#47488 Users from AD sub OU does not sync to IPA
Closed: Fixed None Opened 5 years ago by nhosoi.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 994958

Description of problem:
Sub OU users are not synced when winsync agreement is created with
--win-subtree


Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.5-1.el7.x86_64
ipa-server-3.2.2-1.el7.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Setup AD and IPA server
2. Create an OU and sub OU within the OU on AD
3. Create a user in OU and a user in sub OU
4. Create winsync agreement with the OU using --win-subtree option

Actual results:
Only user from OU is synced to IPA. User from sub OU is not synced

Expected results:
User from Sub OU should also sync to IPA

Additional info:
ipaWinSyncUserFlatten is set

# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
ipaWinSyncUserFlatten: true

Logs errors.txt attached

Bug description: When processing a DN from AD, the DN is passed to
a helper function is_subject_of_agreement_remote
(windows_protocol_util.c) to check if the DN is a subject of the
sync service or not. The helper function was checking if the AD DN
is just a one-level child of the agreement subtree top
(nsds7WindowsReplicaSubtree) but not the subtree-level descendants.
Note: the DN is an original one in AD, which has not been flattened
yet. Therefore, the AD entry was determined not to be synchronized.

Fix description: This bug was fixed in the master tree with the
ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to
replay change.
3) is_subject_of_agreement_remote (windows_protocol_util.c):
When checking if the entry was in the subtree defined in the
agreement or not, it returned true only if the entry is a
direct child of the agreement subtree top. This patch returns
true if the entry is a further descendant of the subtree.
The fix is back ported to 389-ds-base-1.3.1 branch.

Reviewed by Rich (Thank you!!)

Pushed to 389-ds-base-1.3.1 branch:
3e7ee7c..529a544 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 529a544

Pushed to 389-ds-base-1.2.11 branch:
eed8bcc..26c669d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 26c669d
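
The scope check described in the bug description, as an added C illustration that is not the 389-ds-base source: `in_scope_onelevel` models the one-level test and `in_scope_subtree` the any-depth test. The function names and sample DNs are constructed for this example, and the DNs are assumed to be already normalized.

```c
#include <stdio.h>
#include <strings.h>

/* Parent DN = text after the first unescaped ','; NULL if there is none.
 * Assumption: DNs are already normalized (no spaces around separators). */
static const char *dn_parent(const char *dn)
{
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1])
            p++;                 /* skip the escaped character, e.g. "\," */
        else if (*p == ',')
            return p + 1;
    }
    return NULL;
}

/* Behaviour the ticket reports: true only one level below the subtree top. */
int in_scope_onelevel(const char *dn, const char *top)
{
    const char *parent = dn_parent(dn);
    return parent != NULL && strcasecmp(parent, top) == 0;
}

/* Behaviour after the fix: true at any depth below the subtree top. */
int in_scope_subtree(const char *dn, const char *top)
{
    for (const char *p = dn_parent(dn); p != NULL; p = dn_parent(p))
        if (strcasecmp(p, top) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the ticket. */
    const char *top = "OU=Sync,DC=example,DC=test";
    const char *dns[] = {
        "CN=user1,OU=Sync,DC=example,DC=test",
        "CN=user2,OU=Sub,OU=Sync,DC=example,DC=test",
        "CN=Doe\\, John,ou=sub,ou=sync,dc=example,dc=test",
        "CN=x\\,OU=Sync,DC=example,DC=test",   /* escaped ',' is part of the RDN */
    };
    for (size_t i = 0; i < sizeof dns / sizeof dns[0]; i++)
        printf("%-50s onelevel=%d subtree=%d\n", dns[i],
               in_scope_onelevel(dns[i], top), in_scope_subtree(dns[i], top));
    return 0;
}
```

The last sample shows why the walk goes RDN by RDN instead of matching a string suffix: the escaped comma keeps `OU=Sync` inside the leaf RDN, so the entry is not under the agreement subtree.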

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.1.7

2 years ago
