Hi, I am trying to run this and getting search exceeded.
ldapsearch -xLLL -D <winsync_binddn> -w <passwd> -h <AD_host> -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt Looks like I have 5900 AD users buy only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. :( regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rich Megginson [rmegg...@redhat.com] Sent: Saturday, 22 September 2012 3:46 a.m. To: d...@redhat.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement wipes IPA users On 09/21/2012 09:18 AM, Dmitri Pal wrote: > On 09/21/2012 11:07 AM, Rich Megginson wrote: >> On 09/21/2012 09:04 AM, Dmitri Pal wrote: >>> On 09/21/2012 09:23 AM, Rich Megginson wrote: >>>> On 09/21/2012 05:21 AM, Martin Kosek wrote: >>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your >>>>> case >>>>> nsslapd-sizelimit. This can be increased either globally or (this >>>>> seems as a >>>>> more secure solution) for a user you bind as: >>>>> >>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html >>>>> >>>>> >>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 >>>> users from AD into IPA? If so, then that's a limit on the winsync user >>>> that must be increased in AD. >>>> >>> Rich, it seems that it might make sense to file an RFE for the winsync >>> to support paging control. >> AD supports the paging control? And this allows you to get around the >> search limit? >> > http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx > The default usually 2K BTW. https://fedorahosted.org/389/ticket/472 > >>>>> Martin >>>>> >>>>> On 09/21/2012 04:43 AM, Steven Jones wrote: >>>>>> Hi, >>>>>> >>>>>> It seems IPA has some sort of limit of searching it will only show >>>>>> the first 2k >>>>>> of user entries? >>>>>> >>>>>> regards >>>>>> >>>>>> Steven Jones >>>>>> >>>>>> Technical Specialist - Linux RHCE >>>>>> >>>>>> Victoria University, Wellington, NZ >>>>>> >>>>>> 0064 4 463 6272 >>>>>> >>>>>> ------------------------------------------------------------------------------- >>>>>> >>>>>> >>>>>> *From:* Rich Megginson [rmegg...@redhat.com] >>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m. >>>>>> *To:* Steven Jones >>>>>> *Cc:* freeipa-users@redhat.com >>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>> >>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have imported users, but there are 5700 of them but I only have >>>>>>> 2000 which >>>>>>> corresponds to the view that AD gives you by default. This makes >>>>>>> me think >>>>>>> that that limit is all the AD is allowing the query to see? >>>>>> You can use >>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test >>>>>> what winsync sees when it searches. >>>>>>> Is there a way to expand it? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> ------------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> *From:* freeipa-users-boun...@redhat.com >>>>>>> [freeipa-users-boun...@redhat.com] >>>>>>> on behalf of Steven Jones [steven.jo...@vuw.ac.nz] >>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m. >>>>>>> *Cc:* freeipa-users@redhat.com >>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users >>>>>>> >>>>>>> I have hundreds of disable users in IPA now transferred from AD, is >>>>>>> there a >>>>>>> quick/clean way to purge them from IPA? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> Steven Jones >>>>>>> >>>>>>> Technical Specialist - Linux RHCE >>>>>>> >>>>>>> Victoria University, Wellington, NZ >>>>>>> >>>>>>> 0064 4 463 6272 >>>>>>> >>>>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users@redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users@redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users