These issues were raised by a reviewer (www.winlinanswers.com)

#1: DOCS SAY: The user specified in the Password Sync and NT4 LDAP Services should be a special user that has write access to entries and passwords but, for security reasons, should not be Directory Manager. Also, this user should not be under the synchronized subtree. For information on creating a special sync ID, see "Creating the Supplier Bind DN Entry," on page 318.

I click on the link (http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1108815) and it tells me how to create an account, but it provides no information on how to configure the RIGHTS on this account to allow LDAP write access.

#2: DOCS SAY: To create a synchronization agreement:
1. In the Directory Server Console, select the Configuration tab.
2. In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.

Actually... this is {ROOT} | Replication | userRoot -- not "the suffix you want to sync". PS: This is a doc bug... it's "New Windows Sync Agreement" (and not "New Synchronization Agreement"). Anyway... NetscapeRoot and userRoot were the only two branches of the whole tree that had the ability to create a Sync agreement.

Clicking on "New Windows Sync Agreement" brings up the requirement to generate a Replica Changelog. These steps are NOT in the documentation at all, and, again, not being an expert here, I have really no idea what to put in. (PS: Another bug here is that the popup says "To configure the database, select the 'Enable Replication' checkbox..." but the actual checkbox is called "Enable Replica".)

Once on the "Replica Settings" page... I'm completely lost. "Dedicated consumer" is selected by default... but I don't think that's correct, as I want to sync cn=top,dc=corp,dc=com (FDS) and cn=top,dc=demo,dc=com (AD) both ways.

I *THINK* the proper procedure MIGHT BE to:
- First go to the "Replication" node, "Enable Changelog", select "Use default" settings and click Save.
- Then right-click over userRoot and select "New Windows Sync". Specify "Single Master". Click Save.
- Re-right-click over userRoot and select "New Windows Sync" and start the Windows Sync agreement wizard.

#3: The "Windows Sync Server Info" page graphic here: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859334 in the "Connection" field has "Bind as" with information about the FDS server. Whaaa? Why? The doc line item says: "Fill in the authentication information in the "Bind as..." and "Password" fields with the sync manager information." I don't think this is desired. Don't you mean the WINDOWS domain admin user we created in Step 5 "Step 5: Select or Create the Sync Identity"?? If I'm wrong, and I really AM supposed to put in the "search" account I created for FDS -- what would the point be in telling FDS about an FDS account at this stage? Doesn't the connection on the FDS side need to know about AD credentials?? Regardless... either way does not start the sync. I get "LDAP error: Invalid credentials: Error code: 49"... which is likely easily cleared up once I understand the rest of the pieces.
Reassigning to IdM project manager, as I no longer work in Content Services.
Per today's bug council this is target tracked for DS 7.2 for now.
Brian, can you review these and either:
- assign them to yourself or bcleary as appropriate, or
- resolve them as won't do if they fall inside books or sections that we're not going to update.
tks
David
Adding 'cc ecs-dev-list for tracking
Removing DSDocs as milestone, reassigning to DS8.0
Apparently there are problems with the WinSync section of the Deployment Guide as well (assigned to me). Nathan is going to look at this when he gets back from hols in a couple of weeks. Recommend not touching this until he's been through it.
Removing automation notification
Reassigning from bforte to dlackey.
Created attachment 252241 [details] Rewritten config steps

For #1, on the rights for a user: I added a link to the ACLs chapter.

For #2, on setting up the sync agreement: I cleaned up the terminology. Also, this person seemed confused about there being more than userRoot/NetscapeRoot available for sync because those are the only defaults; I tried to make it clear that if more suffixes are added, there are more dbs available to sync.

For #3: I believe this user has to be on both the DS and DS servers with read/write permission, not just AD. Nathan, is that right? That's how I wrote it, anyway.

The docbot links are http://engineering.redhat.com/docbot/en-US/RedHat_Directory_Server/8.0/html/Administration_Guide/Configuring_Windows_Sync-Step_4_Select_or_Create_the_Sync_Identity.html, http://engineering.redhat.com/docbot/en-US/RedHat_Directory_Server/8.0/html/Administration_Guide/Configuring_Windows_Sync-Enabling-replica.html, and http://engineering.redhat.com/docbot/en-US/RedHat_Directory_Server/8.0/html/Administration_Guide/Configuring_Windows_Sync-Step_5_Create_the_Synchronization_Agreement.html. The text is attached in an OO doc.
Assigning to Nathan for review.
Created attachment 255941 [details] Corrected step 3 Corrected step 3 after IRC with Nathan.
Changing status to modified.
Closing review bugs and content bugs that were fixed in the 8.0 release for the install, admin, and CLI guides.