > > This is bad (for historical/compliance), and came as a shock to me, because the docs say: "While modifications are bi-directional (going both from Active Directory to IdM and from IdM to Active Directory), creating or adding accounts are only uni-directional, from Active Directory to Identity Management". So WHY ON EARTH would a delete be bi-directional? I'm suspecting (hoping) that the accounts weren't actually deleted, that they are just hidden somewhere in AD that I can't see. PLEASE, if anyone can point me in the right direction here as to what happened I would appreciate it.
> >
> > As someone mentioned in IRC, marking a user as preserved moves them from the user container to cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX.
> >
> > So perhaps AD honored the rename.
> >
> > rob
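As an added illustration of the mechanism Rob describes (this is example code, not from the thread or from FreeIPA): a pre-flight check that models `--preserve` as a rename into cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX and flags winsync-managed users whose preserve would reach AD as a delete. The suffix, the sample entries and the use of the ntUser objectclass as the "synced from AD" marker are assumptions for the example.

```python
"""Pre-flight audit before `ipa user-del --preserve` on a winsync deployment.

Added example. It models the behaviour discussed in the thread: preserving a
user renames its entry out of the users container into the provisioning
subtree, and the winsync agreement can propagate that rename to AD as a
delete. Entries are constructed LDAP-style dicts; the ntUser objectclass is
assumed here as the marker 389-ds winsync puts on synced entries.
"""
SUFFIX = "dc=example,dc=com"  # constructed suffix
USERS_CONTAINER = f"cn=users,cn=accounts,{SUFFIX}"
PRESERVED_CONTAINER = f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}"

ENTRIES = [  # constructed sample data, not from the thread
    {"dn": f"uid=alice,{USERS_CONTAINER}", "nsAccountLock": "TRUE",
     "objectClass": ["top", "person", "posixAccount", "ntUser"]},
    {"dn": f"uid=bob,{USERS_CONTAINER}",
     "objectClass": ["top", "person", "posixAccount"]},
    {"dn": f"uid=carol,{PRESERVED_CONTAINER}",
     "objectClass": ["top", "person", "posixAccount", "ntUser"]},
]

def rdn_and_parent(dn):
    """Split a DN into (rdn, parent); sample RDNs contain no escaped commas."""
    rdn, _, parent = dn.partition(",")
    return rdn, parent.strip().lower()

def is_winsync_managed(entry):
    """True when the entry carries the objectclass winsync adds to synced users."""
    return any(oc.lower() == "ntuser" for oc in entry.get("objectClass", []))

def preserved_dn(dn):
    """DN the entry will have after `ipa user-del --preserve` (same RDN, new parent)."""
    rdn, _ = rdn_and_parent(dn)
    return f"{rdn},{PRESERVED_CONTAINER}"

def audit_preserve(entries, uids):
    """Classify each uid: 'at-risk' = synced user whose rename AD will see as a delete."""
    by_uid = {rdn_and_parent(e["dn"])[0].split("=", 1)[1].lower(): e for e in entries}
    report = {}
    for uid in uids:
        entry = by_uid.get(uid.lower())
        if entry is None:
            report[uid] = "missing"
        elif rdn_and_parent(entry["dn"])[1] == PRESERVED_CONTAINER.lower():
            report[uid] = "already-preserved"
        elif is_winsync_managed(entry):
            report[uid] = "at-risk"  # leaves the synced subtree; AD sees a delete
        else:
            report[uid] = "safe"  # IPA-only account, nothing to propagate
    return report

if __name__ == "__main__":
    for uid, status in audit_preserve(ENTRIES, ["alice", "bob", "carol"]).items():
        print(f"{uid}: {status}")
```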
_______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org