Ticket #355 - winsync should not delete entry that appears to be out of scope
https://fedorahosted.org/389/ticket/355
Resolves: Ticket #355
Bug Description: winsync should not delete entry that appears to be out of scope
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: There is a new winsync config attribute - winSyncMoveAction -
this is the action to take on the DS side when the winsync finds an AD entry
that has the same name/uid as a DS entry but the AD entry is out of the scope
of the sync agreement (winsync has to search out of scope/subtree on AD to
support deleted and moved entries). In earlier versions of DS, these entries
were ignored. When DS was changed to support entry move/subtree rename, the
winsync code was changed to delete entries moved out of scope. The new
winSyncMoveAction has 3 values:
none - ignore moved entries (like older versions of DS)
delete - delete DS entries when the AD entry moves out of scope - like current
versions of DS
unsync - new behavior - if the DS entry is currently synced with the AD entry
this will cause the DS entry to be "unlinked" from the AD entry so
that they will no longer be in sync
The default value is "none" because we should not unexpectedly delete DS
entries (principle of least astonishment).
Another problem with winsync is that it allowed you to change the subtree and
domain in the middle of a sync update - this can lead to a great deal of
confusion if suddenly many entries are out of scope. The fix is to "save"
the changes in the entry, and apply those changes when the update is
complete.
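An illustrative model of the two behaviours described above, as an added example in Python; it is not code from the 389 DS tree (the winsync plugin itself is written in C), and it simplifies: matching on uid/sAMAccountName only, a DN-suffix scope check, and an assumed `nt_unique_id` field standing in for the attribute that links a DS entry to its AD counterpart. The DNs and entries are constructed sample data.

```python
"""Model of winSyncMoveAction (none/delete/unsync) and of deferring a
subtree change until the running update finishes.  Added example, not
389 DS code; attribute/field names below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

VALID_ACTIONS = ("none", "delete", "unsync")


def in_scope(dn: str, subtree: str) -> bool:
    """True if dn is the subtree itself or lies beneath it.

    Simple case-insensitive suffix match on comma-separated RDNs; real DN
    normalisation is more involved, this is enough for the example."""
    def norm(s: str) -> str:
        return ",".join(p.strip().lower() for p in s.split(","))
    d, s = norm(dn), norm(subtree)
    return d == s or d.endswith("," + s)


@dataclass
class DSEntry:
    dn: str
    uid: str
    # Assumed: value copied from the AD objectGUID when the entries are
    # linked; None means "not currently synced with any AD entry".
    nt_unique_id: Optional[str] = None


@dataclass
class ADEntry:
    dn: str
    sam_account_name: str
    object_guid: str


@dataclass
class Agreement:
    ad_subtree: str
    move_action: str = "none"            # default: never delete unexpectedly
    ds_entries: Dict[str, DSEntry] = field(default_factory=dict)
    in_update: bool = False
    pending: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.move_action not in VALID_ACTIONS:
            raise ValueError(f"bad winSyncMoveAction: {self.move_action!r}")

    # --- scope change handling -------------------------------------------
    def set_ad_subtree(self, subtree: str) -> None:
        """While an update runs, park the change; apply it when it ends."""
        if self.in_update:
            self.pending["ad_subtree"] = subtree
        else:
            self.ad_subtree = subtree

    def begin_update(self) -> None:
        self.in_update = True

    def end_update(self) -> None:
        self.in_update = False
        if "ad_subtree" in self.pending:
            self.ad_subtree = self.pending.pop("ad_subtree")

    # --- per-entry decision ----------------------------------------------
    def process_ad_entry(self, ad: ADEntry) -> str:
        """Return what was done for one AD search result: 'no-match',
        'in-scope', 'ignored', 'deleted' or 'unlinked'."""
        ds = self.ds_entries.get(ad.sam_account_name)
        if ds is None:
            return "no-match"
        if in_scope(ad.dn, self.ad_subtree):
            return "in-scope"          # normal sync path, not modelled here
        # AD entry with the same name is outside the agreement's subtree.
        if self.move_action == "none":
            return "ignored"           # behaviour of older DS versions
        if self.move_action == "delete":
            del self.ds_entries[ad.sam_account_name]
            return "deleted"
        # "unsync": only break the link if the entries really were linked.
        if ds.nt_unique_id == ad.object_guid:
            ds.nt_unique_id = None
            return "unlinked"
        return "ignored"


def demo() -> Dict[str, str]:
    """Run the same moved AD entry through all three actions."""
    results = {}
    for action in VALID_ACTIONS:
        ag = Agreement(ad_subtree="OU=People,DC=example,DC=com", move_action=action)
        ag.ds_entries["alice"] = DSEntry("uid=alice,ou=People,dc=example,dc=com",
                                         "alice", nt_unique_id="guid-alice")
        moved = ADEntry("CN=alice,OU=Disabled,DC=example,DC=com", "alice", "guid-alice")
        results[action] = ag.process_ad_entry(moved)
    return results


if __name__ == "__main__":
    print(demo())  # {'none': 'ignored', 'delete': 'deleted', 'unsync': 'unlinked'}
```

The `unsync` branch is the interesting one: a second pass over the same moved entry returns `ignored`, because the link is gone and there is nothing left to unsync, so the DS entry survives untouched.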
Platforms tested: RHEL6 x86_64
Flag Day: yes - new attribute, schema
Doc impact: yes - new attribute, schema
(cherry picked from commit 3206571b8ac8308482c20c3866f407079479b8e6)