Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-27 Thread Rich Megginson

On 09/25/2012 09:46 PM, Rob Crittenden wrote:

Steven Jones wrote:

Hi,

I don't have an ldapmodify command for changing something in AD.

I have increased the only scope I/we know about which is the return 
of objects from a search inside the AD gui but that might be specific 
to that view tool.  That is 2000 by default, I've set 4, I am 
testing it now, if that doesn't work


Our best AD person is currently researching to see if it's even 
possible to alter that hard code in AD.  The only way he can see is 
using a windows/ad specific command line command to modify the 
internals of AD but he's never seen or read about doing it for this 
attribute.


Rich knows more about this than me, so maybe he knows what value 
you're changing, but I don't. Where exactly in the AD gui are you 
changing the value to 40k?


There are limits you can set that apply only to the GUI, and there are 
limits you can set which apply to LDAP.  It's possible you set some 
limits which only apply to the windows GUI.


http://support.microsoft.com/kb/315071

I don't see any setting which directly corresponds to sizelimit.  The 
only ones that control the size of the result set are: MaxPageSize, 
which seems only to apply to paged result searches; MaxTempTableSize, 
which sounds something like our idlistscanlimit and could be applicable 
here; and MaxResultSetSize, which could also be applicable here.


Do you have more than 1 entries in your active directory?  Might AD 
be attempting to return more than 262,144 bytes?






regards

rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-27 Thread Steven Jones
It's also a forest-wide setting

:/


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-26 Thread Natxo Asenjo
On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Steven Jones wrote:

 Hi,

 I don't have an ldapmodify command for changing something in AD.

 I have increased the only scope I/we know about which is the return of 
 objects from a search inside the AD gui but that might be specific to that 
 view tool.  That is 2000 by default, I've set 4, I am testing it now, if 
 that doesn't work

 Our best AD person is currently researching to see if it's even possible to 
 alter that hard code in AD.  The only way he can see is using a windows/ad 
 specific command line command to modify the internals of AD but he's never 
 seen or read about doing it for this attribute.



sounds like you need to upgrade your MaxPageSize and LDAPAdminLimits
attribute of the Default Query Policy object in the Query-Policies
container. We needed to do this to be able to get more than 1000
objects from AD a long time ago.

The details I used back then were here:

http://technet.microsoft.com/en-us/library/aa998536.aspx


cmd.exe -> ntdsutil.exe (on a domain controller)

At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

show values [enter]
ldap policy: show values

Policy                      Current(New)
MaxPoolThreads              4
MaxDatagramRecv             4096
MaxReceiveBuffer            10485760
InitRecvTimeout             120
MaxConnections              5000
MaxConnIdleTime             900
MaxPageSize                 1000
MaxQueryDuration            120
MaxTempTableSize            1
MaxResultSetSize            262144
MaxNotificationPerConn      5
MaxValRange                 1500

We want to change MaxPageSize.

First we need to authenticate:
connections [enter]
set creds domain user pwd
connect to domain your.domain
q

then we go to ldap policy

set MaxPageSize to 2000
Commit Changes
quit
quit

-- 
natxo



Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-26 Thread Steven Jones
Hi,

Unable to get this to work on win2k3r2 even with enterprise admin permissions.

What I have found is this, which I'm about to try:

1. Use adsiedit.msc to bind to any domain controller.
2. Navigate through
Configuration
CN=Configuration,DC=DomainName,DC=COM
CN=Services
CN=Windows NT
CN=Directory Services
CN=Query-Policies
3. Double-click CN=Default Query Policy in the right-hand pane.
4. Double-click LdapAdminLimits.
5. Select MaxPageSize and press Remove.
6. Modify the limit of MaxPageSize and press Add.
7. Press OK, Apply, and OK.
8. Close ADSI Edit.
9. After replication, the new limit should be available.

adsiedit is part of the ms support tools here,

http://www.microsoft.com/en-us/download/confirmation.aspx?id=7911



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rich Megginson

On 09/24/2012 09:49 PM, Steven Jones wrote:

Hi,

I'm confused here, has no one tried to winsync 2000+ users before?


You are the first one to run into this problem.



Are there any docs on working around this limit?


In AD?



I've up'd the user to 2


How?  What exactly did you do?


but that seems to have had no effect... my AD ppl don't know of any other way to 
increase that at present.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Steven Jones
Hi,

I have set the filter size as 2 for the user and it makes no difference.

So unless it's somewhere else configurable it can't be easily done.

via adsi edit? and if so what is the value called?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 26 September 2012 7:39 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/24/2012 11:49 PM, Steven Jones wrote:
 Hi,

 I'm confused here, has no one tried to winsync 2000+ users before?

 Are there any docs on working around this limit?

 I've up'd the user to 2 but that seems to have had no effect... my AD ppl 
 don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default.  There are
two ways around this:
1) Go into AD and set the sizelimit for the sync user to be greater than
the number of entries.
2) Have DS winsync use simple paged results - this is a code change on
our side and we are tracking it for one of the upcoming releases
https://fedorahosted.org/389/ticket/472


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rich Megginson

On 09/25/2012 03:34 PM, Steven Jones wrote:

Hi,

I have set the filter size as 2 for the user and it makes no difference.

Where did you set this?  In IPA?  In AD?  If so, where? How?
What does filter size mean?  To me, it means the size of an LDAP 
search filter in an LDAP search request not the maximum number of 
entries returned by a search.


So unless it's somewhere else configurable it can't be easily done.

via adsi edit? and if so what is the value called?

I would like to know the answers to these questions, but I do not.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 26 September 2012 7:39 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/24/2012 11:49 PM, Steven Jones wrote:

Hi,

I'm confused here, has no one tried to winsync 2000+ users before?

Are there any docs on working around this limit?

I've up'd the user to 2 but that seems to have had no effect... my AD ppl 
don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default.  There are
two ways around this:
1) Go into AD and set the sizelimit for the sync user to be greater than
the number of entries.
2) Have DS winsync use simple paged results - this is a code change on
our side and we are tracking it for one of the upcoming releases
https://fedorahosted.org/389/ticket/472


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rob Crittenden

Rich Megginson wrote:

On 09/25/2012 03:34 PM, Steven Jones wrote:

Hi,

I have set the filter size as 2 for the user and it makes no
difference.

Where did you set this?  In IPA?  In AD?  If so, where? How?
What does filter size mean?  To me, it means the size of an LDAP
search filter in an LDAP search request not the maximum number of
entries returned by a search.


The more details you can provide on what you did the better. This might 
include the exact ldapmodify command, where you entered it in AD, the 
attribute names, whichever is applicable.


regards

rob



Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Steven Jones
Hi,

I don't have an ldapmodify command for changing something in AD.

I have increased the only scope I/we know about which is the return of objects 
from a search inside the AD gui but that might be specific to that view tool.  
That is 2000 by default, I've set 4, I am testing it now, if that doesn't 
work

Our best AD person is currently researching to see if it's even possible to 
alter that hard code in AD.  The only way he can see is using a windows/ad 
specific command line command to modify the internals of AD but he's never seen 
or read about doing it for this attribute.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rob Crittenden

Steven Jones wrote:

Hi,

I don't have an ldapmodify command for changing something in AD.

I have increased the only scope I/we know about which is the return of objects 
from a search inside the AD gui but that might be specific to that view tool.  
That is 2000 by default, I've set 4, I am testing it now, if that doesn't 
work

Our best AD person is currently researching to see if it's even possible to 
alter that hard code in AD.  The only way he can see is using a windows/ad 
specific command line command to modify the internals of AD but he's never seen 
or read about doing it for this attribute.


Rich knows more about this than me, so maybe he knows what value you're 
changing, but I don't. Where exactly in the AD gui are you changing the 
value to 40k?


regards

rob





Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-24 Thread Steven Jones
Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D <winsync_binddn> -w <passwd> -h <AD_host> -s sub -b "OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz" "cn=*" dn > ad.dns.txt

Looks like I have 5900 AD users but only 4300 are transferred to IPA... they 
also lose their IPA groups which is a bit of a bummer.

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-24 Thread Steven Jones
Hi,

I'm confused here, has no one tried to winsync 2000+ users before?

Are there any docs on working around this limit?

I've up'd the user to 2 but that seems to have had no effect... my AD ppl 
don't know of any other way to increase that at present.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 25 September 2012 3:17 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D winsync_binddn -w passwd -h AD_host -s sub -b 
OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz cn=* dn  ad.dns.txt

Looks like I have 5900 AD users buy only 4300 are transferred to IPA...they 
also lose their IPA groups which is a bit of a bummer.

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-23 Thread Steven Jones
Hi,

Actually I am unable to see more than 2000 users in IPA, it seems to be a limit 
in IPA which coincides with AD's display limit... hence I was confused.

So it just happens that there is a default windows limit of 2000 users to 
display when you search. I am however fairly sure it stopped the complete sync, 
I need to double check, but I'm pretty sure as I think I did searches in IPA and 
some users were not there initially (I then set the user's search to 2 and 
it seemed to have all users there).  However while wondering what was wrong I 
realised that I should be able to see 2028 in IPA (28 non-AD users), I couldn't, 
I still can't, I can only see 2000.

I found a setting saying 100 somethings pages? (sorry I forget and I'm at home 
with no VPN right now) in IPA but when I try to increase it a selinux problem 
/ config stops me, happens at the command line as well. So I have a case with RH 
support to fix that.

NB Once it's fixed I will re-set the AD user to 2000 and back out the snapshot on 
the IPA master and re-test to make sure what I have said above is correct.

In which case, yes you need to mention it in the docs, though maybe it's only a 
win2k3r2 issue.  It's not a biggie as you can set the user to show 20,000, at 
the very least that will work.

I will re-test / double check all this before you commit time pls.

The other thing is when users come across they seem to have lost their IPA user 
group settings?  Again I need to check this as I was asked to urgently set up an 
rsync so left it before I'd looked in detail at that.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-21 Thread Rich Megginson

On 09/21/2012 05:21 AM, Martin Kosek wrote:

When using bare ldapsearch, you are hitting 389-ds limits - in your case
nsslapd-sizelimit. This can be increased either globally or (this seems as a
more secure solution) for a user you bind as:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html


Steven, are you saying that winsync only pulled over 2000 out of 5700 
users from AD into IPA? If so, then that's a limit on the winsync user 
that must be increased in AD.





Martin

On 09/21/2012 04:43 AM, Steven Jones wrote:

Hi,

It seems IPA has some sort of limit of searching it will only show the first 2k
of user entries?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

---
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, 21 September 2012 11:38 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 03:52 PM, Steven Jones wrote:

Hi,

I have imported users, but there are 5700 of them but I only have 2000 which
corresponds to the view that AD gives you by default.  This makes me think
that that limit is all the AD is allowing the query to see?

You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
what winsync sees when it searches.

Is there a way to expand it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-21 Thread Dmitri Pal
On 09/21/2012 09:23 AM, Rich Megginson wrote:
 On 09/21/2012 05:21 AM, Martin Kosek wrote:
 When using bare ldapsearch, you are hitting 389-ds limits - in your case
 nsslapd-sizelimit. This can be increased either globally or (this
 seems as a
 more secure solution) for a user you bind as:

 https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html


 Steven, are you saying that winsync only pulled over 2000 out of 5700
 users from AD into IPA? If so, then that's a limit on the winsync user
 that must be increased in AD.


Rich, it seems that it might make sense to file an RFE for the winsync
to support paging control.





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-21 Thread Rich Megginson

On 09/21/2012 09:04 AM, Dmitri Pal wrote:

On 09/21/2012 09:23 AM, Rich Megginson wrote:

On 09/21/2012 05:21 AM, Martin Kosek wrote:

When using bare ldapsearch, you are hitting 389-ds limits - in your case
nsslapd-sizelimit. This can be increased either globally or (this
seems as a
more secure solution) for a user you bind as:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html


Steven, are you saying that winsync only pulled over 2000 out of 5700
users from AD into IPA? If so, then that's a limit on the winsync user
that must be increased in AD.


Rich, it seems that it might make sense to file an RFE for the winsync
to support paging control.


AD supports the paging control?  And this allows you to get around the 
search limit?







Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-21 Thread Dmitri Pal
On 09/21/2012 11:07 AM, Rich Megginson wrote:
 On 09/21/2012 09:04 AM, Dmitri Pal wrote:
 On 09/21/2012 09:23 AM, Rich Megginson wrote:
 On 09/21/2012 05:21 AM, Martin Kosek wrote:
 When using bare ldapsearch, you are hitting 389-ds limits - in your
 case
 nsslapd-sizelimit. This can be increased either globally or (this
 seems as a
 more secure solution) for a user you bind as:

 https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html


 Steven, are you saying that winsync only pulled over 2000 out of 5700
 users from AD into IPA? If so, then that's a limit on the winsync user
 that must be increased in AD.

 Rich, it seems that it might make sense to file an RFE for the winsync
 to support paging control.

 AD supports the paging control?  And this allows you to get around the
 search limit?


http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
The default is usually 2K BTW.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-21 Thread Rich Megginson

On 09/21/2012 09:18 AM, Dmitri Pal wrote:

On 09/21/2012 11:07 AM, Rich Megginson wrote:

On 09/21/2012 09:04 AM, Dmitri Pal wrote:

On 09/21/2012 09:23 AM, Rich Megginson wrote:

On 09/21/2012 05:21 AM, Martin Kosek wrote:

When using bare ldapsearch, you are hitting 389-ds limits - in your
case
nsslapd-sizelimit. This can be increased either globally or (this
seems as a
more secure solution) for a user you bind as:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



Steven, are you saying that winsync only pulled over 2000 out of 5700
users from AD into IPA? If so, then that's a limit on the winsync user
that must be increased in AD.


Rich, it seems that it might make sense to file an RFE for the winsync
to support paging control.

AD supports the paging control?  And this allows you to get around the
search limit?


http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
The default usually 2K BTW.

https://fedorahosted.org/389/ticket/472



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
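The exchange above (Martin's per-bind-DN size limit, the AD default cap Dmitri links to, and the paging-control RFE in ticket 472) as an added example that is not part of the thread or of 389-ds, FreeIPA or winsync. It models an in-memory directory with a constructed 2000-entry cap and a hypothetical winsync bind DN, and shows why an unpaged search stops at the cap while an RFC 2696 paged search retrieves everything:

```python
"""Why an unpaged search stops at the directory's size limit, and how the
Simple Paged Results control (RFC 2696) walks past it.

Added example for this thread; it is not code from 389-ds, FreeIPA, winsync
or any poster. The directory is a constructed in-memory mock: its global cap
stands in for AD's MaxPageSize (or 389-ds nsslapd-sizelimit), and the
per-bind-DN override stands in for the bind-DN resource limits Martin's link
describes. No real LDAP library is used, so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SUCCESS = 0              # LDAP resultCode success
SIZE_LIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded ("search exceeded")


@dataclass
class MockDirectory:
    entries: List[str]                          # entry DNs in server order
    size_limit: int = 2000                      # global result cap (constructed default)
    bind_dn_limits: Dict[str, int] = field(default_factory=dict)  # per-bind-DN override
    _cookies: Dict[bytes, int] = field(default_factory=dict)      # server-side paging state

    def effective_limit(self, bind_dn: str) -> int:
        """A limit set on the bind DN wins over the global one."""
        return self.bind_dn_limits.get(bind_dn, self.size_limit)

    def search(self, bind_dn: str) -> Tuple[List[str], int]:
        """Unpaged search: the server returns the first `limit` entries plus
        resultCode 4, which is the symptom in the thread (2000 of 5700)."""
        limit = self.effective_limit(bind_dn)
        if len(self.entries) > limit:
            return self.entries[:limit], SIZE_LIMIT_EXCEEDED
        return list(self.entries), SUCCESS

    def search_paged(self, bind_dn: str, page_size: int,
                     cookie: bytes = b"") -> Tuple[List[str], bytes]:
        """One request/response round of RFC 2696. The client sends back the
        cookie from the previous response; an empty cookie means no more pages."""
        if cookie:
            if cookie not in self._cookies:
                raise ValueError("unknown or expired paging cookie")
            start = self._cookies.pop(cookie)
        else:
            start = 0
        # Each page is capped by the limit (as with AD's MaxPageSize), but the
        # total across pages is not: that is the point of the control.
        page_size = min(page_size, self.effective_limit(bind_dn))
        page = self.entries[start:start + page_size]
        end = start + len(page)
        if end >= len(self.entries):
            return page, b""
        next_cookie = end.to_bytes(4, "big")  # opaque to the client
        self._cookies[next_cookie] = end
        return page, next_cookie


def fetch_all_paged(directory: MockDirectory, bind_dn: str,
                    page_size: int = 1000) -> List[str]:
    """Client side of the paging loop: resend the cookie until it comes back empty."""
    results: List[str] = []
    cookie = b""
    while True:
        page, cookie = directory.search_paged(bind_dn, page_size, cookie)
        results.extend(page)
        if not cookie:
            return results


def missing_after_sync(source: List[str], synced: List[str]) -> List[str]:
    """Post-sync check: which source entries never arrived (AD side vs IPA side)."""
    seen = set(synced)
    return [dn for dn in source if dn not in seen]


# Constructed sample: 5700 users, like the thread's AD, under a 2000-entry cap.
AD_USERS = [f"cn=user{i},OU=Staff,DC=example,DC=test" for i in range(5700)]
WINSYNC_DN = "cn=winsync,OU=service,DC=example,DC=test"  # hypothetical bind DN


def demo() -> dict:
    """Run the three scenarios from the thread and return the counts."""
    ad = MockDirectory(entries=AD_USERS, size_limit=2000)
    truncated, code = ad.search(WINSYNC_DN)           # what an unpaged sync gets
    paged = fetch_all_paged(ad, WINSYNC_DN, page_size=1000)
    # Raise the limit for the sync account only (the 20,000 setting in the thread).
    ad.bind_dn_limits[WINSYNC_DN] = 20000
    raised, raised_code = ad.search(WINSYNC_DN)
    return {
        "unpaged_count": len(truncated), "unpaged_code": code,
        "missing_unpaged": len(missing_after_sync(AD_USERS, truncated)),
        "paged_count": len(paged),
        "raised_count": len(raised), "raised_code": raised_code,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```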


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Steven Jones
I have hundreds of disable users in IPA now transferred from AD, is there a 
quick/clean way to purge them from IPA?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Rich Megginson

On 09/20/2012 02:43 PM, Steven Jones wrote:

Some comments on the win sync agreement syntax.

Hi,

I'd like that command ipa-replica-manage connect  improved if possible,

1) A flag on --win-subtree not to include sub-directories under the 
specified OU= as I think it is why I've picked up lots of disabled 
users and templates. Also the capability to specify more than one OU 
as I at least have 2 OU= with users in (maybe it can do that I just 
don't see it)

https://fedorahosted.org/389/ticket/460


2) A flag something like --exclude='LDAP criteria/attribute'=disabled 
such that any disabled users in AD are not transferred, I just 
transferred 7 years of ex-users and 200+ templates I would rather not 
have... now I think I have a huge cleanup task.  Not just exclude, say 
location, so if I only want to sync users in one city (say) 
--include-only=LDAP Location'=Wellington

https://fedorahosted.org/389/ticket/460


Not sure if these are hugely useful but they would have helped me.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Steven Jones 
[steven.jo...@vuw.ac.nz]

*Sent:* Thursday, 20 September 2012 2:48 p.m.
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

it isn't,

I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working 
except I'm also getting some rubbish so it's looking like the import 
script/query to AD isn't right.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Steven Jones 
[steven.jo...@vuw.ac.nz]

*Sent:* Thursday, 20 September 2012 12:15 p.m.
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have -win-subtree cn= etc I take it that cn= is fine and that ou= 
and cn= are the same thing?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Thursday, 20 September 2012 11:03 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:

Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): 
State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): 
State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
ruv_add_csn_inprogress: successfully inserted csn 
504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state 
information from entry 
uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 
504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): 
State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): 
State: stop_fatal_error - stop_fatal_error

=


Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?





regards

Steven Jones

Technical Specialist

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Dmitri Pal
On 09/20/2012 04:43 PM, Steven Jones wrote:
 Some comments on the win sync agreement syntax.

 Hi,

 I'd like that command ipa-replica-manage connect  improved if possible,

 1) A flag on --win-subtree not to include sub-directories under the
 specified OU= as I think it is why Ive picked up lots of disabled
 users and templates. Also the capability to specify more than one OU
 as I at least have 2 OU= with users in (maybe it can do that I just
 dont see it)

 2) A flag something like --exclude='LDAP criteria/attribute'=disabled
 such that any disabled users in AD are not transferred, I just
 transferred 7 years of ex-users and 200+ templates I would rather not
 havenow I think I have a huge cleanup task.  Not just exclude, say
 location, so if I only want to sync users in one city (say)
 --include-only=LDAP Location'=Wellington

 Not sure if these are hugely useful but they would have helped me.

Thank you for the feedback.
Would you mind filing BZs or trac tickets?


 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 *From:* freeipa-users-boun...@redhat.com
 [freeipa-users-boun...@redhat.com] on behalf of Steven Jones
 [steven.jo...@vuw.ac.nz]
 *Sent:* Thursday, 20 September 2012 2:48 p.m.
 *Cc:* freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

 It isn't,

 I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working
 except I'm also getting some rubbish, so it's looking like the import
 script/query to AD isn't right.

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 *From:* freeipa-users-boun...@redhat.com
 [freeipa-users-boun...@redhat.com] on behalf of Steven Jones
 [steven.jo...@vuw.ac.nz]
 *Sent:* Thursday, 20 September 2012 12:15 p.m.
 *Cc:* freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

 Hi,

 I have --win-subtree cn= etc. I take it that cn= is fine and that ou=
 and cn= are the same thing?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 *From:* Rich Megginson [rmegg...@redhat.com]
 *Sent:* Thursday, 20 September 2012 11:03 a.m.
 *To:* Steven Jones
 *Cc:* freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

 On 09/19/2012 04:55 PM, Steven Jones wrote:
 Hi,


 Sample of errors log,

 =
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
 program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
 database
 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
 program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
 database
 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
 successfully committed csn 504d01f70011
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
 agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389):
 State: stop_fatal_error - stop_fatal_error
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
 agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389):
 State: stop_fatal_error - stop_fatal_error
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
 ruv_add_csn_inprogress: successfully inserted csn
 504d01f80011 into pending list
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state
 information from entry
 uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN
 504d42c50004
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
 program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
 database
 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
 program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
 database
 /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
 successfully committed csn 504d01f80011
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
 agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389):
 State: stop_fatal_error - stop_fatal_error
 [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
 agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389):
 State: stop_fatal_error - stop_fatal_error
 =

 Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?




 regards

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Steven Jones
Hi,

I have imported users, but there are 5700 of them and I only have 2000, which 
corresponds to the view that AD gives you by default.  This makes me think that 
that limit is all AD is allowing the query to see?

Is there a way to expand it?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 21 September 2012 8:44 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

I have hundreds of disabled users in IPA now transferred from AD, is there a 
quick/clean way to purge them from IPA?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Steven Jones
Uh... I just deleted the AD user templates but it puts them back, also the 
disabled users are in a sub-container and when I delete them in IPA they 
re-appear a few minutes later...

:(




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 21 September 2012 8:56 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 04:54 PM, Dmitri Pal wrote:
On 09/20/2012 04:43 PM, Steven Jones wrote:
Some comments on the win sync agreement syntax.

Hi,

I'd like that command ipa-replica-manage connect improved if possible,

1) A flag on --win-subtree not to include sub-directories under the specified 
OU= as I think it is why I've picked up lots of disabled users and templates. 
Also the capability to specify more than one OU as I at least have 2 OU= with 
users in (maybe it can do that, I just don't see it)

2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that 
any disabled users in AD are not transferred, I just transferred 7 years of 
ex-users and 200+ templates I would rather not have... now I think I have a 
huge cleanup task.  Not just exclude, say location, so if I only want to sync 
users in one city (say) --include-only=LDAP Location'=Wellington

Not sure if these are hugely useful but they would have helped me.

Thank you for the feedback.
Would you mind filing BZs or trac tickets?

NM. Rich bit me.






regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 2:48 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

It isn't,

I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except 
I'm also getting some rubbish, so it's looking like the import script/query to 
AD isn't right.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have --win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are 
the same thing?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: 
successfully inserted csn 504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information 
from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
CSN 504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Steven Jones
Disabled may not be logical, as then once a user becomes disabled in AD, IPA 
will remove it rather than act and disable it.

The way I read this, winsync is running the same command as I did initially 
by hand every 5 mins...



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 21 September 2012 8:53 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 02:43 PM, Steven Jones wrote:
Some comments on the win sync agreement syntax.

Hi,

I'd like that command ipa-replica-manage connect improved if possible,

1) A flag on --win-subtree not to include sub-directories under the specified 
OU= as I think it is why I've picked up lots of disabled users and templates. 
Also the capability to specify more than one OU as I at least have 2 OU= with 
users in (maybe it can do that, I just don't see it)
https://fedorahosted.org/389/ticket/460

2) A flag something like --exclude='LDAP criteria/attribute'=disabled such that 
any disabled users in AD are not transferred, I just transferred 7 years of 
ex-users and 200+ templates I would rather not have... now I think I have a 
huge cleanup task.  Not just exclude, say location, so if I only want to sync 
users in one city (say) --include-only=LDAP Location'=Wellington
https://fedorahosted.org/389/ticket/460

Not sure if these are hugely useful but they would have helped me.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 2:48 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

It isn't,

I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except 
I'm also getting some rubbish, so it's looking like the import script/query to 
AD isn't right.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have --win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are 
the same thing?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: 
successfully inserted csn 504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information 
from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
CSN 504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Rich Megginson

On 09/20/2012 03:52 PM, Steven Jones wrote:

Hi,

I have imported users, but there are 5700 of them and I only have 2000, 
which corresponds to the view that AD gives you by default.  This 
makes me think that that limit is all AD is allowing the query to see?


You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py 
to test what winsync sees when it searches.


Is there a way to expand it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Steven Jones 
[steven.jo...@vuw.ac.nz]

*Sent:* Friday, 21 September 2012 8:44 a.m.
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

I have hundreds of disabled users in IPA now transferred from AD, is 
there a quick/clean way to purge them from IPA?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272





Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-20 Thread Steven Jones
Hi,

It seems IPA has some sort of search limit: it will only show the first 2k 
of user entries?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 21 September 2012 11:38 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 03:52 PM, Steven Jones wrote:
Hi,

I have imported users, but there are 5700 of them and I only have 2000, which 
corresponds to the view that AD gives you by default.  This makes me think that 
that limit is all AD is allowing the query to see?

You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test 
what winsync sees when it searches.

Is there a way to expand it?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 21 September 2012 8:44 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

I have hundreds of disabled users in IPA now transferred from AD, is there a 
quick/clean way to purge them from IPA?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272





Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Rich Megginson

On 09/19/2012 04:55 PM, Steven Jones wrote:

Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): 
State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): 
State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
ruv_add_csn_inprogress: successfully inserted csn 504d01f80011 
into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state 
information from entry 
uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 
504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): 
State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): 
State: stop_fatal_error - stop_fatal_error

=


Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?





regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Wednesday, 19 September 2012 12:32 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:

Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree 
cn=VUW_Staff,dc= etc






This I don't understand.

I have the -v already, any way to make it very verbose?


http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under 
the --win-subtree cn=VUW_Staff,dc= etc




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, 18 September 2012 12:47 p.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:

Hi,

The first time I missed the --win-subtree setting so I wiped the 
admins in the IPA admin group and users as they were not in cn=users 
as per the bug.  The second time, as far as I can tell, I specified 
the correct cn via the --win-subtree flag but I still appear to have lost 
the users in IPA... now I expected to lose the admins but the loss 
of users as well confounds me.


I did an ldapsearch as a check and it seems to be saying the 
right folder/ou/cn but IPA is empty.


Hence I was wondering if there was a log recording what the update 
was doing so I could try and figure out the mistake.  I've tried 
grepping, can't find any indication.


I will re-try with -v, verbose.


It is not clear from the manuals, but no matter what --win-subtree you 
specify, winsync will search AD starting from the dc=domain suffix.  
So, for example, if you have

cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree cn=mystaff,cn=staff,dc=example,dc=com
winsync will still search starting from dc=example,dc=com and will 
hit ticket/355 if there are any users outside of 
cn=mystaff,cn=staff,dc=example,dc=com that have the same username as 
a user in IPA.




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
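The two checks this thread keeps coming back to, written out as an added example (this is not code from the thread, from FreeIPA or from 389-ds): Rich's point that --win-subtree does not narrow the AD search, so an AD account outside the subtree that shares a username with an IPA user still collides with it, and his advice to read the errors log at replication log level 8192. The AD export, the IPA uid set, the example.com names and the last log line are constructed; the other log lines are the ones quoted in the thread. DN handling is simplified and assumes no escaped commas.

```python
"""Two offline winsync sanity checks for the situation in this thread.

Added example; not code from the thread, from FreeIPA or from 389-ds.  The
AD export, IPA uid set, example.com names and the last log line are
constructed; the other log lines are the ones quoted in the thread.
"""
import re
from collections import OrderedDict

# ---------------------------------------------------------------------------
# 1. --win-subtree does not narrow the AD search.  winsync searches AD from
#    the dc= suffix, so an AD account *outside* the subtree whose
#    sAMAccountName equals an IPA uid can still collide with the IPA entry
#    (the ticket/355 case).  List such accounts from a (DN, sAMAccountName)
#    export before enabling the agreement.
# ---------------------------------------------------------------------------

def _rdns(dn):
    """Split a DN into normalized RDNs (simplified: assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, subtree):
    """True if dn is the subtree itself or lies anywhere below it."""
    d, s = _rdns(dn), _rdns(subtree)
    return len(d) >= len(s) and d[-len(s):] == s


def collisions(ad_entries, ipa_uids, win_subtree):
    """(sAMAccountName, DN) pairs for AD accounts outside win_subtree whose
    name matches an IPA uid; compared case-insensitively, as the directories do."""
    wanted = {u.lower() for u in ipa_uids}
    return sorted((sam, dn) for dn, sam in ad_entries
                  if sam.lower() in wanted and not in_subtree(dn, win_subtree))


# Constructed AD export: (distinguishedName, sAMAccountName).
AD_EXPORT = [
    ("CN=Steven Jones,OU=VUW_Staff,DC=example,DC=com", "jonesst1"),
    ("CN=Steven Jones,CN=Staff_Admins,DC=example,DC=com", "jonesst1"),            # outside, same name
    ("CN=Left Long Ago,OU=Disabled,OU=VUW_Staff,DC=example,DC=com", "leftlong"),  # sub-OU: inside
    ("CN=Template,OU=Templates,DC=example,DC=com", "template1"),                  # outside, no IPA match
]
IPA_UIDS = {"jonesst1", "leftlong", "admin"}            # constructed
WIN_SUBTREE = "OU=VUW_Staff,DC=example,DC=com"          # constructed

# ---------------------------------------------------------------------------
# 2. Reading the errors log at replication log level 8192.  Agreement lines
#    say which agreement changed state; "Purged state" lines name the IPA
#    entries being touched.  In the thread the two agreements in
#    stop_fatal_error are the IPA-to-IPA replication agreements, not the
#    winsync one, so the first question is *which* agreement is failing.
# ---------------------------------------------------------------------------

# Real logs write agmt="cn=NAME" (host:port): State: OLD -> NEW; the mail
# archive dropped the quotes and the '>', so both forms are accepted.
AGMT_RE = re.compile(
    r'agmt="?cn=(?P<name>[^"\s(]+)"?\s*\((?P<host>[^)]+)\):\s*State:\s*'
    r'(?P<old>\S+)\s*-+>?\s*(?P<new>\S+)')
PURGE_RE = re.compile(
    r'Purged state information from entry (?P<dn>\S+) up to CSN (?P<csn>\S+)')


def agreement_states(log_lines):
    """Map agreement name -> last state seen, in order of first appearance."""
    states = OrderedDict()
    for line in log_lines:
        m = AGMT_RE.search(line)
        if m:
            states[m.group("name")] = m.group("new")
    return states


def fatal_agreements(log_lines):
    """Agreement names whose last recorded state is stop_fatal_error."""
    return sorted(name for name, state in agreement_states(log_lines).items()
                  if state == "stop_fatal_error")


def purged_entries(log_lines):
    """(entry DN, CSN) for every 'Purged state information' line."""
    return [(m.group("dn"), m.group("csn"))
            for m in map(PURGE_RE.search, log_lines) if m]


ERRORS_LOG = """\
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 504d42c50004
[17/Sep/2012:13:31:49 +1200] NSMMReplicationPlugin - agmt="cn=meToad.example.com" (ad.example.com:389): State: wait_for_changes -> ready_to_acquire_replica
""".splitlines()   # last line constructed; the others are quoted in the thread

if __name__ == "__main__":
    for sam, dn in collisions(AD_EXPORT, IPA_UIDS, WIN_SUBTREE):
        print("COLLISION outside --win-subtree: %s  (%s)" % (sam, dn))
    for name, state in agreement_states(ERRORS_LOG).items():
        print("agreement %-40s %s" % (name, state))
    for dn, csn in purged_entries(ERRORS_LOG):
        print("purged state on %s up to CSN %s" % (dn, csn))
```

Run as a script it reports the one AD account that sits outside OU=VUW_Staff yet carries an IPA uid, and the per-agreement states from the log. On the thread's own log lines the two agreements in stop_fatal_error are the meTovuwunicoipam002/003 replication agreements, which is consistent with Steven's later answer that those are replication agreements rather than the winsync one; the winsync agreement itself would show up under its own cn.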

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi,

No, that is the replication agreement, I've turned that server off so it doesn't 
also get wiped.

I am running with a log error level 8192 right now for a full errors output...



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: 
successfully inserted csn 504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information 
from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
CSN 504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: 
stop_fatal_error - stop_fatal_error
=

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?





regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc




This I don't understand.

I have the -v already, any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the 
--win-subtree cn=VUW_Staff,dc= etc



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,

The first time I missed the --win-subtree setting so I wiped the admins in the 
IPA admin group and users as they were not in cn=users as per the bug.  The 
second time, as far as I can tell, I specified the correct cn via the --win-subtree 
flag but I still appear to have lost the users in IPA... now I expected to 
lose the admins but the loss of users as well confounds me.

I did an ldapsearch as a check and it seems to be saying the right 
folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so 
I could try and figure out the mistake.  I've tried grepping, can't find any 
indication.

I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what --win-subtree you

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi,

I have --win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are 
the same thing?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: 
successfully inserted csn 504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information 
from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
CSN 504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam002.ods.vuw.ac.nz (vuwunicoipam002:389): State: 
stop_fatal_error - stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt=cn=meTovuwunicoipam003.ods.vuw.ac.nz (vuwunicoipam003:389): State: 
stop_fatal_error - stop_fatal_error
=

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?





regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc




This I don't understand.

I have the -v already, any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the 
--win-subtree cn=VUW_Staff,dc= etc



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,

The first time I missed the --win-subtree setting so I wiped the admins in the 
IPA admin group and users as they were not in cn=users as per the bug.  The 
second time, as far as I can tell, I specified the correct cn via the --win-subtree 
flag but I still appear to have lost the users in IPA... now I expected to 
lose the admins but the loss of users as well confounds me.

I did an ldapsearch as a check and it seems to be saying the right 
folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so 
I could try and figure out the mistake.  I've tried grepping, can't find any 
indication.

I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what --win-subtree you specify, 
winsync will search AD starting from the dc=domain suffix.  So

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-18 Thread Rich Megginson

On 09/17/2012 07:10 PM, Steven Jones wrote:

Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree 
cn=VUW_Staff,dc= etc






This I don't understand

I have the -v already, any way to make it very verbose?


http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under
the --win-subtree cn=VUW_Staff,dc= etc




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, 18 September 2012 12:47 p.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:

Hi,

The first time I missed the --win-subtree settings so I wiped the
admins in the IPA admin group and users as they were not in cn=users
as per the bug.  The second time, as far as I can tell, I specified the
correct cn via the win-subtree flag but I still appear to have lost the
users in IPA. Now, I expected to lose the admins but the loss of
users as well confounds me.


I did an ldapsearch as per checking and it seems to be saying the
right folder/ou/cn but IPA is empty.


Hence I was wondering if there was a log recording what the update
was doing so I could try and figure out the mistake.  I've tried
grepping, can't find any indication.


I will re-try with -v, verbose.


It is not clear from the manuals, but no matter what -win-subtree you 
specify, winsync will search AD starting from the dc=domain suffix.  
So, for example, if you have

cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree cn=mystaff,cn=staff,dc=example,dc=com
winsync will still search starting from dc=example,dc=com and will hit 
ticket/355 if there are any users outside of 
cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a 
user in IPA.




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, 18 September 2012 11:37 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:

Hi,

I just tried to do a winsync agreement with specifying the AD point 
as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are 
not in the users folder but the VUW_Staff folder (at the same level) 
and it wiped all IPA users that are also in AD.


Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere
as opposed to update in progress dumped to the screen?  Something
went badly wrong, I just don't know what.


You are seeing something different than #355?



:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users







Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-17 Thread Rich Megginson

On 09/17/2012 04:17 PM, Steven Jones wrote:

Hi,

I just tried to do a winsync agreement with specifying the AD point as 
cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are not 
in the users folder but the VUW_Staff folder (at the same level) and 
it wiped all IPA users that are also in AD.


Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere
as opposed to update in progress dumped to the screen?  Something
went badly wrong, I just don't know what.


You are seeing something different than #355?



:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272







Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-17 Thread Steven Jones
Hi,

The first time I missed the --win-subtree settings so I wiped the admins in the
IPA admin group and users as they were not in cn=users as per the bug.  The
second time, as far as I can tell, I specified the correct cn via the win-subtree
flag but I still appear to have lost the users in IPA. Now, I expected to
lose the admins but the loss of users as well confounds me.

I did an ldapsearch as per checking and it seems to be saying the right
folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so
I could try and figure out the mistake.  I've tried grepping, can't find any
indication.

I will re-try with -v, verbose.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:
Hi,

I just tried to do a winsync agreement with specifying the AD point as 
cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are not in the 
users folder but the VUW_Staff folder (at the same level) and it wiped all IPA 
users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed
to update in progress dumped to the screen?  Something went badly wrong, I
just don't know what.

You are seeing something different than #355?


:/


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272






Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-17 Thread Rich Megginson

On 09/17/2012 06:17 PM, Steven Jones wrote:

Hi,

The first time I missed the --win-subtree settings so I wiped the admins
in the IPA admin group and users as they were not in cn=users as per
the bug.  The second time, as far as I can tell, I specified the correct
cn via the win-subtree flag but I still appear to have lost the users in
IPA. Now, I expected to lose the admins but the loss of users as
well confounds me.


I did an ldapsearch as per checking and it seems to be saying the
right folder/ou/cn but IPA is empty.


Hence I was wondering if there was a log recording what the update was
doing so I could try and figure out the mistake.  I've tried grepping,
can't find any indication.


I will re-try with -v, verbose.


It is not clear from the manuals, but no matter what -win-subtree you 
specify, winsync will search AD starting from the dc=domain suffix.  So, 
for example, if you have

cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree cn=mystaff,cn=staff,dc=example,dc=com
winsync will still search starting from dc=example,dc=com and will hit 
ticket/355 if there are any users outside of 
cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a 
user in IPA.




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, 18 September 2012 11:37 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:

Hi,

I just tried to do a winsync agreement with specifying the AD point 
as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are 
not in the users folder but the VUW_Staff folder (at the same level) 
and it wiped all IPA users that are also in AD.


Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere
as opposed to update in progress dumped to the screen?  Something
went badly wrong, I just don't know what.


You are seeing something different than #355?



:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272









Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-17 Thread Steven Jones
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc

This I don't understand

I have the -v already, any way to make it very verbose?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,

The first time I missed the --win-subtree settings so I wiped the admins in the
IPA admin group and users as they were not in cn=users as per the bug.  The
second time, as far as I can tell, I specified the correct cn via the win-subtree
flag but I still appear to have lost the users in IPA. Now, I expected to
lose the admins but the loss of users as well confounds me.

I did an ldapsearch as per checking and it seems to be saying the right
folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so
I could try and figure out the mistake.  I've tried grepping, can't find any
indication.

I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what -win-subtree you specify, 
winsync will search AD starting from the dc=domain suffix.  So, for example, if 
you have
cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree cn=mystaff,cn=staff,dc=example,dc=com
winsync will still search starting from dc=example,dc=com and will hit
ticket/355 (https://fedorahosted.org/389/ticket/355) if there are any users
outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as
a user in IPA.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 04:17 PM, Steven Jones wrote:
Hi,

I just tried to do a winsync agreement with specifying the AD point as 
cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are not in the 
users folder but the VUW_Staff folder (at the same level) and it wiped all IPA 
users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

While doing the actual update does this get verbosely logged anywhere as opposed
to update in progress dumped to the screen?  Something went badly wrong, I
just don't know what.

You are seeing something different than #355?


:/


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272






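As an added example (not code from this thread, from FreeIPA or from 389-ds), the following Python script models the scoping rule Rich explains above and turns it into a dry-run check to run before creating an agreement: given the accounts under the AD domain suffix and the IPA uids, it lists every IPA user that has a same-named AD account outside the requested --win-subtree and would therefore be removed under ticket/355. The sample entries, the example.com suffix and the assumption that sAMAccountName is compared case-insensitively with the IPA uid are mine; in a real check the AD list would come from an ldapsearch of the whole domain, not just of the subtree.

```python
"""Dry-run scope check for a winsync agreement.

Added example for this thread; it is not FreeIPA or 389-ds code.  It models
the behaviour described above: winsync searches AD from the domain (dc=...)
suffix no matter what --win-subtree is given, so an AD account that lies
outside the subtree but carries the same username as an IPA user is seen as
out of scope, and ticket/355 deletes the IPA entry.  The AD and IPA entries
below are constructed sample data.  Assumptions: AD sAMAccountName is matched
against the IPA uid case-insensitively, and no DN contains an escaped comma.
"""


def split_dn(dn):
    """Split a DN into normalised RDN strings (lower-case, whitespace trimmed).

    Assumption: no RDN value contains an escaped comma, which holds for the
    simple container and user DNs discussed in the thread.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_is_under(dn, base):
    """True when dn equals base or lies anywhere beneath it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def domain_suffix(dn):
    """Return the trailing dc=... components of dn: the suffix winsync
    actually searches from, whatever subtree was requested."""
    suffix = []
    for rdn in reversed(split_dn(dn)):
        if not rdn.startswith("dc="):
            break
        suffix.insert(0, rdn)
    return ",".join(suffix)


def at_risk_ipa_users(ad_entries, ipa_uids, win_subtree):
    """Map each IPA uid that would be deleted to the AD DNs that cause it.

    ad_entries: iterable of (dn, sAMAccountName) pairs from a search of the
                whole AD domain.
    ipa_uids:   iterable of IPA user uids.
    Only AD entries under the domain suffix, outside win_subtree, and sharing
    a username with an IPA user are reported.
    """
    suffix = domain_suffix(win_subtree)
    ipa = {uid.lower() for uid in ipa_uids}
    risk = {}
    for dn, sam in ad_entries:
        if not dn_is_under(dn, suffix):
            continue          # outside the domain: winsync never sees it
        if dn_is_under(dn, win_subtree):
            continue          # in scope: this one is synced, not deleted
        if sam.lower() in ipa:
            risk.setdefault(sam.lower(), []).append(dn)
    return risk


# Constructed sample data, modelled on the layout in the thread: staff live
# in cn=VUW_Staff, admins in cn=Staff_Admins, a leftover account in cn=Users.
SAMPLE_AD = [
    ("cn=alice,cn=VUW_Staff,dc=example,dc=com", "alice"),
    ("cn=dave,cn=VUW_Staff,dc=example,dc=com", "dave"),
    ("cn=bob,cn=Staff_Admins,dc=example,dc=com", "bob"),
    ("cn=Carol,cn=Users,dc=example,dc=com", "Carol"),
]
SAMPLE_IPA = ["alice", "bob", "carol", "erin"]
SAMPLE_SUBTREE = "cn=VUW_Staff,dc=example,dc=com"


def main():
    risk = at_risk_ipa_users(SAMPLE_AD, SAMPLE_IPA, SAMPLE_SUBTREE)
    if not risk:
        print("no IPA users collide with AD accounts outside", SAMPLE_SUBTREE)
    for uid, dns in sorted(risk.items()):
        print("IPA user %r would be deleted; out-of-subtree AD match(es): %s"
              % (uid, ", ".join(dns)))


if __name__ == "__main__":
    main()
```

With the sample data, alice is inside the subtree and is synced normally, dave has no IPA counterpart, and erin has no AD counterpart; bob (in cn=Staff_Admins) and carol (in cn=Users) are the two IPA users the check flags, which matches the pattern in the thread where both admins and ordinary users disappeared.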