> This and not bringing over all users because the user can have a sub-folder 
> for mobile phone sync so gets wiped by the previous bug we discussed are 
> total show stoppers for our IPA and RHEL desktop deployment,
This is a new one, perhaps I missed it.  If an AD user has a sub-folder,
that user is not synced to IPA, and due to #355     winsync should not
delete entry that appears to be out of scope it then is deleted from IPA?

In this case, should winsync sync the sub-folder, or ignore it, and just
sync the user entry?

I think I asked / suggested for this as a flag --exclude-subfolders or 
similar....It might fix it but AD's can be modded so much it might be a 
nightmare and you will need some serious testing per site.


I will try and describe this as best I can....

so the user is (hope this is understandable)

cn=user,ou=VUW_Staff,dc=staff,dc=vuw etc

What looks to be happening is (my best guess) the user gets synced over as its 
-win-subtree= ou=VUW_Staff,dc=staff,dc=vuw etc   but then there is a sort of 
simlink thing from cn=exchangesyncusers,cn=user,dc=staff,dc=vuw etc   thats 
actually to a subdirectory under some of  users...  The ones with mobile smart 
phones, maybe you can swing an iphone5 each to test...;)

Hence I think the known bug coming into play as the agreement is moving the 
user over and its next object is the 
cn=exchangesyncusers,cn=user,ou=VUW_Staff,dc=vuw  etc so it promptly deletes 
the user it just added.

This exchange-sync-user subfolder is invisible until you go to advanced view 
and turn the users into folders and scroll down and find the user (it took our 
exchange guru to show me) at that point this sync to exchange folder "appears" 
and its oops time.


I guess the problem is AD can be changed so much from a vanilla layout that 
finding these odd things and allowing for it in the winsync command is a bit of 
a nightmare, especially if you dont know there is an advanced AD view!

I certainly suggest that unless whomever can deploy this doesnt do it live 
first off but in a test environment with a FULL copy of their AD.  My 
management actually wanted me to do a simple test AD environment as a trial, 
that wouldnt have picked this up until too late when I did it on production.

I think I asked for a --exclude-subfolders flag which would cover our disabled 
users as its a subfolder under the --win-subtree=OU=VUW_Staff....but it looks 
like this is a symlink at a peer level, so actually fixing the #355 bug would 
stop it being an issue I think.

 Im at home today so I cant supply much more info right now but I'll try on 
Monday if you need more...


Freeipa-users mailing list

Reply via email to