On 09/24/2012 11:49 PM, Steven Jones wrote:
> Hi,
>
> Im confused here, has no one tried to winsync 2000+ users before?  
>
> Are there any docs on working around this limit?   
>
> Ive up'd the user to 20000 but that seems to have had no effect....my AD ppl 
> dont know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default.  There are
two ways around this:
1) Go into AD and set the sizelimit for the sync user to be greater than
the number of entries.
2) Have DS winsync use simple paged results - this is a code change on
our side and we are tracking it for one of the upcoming releases
https://fedorahosted.org/389/ticket/472

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Tuesday, 25 September 2012 3:17 p.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I am trying to run this and getting search exceeded.
>
> ldapsearch -xLLL -D <winsync_binddn> -w <passwd> -h <AD_host> -s sub -b 
> OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>
> Looks like I have 5900 AD users buy only 4300 are transferred to IPA...they 
> also lose their IPA groups which is a bit of a bummer.
>
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Rich Megginson [rmegg...@redhat.com]
> Sent: Saturday, 22 September 2012 3:46 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/21/2012 09:18 AM, Dmitri Pal wrote:
>> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>>>>>> case
>>>>>> nsslapd-sizelimit. This can be increased either globally or (this
>>>>>> seems as a
>>>>>> more secure solution) for a user you bind as:
>>>>>>
>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>>
>>>>>>
>>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>>>> that must be increased in AD.
>>>>>
>>>> Rich, it seems that it might make sense to file an RFE for the winsync
>>>> to support paging control.
>>> AD supports the paging control?  And this allows you to get around the
>>> search limit?
>>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
>> The default usually 2K BTW.
> https://fedorahosted.org/389/ticket/472
>>>>>> Martin
>>>>>>
>>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> It seems IPA has some sort of limit of searching it will only show
>>>>>>> the first 2k
>>>>>>> of user entries?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> *From:* Rich Megginson [rmegg...@redhat.com]
>>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>>> *To:* Steven Jones
>>>>>>> *Cc:* freeipa-users@redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have imported users, but there are 5700 of them but I only have
>>>>>>>> 2000 which
>>>>>>>> corresponds to the view that AD gives you by default.  This makes
>>>>>>>> me think
>>>>>>>> that that limit is all the AD is allowing the query to see?
>>>>>>> You can use
>>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>>>> what winsync sees when it searches.
>>>>>>>> Is there a way to expand it?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones
>>>>>>>>
>>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>>
>>>>>>>> Victoria University, Wellington, NZ
>>>>>>>>
>>>>>>>> 0064 4 463 6272
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> *From:* freeipa-users-boun...@redhat.com
>>>>>>>> [freeipa-users-boun...@redhat.com]
>>>>>>>> on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
>>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>>> *Cc:* freeipa-users@redhat.com
>>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>>
>>>>>>>> I have hundreds of disable users in IPA now transferred from AD, is
>>>>>>>> there a
>>>>>>>> quick/clean way to purge them from IPA?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones
>>>>>>>>
>>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>>
>>>>>>>> Victoria University, Wellington, NZ
>>>>>>>>
>>>>>>>> 0064 4 463 6272
>>>>>>>>
>>>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to