#47488 Users from AD sub OU does not sync to IPA
Closed: wontfix None Opened 7 years ago by nhosoi.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 994958

Description of problem:
Sub OU users are not synced when winsync agreement is created with
--win-subtree


Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.5-1.el7.x86_64
ipa-server-3.2.2-1.el7.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Set up AD and IPA server
2. Create an OU and sub OU within the OU on AD
3. Create a user in OU and a user in sub OU
4. Create winsync agreement with the OU using --win-subtree option

Actual results:
Only user from OU is synced to IPA. User from sub OU is not synced

Expected results:
User from Sub OU should also sync to IPA

Additional info:
ipaWinSyncUserFlatten is set

# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
ipaWinSyncUserFlatten: true

Logs errors.txt attached

Bug description: When processing a DN from AD, the DN is passed to
a helper function is_subject_of_agreement_remote
(windows_protocol_util.c) to check if the DN is a subject of the sync
service or not. The helper function was checking if the AD DN is just
a one-level child of the agreement subtree top (nsds7WindowsReplicaSubtree)
but not the subtree-level descendants. Note: the DN is an original one
in AD, which has not been flattened yet. Therefore, the AD entry was
determined not to be synchronized.

Fix description: This bug was fixed in the master tree with the
ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to
replay change.
3) is_subject_of_agreement_remote (windows_protocol_util.c):
When checking if the entry was in the subtree defined in the
agreement or not, it returned true only if the entry is a
direct child of the agreement subtree top. This patch returns
true if the entry is a further descendant of the subtree.
The fix is back ported to 389-ds-base-1.3.1 branch.

Reviewed by Rich (Thank you!!)

Pushed to 389-ds-base-1.3.1 branch:
3e7ee7c..529a544 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 529a544

Pushed to 389-ds-base-1.2.11 branch:
eed8bcc..26c669d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 26c669d
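
The difference between the one-level check and the subtree check described in the bug description above, as an added illustration in C. This is not the 389-ds-base patch: the function names and sample DNs are hypothetical, and DNs are assumed to be already normalized.

```c
#include <stdio.h>
#include <string.h>

/* Illustration only: hypothetical helpers, not the 389-ds-base code.
 * DNs are assumed to be normalized already (same case, no stray spaces). */

/* Return the parent DN (text after the first unescaped comma), or NULL. */
static const char *dn_parent(const char *dn)
{
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; } /* skip escaped char */
        if (*p == ',') return p + 1;
    }
    return NULL;
}

/* Behaviour described as the bug: only direct children of the subtree top. */
int in_scope_onelevel(const char *dn, const char *subtree)
{
    const char *parent = dn_parent(dn);
    return parent != NULL && strcmp(parent, subtree) == 0;
}

/* Behaviour described as the fix: any descendant of the subtree top. */
int in_scope_subtree(const char *dn, const char *subtree)
{
    for (const char *p = dn_parent(dn); p != NULL; p = dn_parent(p))
        if (strcmp(p, subtree) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *top = "ou=sales,dc=ad,dc=test";   /* constructed sample DNs */
    const char *dns[] = {
        "cn=user1,ou=sales,dc=ad,dc=test",          /* user in the OU */
        "cn=user2,ou=sub,ou=sales,dc=ad,dc=test",   /* user in the sub OU */
        "cn=user3,ou=hr,dc=ad,dc=test",             /* outside the subtree */
        "cn=x\\,ou=sales,dc=ad,dc=test",            /* escaped comma in RDN */
    };
    for (size_t i = 0; i < sizeof dns / sizeof dns[0]; i++)
        printf("%-42s onelevel=%d subtree=%d\n", dns[i],
               in_scope_onelevel(dns[i], top), in_scope_subtree(dns[i], top));
    return 0;
}
```

Walking the parent chain compares whole DNs at RDN boundaries, so an entry whose first RDN merely contains the text of the subtree top after an escaped comma is not treated as in scope.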

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.1.7

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/825

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

4 months ago
