On 09/13/2012 05:53 PM, Steven Jones wrote:
=======
"Please explain "std AD"."
=======

under 8.4.2 page 178 the option listed as,

--win-subtree says the default is cn=Users,$SUFFIX.

Which I am told is "standard" AD layout.
Yes.  That is the default AD user container.

I assume the $SUFFIX is staff.vuw.ac.nz in my case with IPA as ods.vuw.ac.nz.  
So I want to map cn=staff,dc=staff,dc=vuw,dc=ac,dc=nz to 
cn=users??,dc=ods,dc=vuw,dc=ac,dc=nz.
I think it's cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz in IPA

at least I think so.

So I take it I should set, --win-subtree cn=staff,$SUFFIX in the command line 
to make an agreement?
Yes.

So for the IPA admin group I don't want to sync the admins; they are not in 
cn=staff but in cn=staff_admins. I want them not to sync, but I also don't want 
them wiped out.
Are there corresponding users in IPA where the IPA uid is the same as the AD samaccountname of a user in the admin subtree?

Users are simply a user, say steven, with no privileges. An admin is admin-steven 
with more permissions, so I have 2 logins and 2 passwords depending on the work; 
it's our security policy.

==========
"But why do you have users with the same userid in AD out of the scope of
the sync agreement with the same userid as an IPA user?"
==========

Probably because I don't have enough knowledge of IPA and even less of AD.
What I mean is this - for example, you have
cn=steven jones,cn=staff,$SUFFIX with samaccountname sjones
cn=admin-steven,cn=staff,$SUFFIX with samaccountname admin-steven
in AD and
uid=sjones,cn=staff,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
uid=admin-steven,cn=staff-admin,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz

So in the IPA user container, you have both users that you want to sync (in the windows subtree scope cn=staff,$SUFFIX), and users that you don't want to sync (in cn=staff-admin,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz)?

If so, what you are seeing is that in IPA, uid=admin-steven is deleted, but not uid=sjones.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 14 September 2012 11:15 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement

On 09/13/2012 05:11 PM, Steven Jones wrote:
Hi,

So I have 6.3 and just lost all my IPA users.
In production or in a test environment?
So anyone on 6.2/6.3 until they upgrade after December's 6.4 could lose all 
their IPA users if they do a winsync agreement and don't twig to that option 
being essential if they don't have a std AD.
Please explain "std AD".
Not only that, my admins are in a separate OU, so even if I had done a 
--win-subtree=cn=staff_users, admins being elsewhere would have gone bye bye 
anyway.
Let's say you have in AD
cn=Users,dc=example,dc=com
cn=Adminusers,dc=example,dc=com

and in IPA
cn=users,cn=accounts,dc=example,dc=com

and you set up your winsync agreement as

nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com

That is, you want users in cn=Users,dc=example,dc=com to be in sync with
cn=users,cn=accounts,dc=example,dc=com

IPA uses a flat DIT - users are grouped not by hierarchy but by
attributes, as opposed to AD which uses hierarchies for grouping.  So
IPA "flattens" hierarchies when it syncs users from AD to DS.

Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
and
uid=jsmith,cn=Users,dc=example,dc=com

Because of the way that winsync works, it will think that because the AD
entry and the IPA entry have the same userid, they should be in sync - but
because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope
of cn=Users,dc=example,dc=com, winsync will think that the user has moved
outside the scope of the agreement, and will delete the user.  Obviously
it should not do that by default, hence
https://fedorahosted.org/389/ticket/355

But why do you have users with the same userid in AD out of the scope of
the sync agreement with the same userid as an IPA user?



Luckily I hadn't disabled the admin account yet... it was the only one left.

I guess this stuff is a lot more complex than it looks.

:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

8><-----
will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production
tree"
8><----
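As an added example (not code from this thread, from 389-ds or from FreeIPA), the script below models the scope rule Rich describes so that an administrator can list the accounts that would be affected before creating the agreement: an IPA user under nsds7DirectoryReplicaSubtree whose uid matches the sAMAccountName of an AD entry that lies outside nsds7WindowsReplicaSubtree is the case winsync treated as "moved out of scope" and deleted before the fix for ticket 355. The function names, the three result categories and all DNs and accounts are constructed for illustration; the IPA-only category (no matching AD account) is listed only to make the report complete, since the thread does not describe how winsync treats it.

```python
"""Pre-flight check for a winsync agreement (illustrative model, not winsync itself).

Models the behaviour described in the thread: an IPA user in the DS subtree whose
uid equals the sAMAccountName of an AD entry *outside* the Windows subtree is
treated as having moved out of scope and is deleted (pre-389-ticket-355 behaviour).
All entries below are constructed sample data.
"""
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDN strings (lower-cased, whitespace trimmed).

    Honours backslash-escaped commas; this is not a full RFC 4514 parser, but it
    is sufficient for the container-style DNs used by winsync agreements.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip().lower())
    return parts


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere beneath it (case-insensitive)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def winsync_risk(ad_entries: List[Dict[str, str]], ipa_entries: List[Dict[str, str]],
                 win_subtree: str, ds_subtree: str) -> Dict[str, List[str]]:
    """Classify the IPA users under ds_subtree against the AD side.

    Returns three lists of IPA uids:
      in_sync  - matching AD account inside win_subtree (will be kept in sync)
      at_risk  - matching AD account exists but is outside win_subtree
                 (deleted by the behaviour described in the thread)
      ipa_only - no AD account with that sAMAccountName at all
    """
    by_sam = {e["sAMAccountName"].lower(): e["dn"] for e in ad_entries}
    result: Dict[str, List[str]] = {"in_sync": [], "at_risk": [], "ipa_only": []}
    for entry in ipa_entries:
        if not is_under(entry["dn"], ds_subtree):
            continue  # outside nsds7DirectoryReplicaSubtree: not part of the agreement
        ad_dn = by_sam.get(entry["uid"].lower())
        if ad_dn is None:
            result["ipa_only"].append(entry["uid"])
        elif is_under(ad_dn, win_subtree):
            result["in_sync"].append(entry["uid"])
        else:
            result["at_risk"].append(entry["uid"])
    return result


# Constructed sample data mirroring the example.com layout used in the thread.
SAMPLE_AD = [
    {"dn": "cn=Jane Doe,cn=Users,dc=example,dc=com", "sAMAccountName": "jdoe"},
    {"dn": "cn=jsmith,cn=Adminusers,dc=example,dc=com", "sAMAccountName": "jsmith"},
]
SAMPLE_IPA = [
    {"dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com", "uid": "jdoe"},
    {"dn": "uid=jsmith,cn=users,cn=accounts,dc=example,dc=com", "uid": "jsmith"},
    {"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com", "uid": "admin"},
]
WIN_SUBTREE = "cn=Users,dc=example,dc=com"              # nsds7WindowsReplicaSubtree
DS_SUBTREE = "cn=users,cn=accounts,dc=example,dc=com"   # nsds7DirectoryReplicaSubtree


def run_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed sample and return the classification."""
    return winsync_risk(SAMPLE_AD, SAMPLE_IPA, WIN_SUBTREE, DS_SUBTREE)


if __name__ == "__main__":
    report = run_sample()
    for category, uids in report.items():
        print(f"{category:9s}: {', '.join(uids) or '-'}")
```

Run against a real deployment, the two entry lists would be filled from an LDAP search of the AD subtree (dn and sAMAccountName) and of the IPA accounts container (dn and uid); anything reported as at_risk is exactly the situation Steven hit, and either the --win-subtree value or the placement of those accounts needs to change before the agreement is created.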



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users