> This and not bringing over all users because the user can have a sub-folder
> for mobile phone sync so gets wiped by the previous bug we discussed are
> total show stoppers for our IPA and RHEL desktop deployment,
This is a new one, perhaps I missed it. If an AD user has a sub-folder,
that user is not synced to IPA, and due to #355 winsync should not
delete entry that appears to be out of scope it then is deleted from IPA?
In this case, should winsync sync the sub-folder, or ignore it, and just
sync the user entry?
I think I asked / suggested for this as a flag --exclude-subfolders or
similar....It might fix it but ADs can be modded so much it might be a
nightmare and you will need some serious testing per site.
I will try and describe this as best I can....
so the user is (hope this is understandable)
What looks to be happening is (my best guess) the user gets synced over as its
-win-subtree= ou=VUW_Staff,dc=staff,dc=vuw etc but then there is a sort of
symlink thing from cn=exchangesyncusers,cn=user,dc=staff,dc=vuw etc that's
actually to a subdirectory under some of users... The ones with mobile smart
phones, maybe you can swing an iphone5 each to test...;)
Hence I think the known bug coming into play as the agreement is moving the
user over and its next object is the
cn=exchangesyncusers,cn=user,ou=VUW_Staff,dc=vuw etc so it promptly deletes
the user it just added.
This exchange-sync-user subfolder is invisible until you go to advanced view
and turn the users into folders and scroll down and find the user (it took our
exchange guru to show me) at that point this sync to exchange folder "appears"
and its oops time.
I guess the problem is AD can be changed so much from a vanilla layout that
finding these odd things and allowing for it in the winsync command is a bit of
a nightmare, especially if you don't know there is an advanced AD view!
I certainly suggest that unless whomever can deploy this doesn't do it live
first off but in a test environment with a FULL copy of their AD. My
management actually wanted me to do a simple test AD environment as a trial,
that wouldn't have picked this up until too late when I did it on production.
I think I asked for a --exclude-subfolders flag which would cover our disabled
users as it's a subfolder under the --win-subtree=OU=VUW_Staff....but it looks
like this is a symlink at a peer level, so actually fixing the #355 bug would
stop it being an issue I think.
I'm at home today so I can't supply much more info right now but I'll try on
Monday if you need more...
Freeipa-users mailing list