Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 994958
Description of problem: Sub OU users are not synced when winsync agreement is created with --win-subtree Version-Release number of selected component (if applicable): 389-ds-base-1.3.1.5-1.el7.x86_64 ipa-server-3.2.2-1.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Setup AD and IPA server 2. Create an OU and sub OU within the OU on AD 3. Create a user in OU and a user in sub OU 4. Create winsync agreement with the OU using --win-subtree option Actual results: Only user from OU is synced to IPA. User from sub OU is not synced Expected results: User from Sub OU should also sync to IPA Additional info: ipaWinSyncUserFlatten is set # ipa-winsync, plugins, config dn: cn=ipa-winsync,cn=plugins,cn=config ipaWinSyncUserFlatten: true Logs errors.txt attached
Bug description: When processing a DN from AD, the DN is passed to a helper function is_subject_of_agreement_remote (windows_protocol_ util.c) to check if the DN is a subject of the sync service or not. The helper function was checking if the AD DN is just one-level child of the agreement subtree top (nsds7WindowsReplicaSubtree) but not the subtree-level descendents. Note: the DN is an original one in AD, which has not be flattened yet. Therefore, the AD entry was determined not to be synchronized.
Fix description: This bug was fixed in the master tree with the ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change. 3) is_subject_of_agreement_remote (windows_protocol_util.c): When checking if the entry was in the subtree defined in the agreement or not, it returned true only if the entry is a direct child of the agreement subtree top. This patch returns true if the entry is the further descendent of the subtree. The fix is back ported to 389-ds-base-1.3.1 branch.
attachment 0001-Ticket-47488-Users-from-AD-sub-OU-does-not-sync-to-I.patch
Reviewed by Rich (Thank you!!)
Pushed to 389-ds-base-1.3.1 branch: 3e7ee7c..529a544 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit 529a544
Pushed to 389-ds-base-1.2.11 branch: eed8bcc..26c669d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 26c669d
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.3.1.7
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/825
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.