On 09/20/2012 02:43 PM, Steven Jones wrote:
Some comments on the win sync agreement syntax.
Hi,
I'd like that command ipa-replica-manage connect "improved" if possible,
1) A flag on --win-subtree not to include sub-directories under the
specified OU= as I think it is why Ive picked up lots of disabled
users and templates. Also the capability to specify more than one OU
as I at least have 2 OU= with users in (maybe it can do that I just
dont see it)
https://fedorahosted.org/389/ticket/460
2) A flag something like --exclude='LDAP criteria/attribute'=disabled
such that any disabled users in AD are not transferred, I just
transferred 7 years of ex-users and 200+ templates I would rather not
have....now I think I have a huge cleanup task. Not just exclude, say
location, so if I only want to sync users in one city (say)
--include-only="LDAP Location'=Wellington
https://fedorahosted.org/389/ticket/460
Not sure if these are hugely useful but they would have helped me.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Steven Jones
[steven.jo...@vuw.ac.nz]
*Sent:* Thursday, 20 September 2012 2:48 p.m.
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
it isnt,
Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly working
except Im also getting some "rubbish" so its looking like the import
script/query to AD isnt right.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Steven Jones
[steven.jo...@vuw.ac.nz]
*Sent:* Thursday, 20 September 2012 12:15 p.m.
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
Hi,
I have -win-subtree cn= etc I take it that cn= is fine and that ou=
and cn= are the same thing?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Thursday, 20 September 2012 11:03 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,
Sample of errors log,
=========
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
successfully committed csn 504d01f7000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389):
State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389):
State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
ruv_add_csn_inprogress: successfully inserted csn
504d01f8000000110000 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state
information from entry
uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN
504d42c5000000040000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog
program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for
database
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv:
successfully committed csn 504d01f8000000110000
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389):
State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin -
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389):
State: stop_fatal_error -> stop_fatal_error
=========
Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Wednesday, 19 September 2012 12:32 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/17/2012 07:10 PM, Steven Jones wrote:
Hi,
I understand that I'll lose users that are cn=Staff_Admins,dc=etc
So the Q is why I am losing users in the --win-subtree
cn=VUW_Staff,dc= etc
This I dont understand....
I have the -v already, anyway to make it very verbose?
http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries
under the --win-subtree cn=VUW_Staff,dc= etc
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, 18 September 2012 12:47 p.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,
The first time missed the --win-subtree settings so I wiped the
admins in the IPA admin group and users as they were not in
cn=users as per the bug. The second time as far as I can tell I
specified the correct cn via win-subtree flag but I still appear to
have lost the users in IPA.....now I expected to lose the admins
but the loss of users as well confounds me.
I did a ldapsearch as per checking and its seems to be saying the
right folder/ou/cn but IPA is empty.
Hence I was wondering if there was a log recording what the update
was doing so I could try and figure out the mistake. Ive tried
greping cant find any indication.
I will re-try with -v, verbose.
It is not clear from the manuals, but no matter what -win-subtree
you specify, winsync will search AD starting from the dc=domain
suffix. So, for example, if you have
cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
winsync will still search starting from dc=example,dc=com and will
hit ticket/355 if there are any users outside of
cn=mystaff,cn=staff,dc=example,dc=com that have the same username as
a user in IPA.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, 18 September 2012 11:37 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/17/2012 04:17 PM, Steven Jones wrote:
Hi,
I just tried to do a winsync agreement with specifying the AD
point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my
users are not in the users folder but the VUW_Staff folder (at the
same level) and it wiped all IPA users that are also in AD.
Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of
scope
While doing the actual update does this get verbosly logged
anywhere as opposed to "update in progress" dumped to the screen?
Something went badly wrong, I just dont know what.
You are seeing something different than #355?
:/
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users