Uh... I just deleted the AD user templates but it puts them back; also the 
disabled users are in a sub-container and when I delete them in IPA they 
re-appear a few minutes later.

:(




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 21 September 2012 8:56 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 04:54 PM, Dmitri Pal wrote:
On 09/20/2012 04:43 PM, Steven Jones wrote:
Some comments on the win sync agreement syntax.

Hi,

I'd like that command ipa-replica-manage connect  "improved" if possible,

1) A flag on --win-subtree not to include sub-directories under the specified 
OU=, as I think it is why I've picked up lots of disabled users and templates. 
Also the capability to specify more than one OU, as I at least have 2 OU= with 
users in (maybe it can do that, I just don't see it).

2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that 
any disabled users in AD are not transferred, I just transferred 7 years of 
ex-users and 200+ templates I would rather not have....now I think I have a 
huge cleanup task.  Not just exclude, say location, so if I only want to sync 
users in one city (say) --include-only='LDAP Location'=Wellington

Not sure if these are hugely useful but they would have helped me.

Thank you for the feedback.
Would you mind filing BZs or trac tickets?

NM. Rich bit me.







________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 2:48 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

It isn't,

I'm doing a OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except 
I'm also getting some "rubbish" so it's looking like the import script/query to 
AD isn't right.



________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have --win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are 
the same thing?



________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,


Sample of errors log,

=========
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f7000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c5000000040000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 504d01f8000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: stop_fatal_error -> stop_fatal_error
=========

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?






________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc




This I don't understand....

I have the -v already, any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level  8192
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the 
--win-subtree cn=VUW_Staff,dc= etc




________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,

The first time missed the --win-subtree settings so I wiped the admins in the 
IPA admin group and users as they were not in cn=users as per the bug.  The 
second time as far as I can tell I specified the correct cn via win-subtree 
flag but I still appear to have lost the users in IPA.....now I expected to 
lose the admins but the loss of users as well confounds me.

I did an ldapsearch as per checking and it seems to be saying the right 
folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so 
I could try and figure out the mistake.  I've tried grepping, can't find any 
indication.

I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what --win-subtree you specify, 
winsync will search AD starting from the dc=domain suffix.  So, for example, if 
you have
cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
winsync will still search starting from dc=example,dc=com and will hit 
ticket/355 (https://fedorahosted.org/389/ticket/355) if there are any users 
outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as 
a user in IPA.




________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:
Hi,

I just tried to do a winsync agreement with specifying the AD point as 
cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are not in the 
users folder but the VUW_Staff folder (at the same level) and it wiped all IPA 
users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355     winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed 
to "update in progress" dumped to the screen?  Something went badly wrong, I 
just don't know what.

You are seeing something different than #355?


:/






_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users










--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
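
The condition Rich Megginson describes in this thread (AD users outside the --win-subtree that share a username with an IPA user, ticket 355) can be checked on an AD export before the agreement is created. The following is an added example, not code from the thread or from FreeIPA/389; it goes a little further and also flags the disabled and sub-container entries raised in the feature requests. The record layout, function names and sample data are assumptions, and sAMAccountName is assumed to map to the IPA uid.

```python
# Added example (not FreeIPA/389 code); record layout and sample values are constructed.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        escaped = ch == "\\" and not escaped
    pairs = (r.partition("=") for r in rdns + [cur])
    return [a.strip().lower() + "=" + v.strip().lower() for a, _, v in pairs]

def depth_below(dn, base):
    """RDN levels between dn and base, or None if dn is not under base."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)

def audit(ad_entries, ipa_uids, win_subtree):
    """Classify AD entries by the risk they pose to a winsync agreement."""
    ipa = {u.lower() for u in ipa_uids}
    report = {"collision_out_of_scope": [], "disabled_in_scope": [], "nested_in_scope": []}
    for dn, sam, uac in ad_entries:
        depth = depth_below(dn, win_subtree)
        if depth is None:
            if sam.lower() in ipa:  # the ticket 355 condition from the thread
                report["collision_out_of_scope"].append(sam)
            continue
        if uac & ACCOUNTDISABLE:
            report["disabled_in_scope"].append(sam)
        if depth > 1:  # entry sits in a sub-container of the subtree
            report["nested_in_scope"].append(sam)
    return report

WIN_SUBTREE = "ou=VUW_Staff,dc=example,dc=com"
IPA_UIDS = ["alice", "carol", "admin"]
AD_SAMPLE = [  # (dn, sAMAccountName, userAccountControl)
    ("CN=Alice,OU=VUW_Staff,DC=example,DC=com", "alice", 512),
    ("CN=Bob,OU=Disabled,OU=VUW_Staff,DC=example,DC=com", "bob", 514),
    ("CN=Carol Admin,CN=Users,DC=example,DC=com", "carol", 512),
    ("CN=Template\\, Staff,OU=VUW_Staff,DC=example,DC=com", "tmpl_staff", 514),
    ("CN=Dave,CN=Users,DC=example,DC=com", "dave", 512),
]
if __name__ == "__main__":
    print(audit(AD_SAMPLE, IPA_UIDS, WIN_SUBTREE))
```

An empty collision_out_of_scope list is the result to look for before running ipa-replica-manage connect with --win-subtree.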

