Ticket #47488 - Users from AD sub OU does not sync to IPA
Bug description: When processing a DN from AD, the DN is passed to
a helper function is_subject_of_agreement_remote (windows_protocol_
util.c) to check if the DN is a subject of the sync service or not.
The helper function was checking if the AD DN is just one-level
child of the agreement subtree top (nsds7WindowsReplicaSubtree) but
not the subtree-level descendents. Note: the DN is an original one
in AD, which has not be flattened yet. Therefore, the AD entry was
determined not to be synchronized.
Fix description: This bug was fixed in the master tree with the
ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to
replay change.
3) is_subject_of_agreement_remote (windows_protocol_util.c):
When checking if the entry was in the subtree defined in the
agreement or not, it returned true only if the entry is a
direct child of the agreement subtree top. This patch returns
true if the entry is the further descendent of the subtree.
The fix is back ported to 389-ds-base-1.3.1 branch.
Reviewed by Rich (Thank you!!)
https://fedorahosted.org/389/ticket/47488
(cherry picked from commit 529a544a2fe9961d9286e191346fb5faca27d38b)
(cherry picked from commit 26c669dcad15f9dbbfdff6fbeffac579099b7718)