Bug 1016038 - Users from AD sub OU does not sync to IPA
Summary: Users from AD sub OU does not sync to IPA
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-10-07 11:28 UTC by Steeve Goveas
Modified: 2015-02-14 14:15 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.15-28.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 994958
Environment:
Last Closed: 2013-11-21 21:12:47 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1653 normal SHIPPED_LIVE 389-ds-base bug fix update 2013-11-20 21:53:19 UTC

Comment 4 Steeve Goveas 2013-10-09 12:19:47 UTC
[root@dhcp207-25 ~]# yum install ipa-server

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                                 Arch                                        Version                                               Repository                                         Size
===================================================================================================================================================================================================================
Installing:
 ipa-server                                              x86_64                                      3.0.0-37.el6                                          ipa-latest                                        1.1 M
Installing for dependencies:
 389-ds-base                                             x86_64                                      1.2.11.15-28.el6                                      errata-15403                                      1.5 M
 ipa-server-selinux                                      x86_64                                      3.0.0-37.el6                                          ipa-latest                                         63 k
 slapi-nis                                               x86_64                                      0.40-4.el6                                            rhel-latest                                       100 k

Transaction Summary
===================================================================================================================================================================================================================
Install       4 Package(s)

Total download size: 2.7 M
Installed size: 9.4 M
Is this ok [y/N]: y

* Listing OU, sub OU and its users

[root@dhcp207-25 ~]# ldapsearch -LLLx -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "OU=level1,DC=adrelm,DC=com" dn
dn: OU=level1,DC=adrelm,DC=com

dn: OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=sub1user2 ads,OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=sub1user3 ads,OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=l1user ads,OU=level1,DC=adrelm,DC=com

[root@dhcp207-25 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1419000000
  GID: 1419000000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-25 ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/tmp/tmp.ZtZE5tgbD4/ADcert.cer squab.adrelm.com --binddn "CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123 --win-subtree="OU=level1,DC=adrelm,DC=com"
Added CA certificate /tmp/tmp.ZtZE5tgbD4/ADcert.cer to certificate database for dhcp207-25.testrelm.com
ipa: INFO: AD Suffix is: DC=adrelm,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'dhcp207-25.testrelm.com' to 'squab.adrelm.com'

* Users from Sub OU synced to IPA

[root@dhcp207-25 ~]# ipa user-find | egrep 'User login|Account disabled|Password'
  User login: admin
  Account disabled: False
  Password: True
  User login: l1user
  Account disabled: False
  Password: False
  User login: sub1user2
  Account disabled: False
  Password: False
  User login: sub1user3
  Account disabled: False
  Password: False

* Reset passwords on AD. OU and sub OU users' passwords synced.

[root@dhcp207-25 ~]# ipa user-find | egrep 'User login|Account disabled|Password'
  User login: admin
  Account disabled: False
  Password: True
  User login: l1user
  Account disabled: False
  Password: True
  User login: sub1user2
  Account disabled: False
  Password: True
  User login: sub1user3
  Account disabled: False
  Password: True

* Verified in version 

[root@dhcp207-25 ~]# rpm -q 389-ds-base ipa-server
389-ds-base-1.2.11.15-28.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64
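
A check that automates the comparison made in the comment above (added example, not part of the original bug report or of the 389-ds-base or IPA code): it parses `ldapsearch` LDIF and `ipa user-find` output and reports AD accounts under the `--win-subtree` base that have no IPA login, with their depth below that base. It assumes the search also requests `sAMAccountName` (the search in the comment asked only for `dn`) and that winsync maps that attribute to the IPA login; the sample inputs and all function names are constructed.

```python
import re

BASE = "OU=level1,DC=adrelm,DC=com"  # --win-subtree value used in the comment
# Constructed sample: LDIF as printed when sAMAccountName is requested (assumption).
AD_LDIF = """\
dn: OU=level1,DC=adrelm,DC=com

dn: OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=sub1user2 ads,OU=sub-level1,OU=level1,DC=adrelm,DC=com
sAMAccountName: sub1user2

dn: CN=sub1user3 ads,OU=sub-level1,OU=level1,DC=adrelm,DC=com
sAMAccountName: sub1user3

dn: CN=l1user ads,OU=level1,DC=adrelm,DC=com
sAMAccountName: l1user
"""
# Constructed `ipa user-find` excerpts: sub-OU users absent, then all present.
IPA_SUBOU_MISSING = "  User login: admin\n  User login: l1user\n"
IPA_VERIFIED = IPA_SUBOU_MISSING + "  User login: sub1user2\n  User login: sub1user3\n"

def rdns(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def ad_users(ldif, base):
    """Map sAMAccountName -> depth below base (1 = directly in the base OU)."""
    unfolded = ldif.replace("\n ", "")  # LDIF folds long lines with a leading space
    base_rdns, users = rdns(base), {}
    for entry in unfolded.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        entry_rdns = rdns(attrs.get("dn", ""))
        sam = attrs.get("sAMAccountName")
        if sam and entry_rdns[-len(base_rdns):] == base_rdns:
            users[sam.lower()] = len(entry_rdns) - len(base_rdns)
    return users

def ipa_logins(user_find_output):
    return {m.lower() for m in re.findall(r"^\s*User login:\s*(\S+)", user_find_output, re.M)}

def missing_in_ipa(ldif, user_find_output, base=BASE):
    """AD accounts under base with no IPA user, keyed by login, valued by depth."""
    synced = ipa_logins(user_find_output)
    return {u: d for u, d in ad_users(ldif, base).items() if u not in synced}

if __name__ == "__main__":
    print(missing_in_ipa(AD_LDIF, IPA_SUBOU_MISSING), missing_in_ipa(AD_LDIF, IPA_VERIFIED))
```

A depth of 2 or more in the result marks accounts that live in a sub OU of the synced subtree, which is the case this bug covers.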

Comment 5 errata-xmlrpc 2013-11-21 21:12:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1653.html

