On 09/20/2012 04:43 PM, Steven Jones wrote: > Some comments on the win sync agreement syntax. > > Hi, > > I'd like that command ipa-replica-manage connect "improved" if possible, > > 1) A flag on --win-subtree not to include sub-directories under the > specified OU= as I think it is why Ive picked up lots of disabled > users and templates. Also the capability to specify more than one OU > as I at least have 2 OU= with users in (maybe it can do that I just > dont see it) > > 2) A flag something like --exclude='LDAP criteria/attribute'=disabled > such that any disabled users in AD are not transferred, I just > transferred 7 years of ex-users and 200+ templates I would rather not > have....now I think I have a huge cleanup task. Not just exclude, say > location, so if I only want to sync users in one city (say) > --include-only="LDAP Location'=Wellington > > Not sure if these are hugely useful but they would have helped me.
Thank you for the feedback. Would you mind filing BZs or trac tickets? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* freeipa-users-boun...@redhat.com > [freeipa-users-boun...@redhat.com] on behalf of Steven Jones > [steven.jo...@vuw.ac.nz] > *Sent:* Thursday, 20 September 2012 2:48 p.m. > *Cc:* freeipa-users@redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > it isnt, > > Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly working > except Im also getting some "rubbish" so its looking like the import > script/query to AD isnt right. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* freeipa-users-boun...@redhat.com > [freeipa-users-boun...@redhat.com] on behalf of Steven Jones > [steven.jo...@vuw.ac.nz] > *Sent:* Thursday, 20 September 2012 12:15 p.m. > *Cc:* freeipa-users@redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > Hi, > > I have -win-subtree cn= etc I take it that cn= is fine and that ou= > and cn= are the same thing? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ------------------------------------------------------------------------ > *From:* Rich Megginson [rmegg...@redhat.com] > *Sent:* Thursday, 20 September 2012 11:03 a.m. > *To:* Steven Jones > *Cc:* freeipa-users@redhat.com > *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users > > On 09/19/2012 04:55 PM, Steven Jones wrote: >> Hi, >> >> >> Sample of errors log, >> >> ========= >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: >> successfully committed csn 504d01f7000000110000 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): >> State: stop_fatal_error -> stop_fatal_error >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): >> State: stop_fatal_error -> stop_fatal_error >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> ruv_add_csn_inprogress: successfully inserted csn >> 504d01f8000000110000 into pending list >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state >> information from entry >> uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN >> 504d42c5000000040000 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog >> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for >> database >> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: >> successfully committed csn 504d01f8000000110000 >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): >> State: stop_fatal_error -> stop_fatal_error >> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - >> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): >> State: stop_fatal_error -> stop_fatal_error >> ========= > > Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement? > >> >> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ------------------------------------------------------------------------ >> *From:* Rich Megginson [rmegg...@redhat.com] >> *Sent:* Wednesday, 19 September 2012 12:32 a.m. >> *To:* Steven Jones >> *Cc:* freeipa-users@redhat.com >> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >> >> On 09/17/2012 07:10 PM, Steven Jones wrote: >>> Hi, >>> >>> I understand that I'll lose users that are cn=Staff_Admins,dc=etc >>> >>> So the Q is why I am losing users in the --win-subtree >>> cn=VUW_Staff,dc= etc >> >> >> >>> >>> This I dont understand.... >>> >>> I have the -v already, anyway to make it very verbose? >> >> http://port389.org/wiki/FAQ#Troubleshooting >> Use the replication log level 8192 >> I'd like to see the directory server errors log >> /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries >> under the --win-subtree cn=VUW_Staff,dc= etc >> >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ------------------------------------------------------------------------ >>> *From:* Rich Megginson [rmegg...@redhat.com] >>> *Sent:* Tuesday, 18 September 2012 12:47 p.m. >>> *To:* Steven Jones >>> *Cc:* freeipa-users@redhat.com >>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>> >>> On 09/17/2012 06:17 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> The first time missed the --win-subtree settings so I wiped the >>>> admins in the IPA admin group and users as they were not in >>>> cn=users as per the bug. The second time as far as I can tell I >>>> specified the correct cn via win-subtree flag but I still appear to >>>> have lost the users in IPA.....now I expected to lose the admins >>>> but the loss of users as well confounds me. >>>> >>>> I did a ldapsearch as per checking and its seems to be saying the >>>> right folder/ou/cn but IPA is empty. >>>> >>>> Hence I was wondering if there was a log recording what the update >>>> was doing so I could try and figure out the mistake. Ive tried >>>> greping cant find any indication. >>>> >>>> I will re-try with -v, verbose. >>> >>> It is not clear from the manuals, but no matter what -win-subtree >>> you specify, winsync will search AD starting from the dc=domain >>> suffix. So, for example, if you have >>> cn=mystaff,cn=staff,dc=example,dc=com >>> and you specify >>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com" >>> winsync will still search starting from dc=example,dc=com and will >>> hit ticket/355 if there are any users outside of >>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username as >>> a user in IPA. >>> >>>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ------------------------------------------------------------------------ >>>> *From:* Rich Megginson [rmegg...@redhat.com] >>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m. >>>> *To:* Steven Jones >>>> *Cc:* freeipa-users@redhat.com >>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>> >>>> On 09/17/2012 04:17 PM, Steven Jones wrote: >>>>> Hi, >>>>> >>>>> I just tried to do a winsync agreement with specifying the AD >>>>> point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my >>>>> users are not in the users folder but the VUW_Staff folder (at the >>>>> same level) and it wiped all IPA users that are also in AD. >>>> >>>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355 >>>> #355 winsync should not delete entry that appears to be out of >>>> scope >>>> >>>>> While doing the actual update does this get verbosly logged >>>>> anywhere as opposed to "update in progress" dumped to the screen? >>>>> Something went badly wrong, I just dont know what. >>>> >>>> You are seeing something different than #355? >>>> >>>>> >>>>> :/ >>>>> >>>>> regards >>>>> >>>>> Steven Jones >>>>> >>>>> Technical Specialist - Linux RHCE >>>>> >>>>> Victoria University, Wellington, NZ >>>>> >>>>> 0064 4 463 6272 >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users@redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >> > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users