Bug 187109 - Several problems with the Windows Sync docs
Several problems with the Windows Sync docs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Doc - administration-guide (Show other bugs)
7.1
All Linux
high Severity medium
: DS8.0
: ---
Assigned To: Deon Ballard
Chandrasekar Kannan
: Documentation
Depends On:
Blocks: 152373 240316
  Show dependency treegraph
 
Reported: 2006-03-28 10:51 EST by Rich Megginson
Modified: 2015-01-04 18:19 EST (History)
2 users (show)

See Also:
Fixed In Version: 8.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-15 16:51:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Rewritten config steps (9.26 KB, application/vnd.sun.xml.writer)
2007-11-08 17:11 EST, Deon Ballard
no flags Details
Corrected step 3 (9.76 KB, application/vnd.sun.xml.writer)
2007-11-12 17:18 EST, Deon Ballard
no flags Details

  None (edit)
Description Rich Megginson 2006-03-28 10:51:12 EST
These issues were raised by a reviewer (www.winlinanswers.com)

#1: DOCS SAY:
The user specified in the Password Sync and NT4 LDAP Services should be a
special user that has write access to entries and passwords but, for
security reasons, should not be Directory Manager. Also, this user should
not be under the synchronized subtree. For information on creating a special
sync ID, see "Creating the Supplier Bind DN Entry," on page 318.

I click on the link
(http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1108815)
and it tells me how to create an account,
but it provides no information on how
to configure the RIGHTS on this account
to allow LDAP write access.

#2: DOCS SAY
To create a synchronization agreement:

   1. In the Directory Server Console, select the Configuration tab.
   2. In the left-hand navigation tree, right-click on the suffix to sync,
and select New Synchronization Agreement. You can also highlight the suffix,
and select Menu>Object>New Synchronization Agreement.  

Actually... this is {ROOT} | Replication | userRoot
-- not "the suffix you want to sync". PS: This is a doc bug... it's "New
Windows Sync Agreement" (and not "New Synchronization Agreement)

Anyway.. NetscapeRoot and userroot were the only two branches of the whole
tree that had the ability to create a Sync agreement.

Clicking on "New Windows Sync Agreement" brings up the requirement to
generate a Replica Changelog.
These steps are NOT in the documentation at all, and, again, not being an
expert here, I have really no idea what to put in.

(PS: Another bug here is that the popup says "To configure the database,
select the 'Enable Replication' checkbox..." but the actual
checkbox is called "Enable Replica".)

Once on the "Replica Settings" page.. I'm completely lost. "Dedicated
consumer" is selected by default.. but I don't think that's correct. As I
want to sync

cn=top,dc=corp,dc=com (FDS) and cn=top,dc=demo,dc=com (AD)

both ways.

I *THINK* the proper procedure MIGHT BE to:

-First to to the "Replication" node and "Enable Changelog" and select "Use
default" settings and click Save.
-Then right-click over userRoot and select "New Windows Sync". Specify
"Single Master". Click Save.
-Re-right-click over userRoot and select "New Windows Sync" and start the
Windows Sync agreement wizard.

#3: The "Windows Sync Server Info" page
graphic here:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859334
in the "ConnectioN" field
has "Bind as" with information about the FDS
server. Whaaa? Why? The doc line item says:
"Fill in the authentication information in the "Bind as..." and "Password"
fields with the sync manager information."

I don't think this is is desired. Don't you mean
the WINDOWS domain admin user we created in Step 5
"Step 5: Select or Create the Sync Identity" ??


If I'm wrong, and I really AM supposed to put in the "search" account a
created for FDS -- what would the point be in telling FDS about an FDS
account at this state? Doesn't the connection on the FDS side need to know
about AD credentials??

Regardless... either way does not start the sync. I get "LDAP error: Invalid
credentials: Error code: 49"... which is likely easily cleared up once I
understand the rest of the pieces.
Comment 1 Karsten Wade 2006-03-28 10:58:28 EST
Reassigning to IdM project manager, as I no longer work in Content Services.
Comment 2 Orla Hegarty 2006-04-04 11:41:48 EDT
Per today's bug council this is target tracked for DS 7.2 for now.
Comment 3 David O'Brien 2007-04-25 03:32:08 EDT
Brian, can you review these and either:
- assign them to yourself or bcleary as appropriate, or
- resolve them as won't do if they fall inside books or sections that we're not
going to update

tks
David
Comment 4 Michael Hideo 2007-06-06 00:44:29 EDT
Adding 'cc ecs-dev-list@redhat.com for tracking
Comment 5 David O'Brien 2007-07-12 22:44:53 EDT
Removing DSDocs as milestone, reassigning to DS8.0
Comment 6 David O'Brien 2007-07-12 23:02:52 EDT
Apparently there are problems with the WinSync section of the Deployment Guide
as well (assigned to me). Nathan is going to look at this when he gets back from
hols in a couple of weeks. Recommend not touching this until he's been through it.
Comment 8 Michael Hideo 2007-10-22 22:45:28 EDT
Removing automation notification
Comment 9 Deon Ballard 2007-11-05 18:24:16 EST
Reassigning from bforte to dlackey.
Comment 10 Deon Ballard 2007-11-08 17:11:55 EST
Created attachment 252241 [details]
Rewritten config steps

For #1, on the rights for a user: I added a link to the ACLs chapter.
For #2, on setting up the sync agreement: I cleaned up the terminology. Also,
this person seemed confused about there being more than userRoot/NetscapeRoot
available for sync because those are the only defaults; I tried to make it
clear that if more suffixes are added, there are more dbs available to sync.
For #3: I believe this user has to be on both the DS and DS servers with
read/write permission, not just AD. Nathan, is that right? THat's how I wrote
it, anyway.

The docbot links are
http://engineering.redhat.com/docbot/en-US/RedHat_Directory_Server/8.0/html/Administration_Guide/Configuring_Windows_Sync-Step_4_Select_or_Create_the_Sync_Identity.html,
http://engineering.redhat.com/docbot/en-US/RedHat_Directory_Server/8.0/html/Administration_Guide/Configuring_Windows_Sync-Enabling-replica.html,
and
http://engineering.redhat.com/docbot/en-US/RedHat_Directory_Server/8.0/html/Administration_Guide/Configuring_Windows_Sync-Step_5_Create_the_Synchronization_Agreement.html.


The text is attached in an OO doc.
Comment 11 Deon Ballard 2007-11-08 17:12:35 EST
Assigning to Nathan for review.
Comment 12 Deon Ballard 2007-11-12 17:18:19 EST
Created attachment 255941 [details]
Corrected step 3

Corrected step 3 after IRC with Nathan.
Comment 13 Deon Ballard 2007-11-27 18:49:00 EST
Changing status to modified.
Comment 14 Deon Ballard 2008-02-15 16:51:50 EST
CLosing review bugs and content bugs that were fixed in the 8.0 release for the
install, admin, and CLI guides.

Note You need to log in before you can comment on or make changes to this bug.