On 09/13/2012 08:10 PM, Steven Jones wrote:
> Are there corresponding users in IPA where the IPA uid is the same as
> the AD samaccountname of a user in the admin subtree?
> I think the answer to that is yes.
> "admin-steven" in IPA also exists in AD as "admin-steven". So if I had set
> the two to different names the one in IPA would not have been wiped in IPA.
So now that we understand the crux of the problem, Steven, can you advise
us on what we should have said and where (in docs or somewhere else)
about this logic.
Keep in mind that winsync is based on DS sync and we did not have this
problem in DS in the past.
With IPA we have a flat tree, but the same problem can be faced in pure 389 DS.
I hope you realize that we did not do it on purpose. We definitely did
not realize that anyone would be manually creating users with the same
names. From the point of the sync algorithm it made sense to do what we
have implemented as it seemed logical. JR faced this issue and filed a
bug. We agreed with it but we still thought that it is a fairly corner
case; this is why we did not file an errata or anything like that.
However, this is not the point. Back to my question. How could we have
prevented this problem for you to make an informed decision and not do
what you have done? Also, realistically, do you think it should be an
errata? Doing an errata comes with a cost and the cost will be the
features and bug fixes from the later version. Sometimes the errata is
absolutely necessary but is it necessary now?
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.