On 09/27/2012 05:50 PM, Steven Jones wrote:
> 8><--------
>>> This and not bringing over all users because the user can have a sub-folder for
>>> mobile phone sync so gets wiped by the previous bug we discussed are total show
>>> stoppers for our IPA and RHEL desktop deployment,
>> This is a new one, perhaps I missed it. If an AD user has a sub-folder,
>> that user is not synced to IPA, and due to #355 winsync should not
>> delete entry that appears to be out of scope it then is deleted from IPA?
>> In this case, should winsync sync the sub-folder, or ignore it, and just
>> sync the user entry?
> I think I asked / suggested for this as a flag --exclude-subfolders or
> similar.... It might fix it but ADs can be modded so much it might be a
> nightmare and you will need some serious testing per site.
> 8><---------
> I will try and describe this as best I can....
> so the user is (hope this is understandable)
> cn=user,ou=VUW_Staff,dc=staff,dc=vuw etc
> What looks to be happening is (my best guess) the user gets synced over as it's
> --win-subtree=ou=VUW_Staff,dc=staff,dc=vuw etc but then there is a sort of
> symlink thing from cn=exchangesyncusers,cn=user,dc=staff,dc=vuw etc that's
> actually to a subdirectory under some of the users... The ones with mobile smart
> phones, maybe you can swing an iphone5 each to test...;)
> Hence I think the known bug coming into play as the agreement is moving the
> user over and its next object is the
> cn=exchangesyncusers,cn=user,ou=VUW_Staff,dc=vuw etc so it promptly deletes
> the user it just added.
> This exchange-sync-user subfolder is invisible until you go to advanced view and turn the
> users into folders and scroll down and find the user (it took our exchange guru to show
> me) at that point this sync to exchange folder "appears" and it's oops time.
> :/
> I guess the problem is AD can be changed so much from a vanilla layout that
> finding these odd things and allowing for it in the winsync command is a bit of
> a nightmare, especially if you don't know there is an advanced AD view!
> I certainly suggest that whoever deploys this doesn't do it live
> first off but in a test environment with a FULL copy of their AD. My
> management actually wanted me to do a simple test AD environment as a trial,
> that wouldn't have picked this up until too late when I did it on production.
> I think I asked for a --exclude-subfolders flag which would cover our disabled
> users as it's a subfolder under the --win-subtree=OU=VUW_Staff....but it looks
> like this is a symlink at a peer level, so actually fixing the #355 bug would
> stop it being an issue I think.

Not sure what you mean by "symlink" (referral? alias?) but if #355
allows user entries that are non-leaf entries to sync then that's good.

As far as exclude-subfolders, that's https://fedorahosted.org/389/ticket/460

> I'm at home today so I can't supply much more info right now but I'll try on
> Monday if you need more...
> regards
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users