Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 994958
Description of problem:
Sub OU users are not synced when winsync agreement is created with
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup AD and IPA server
2. Create an OU and sub OU within the OU on AD
3. Create a user in OU and a user in sub OU
4. Create winsync agreement with the OU using --win-subtree option
Only user from OU is synced to IPA. User from sub OU is not synced
User from Sub OU should also sync to IPA
ipaWinSyncUserFlatten is set
# ipa-winsync, plugins, config
Logs errors.txt attached
Bug description: When processing a DN from AD, the DN is passed to
a helper function is_subject_of_agreement_remote
(windows_protocol_util.c) to check if the DN is a subject of the
sync service or not.
The helper function was checking if the AD DN is just one-level
child of the agreement subtree top (nsds7WindowsReplicaSubtree) but
not the subtree-level descendants. Note: the DN is an original one
in AD, which has not been flattened yet. Therefore, the AD entry was
determined not to be synchronized.
Fix description: This bug was fixed in the master tree with the
ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to
3) is_subject_of_agreement_remote (windows_protocol_util.c):
When checking if the entry was in the subtree defined in the
agreement or not, it returned true only if the entry is a
direct child of the agreement subtree top. This patch returns
true if the entry is a further descendant of the subtree.
The fix is back ported to 389-ds-base-1.3.1 branch.
Reviewed by Rich (Thank you!!)
Pushed to 389-ds-base-1.3.1 branch:
3e7ee7c..529a544 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
Pushed to 389-ds-base-1.2.11 branch:
eed8bcc..26c669d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 22.214.171.124
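
The difference between the one-level check and the subtree check described in the bug and fix descriptions above, as an added example that is not the 389-ds-base code. The helpers parent_dn, is_direct_child and is_descendant are hypothetical, the DNs are constructed, and DNs are assumed to be already normalized (no spaces around separators).

```c
#include <stdio.h>
#include <strings.h>

/* Assumes normalized DNs. Returns the parent DN (text after the first
 * unescaped comma), or NULL when there is none. */
static const char *parent_dn(const char *dn)
{
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) {
            p++;                /* skip the escaped character, e.g. "\," */
        } else if (*p == ',') {
            return p + 1;
        }
    }
    return NULL;
}

/* One-level check: the behaviour the ticket describes as the bug. */
int is_direct_child(const char *dn, const char *top)
{
    const char *parent = parent_dn(dn);
    return parent != NULL && strcasecmp(parent, top) == 0;
}

/* Subtree check: true for any descendant of top, at any depth. */
int is_descendant(const char *dn, const char *top)
{
    for (const char *p = parent_dn(dn); p != NULL; p = parent_dn(p)) {
        if (strcasecmp(p, top) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample DNs, not taken from the ticket. */
    const char *top = "ou=people,dc=ad,dc=example,dc=test";
    const char *dns[] = {
        "cn=user1,ou=people,dc=ad,dc=example,dc=test",
        "cn=user2,ou=sub,ou=people,dc=ad,dc=example,dc=test",
        "cn=Doe\\, Jane,ou=sub,ou=people,dc=ad,dc=example,dc=test",
        "cn=user3,ou=other,dc=ad,dc=example,dc=test",
    };
    for (size_t i = 0; i < sizeof dns / sizeof dns[0]; i++)
        printf("%-58s one-level=%d subtree=%d\n", dns[i],
               is_direct_child(dns[i], top), is_descendant(dns[i], top));
    return 0;
}
```

Walking parent by parent on RDN boundaries, rather than comparing string suffixes, keeps an escaped comma inside an RDN value from being mistaken for a separator.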