This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/355

See https://fedorahosted.org/freeipa/ticket/2688 for the gory details.

Instead of deleting, I think we should just log a warning like "Could not sync the AD entry %s with the DS entry %s, even though they have the same user id (or group id) %s, because the AD entry is out of scope %s of the windows sync agreement"

Deleting perfectly good users is bad.
This is not a regression - removing Regression keyword
r6908 | rmeggins | 2012-08-29 17:56:11 -0600 (Wed, 29 Aug 2012) | 7 lines

Resolves: bug 818762
winsync should not delete entry that appears to be out of scope
Resolves: bug 847868
[RFE] support posix schema for user and group sync
The tests have been enhanced to cover more posix attribute checking.
Added tests for ticket 355/bug 818762
The tests by default will ignore errors caused by tickets 415 and 428
*** Bug 839812 has been marked as a duplicate of this bug. ***
Verification steps:

1. Create DS user, verify sync to AD

    $ AddNDSUsr dstestusr
    adding new entry uid=dstestusr,ou=people,dc=brq,dc=redhat,dc=com
    $ ChkNADUsr dstestusr ; echo $?
    0

2. Create AD user, verify sync to DS

    $ AddNADUsr adtestusr
    adding new entry CN=adtestusr,cn=Users,dc=brq,dc=redhat,dc=com
    $ ChkNDSUsr adtestusr ; echo $?
    0

3. Move AD user out of scope of synchronization agreement, entry on DS should not be deleted.

    $ ldapsearch -h windir -p 389 -D "cn=administrator,cn=users,dc=brq,dc=redhat,dc=com" -w Secret123 -b "dc=brq,dc=redhat,dc=com" cn=adtestusr dn
    dn: CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com
    $ ChkNDSUsr adtestusr ; echo $?
    0

4. Remove AD user. Synchronized user on DS should be deleted as well

    $ ldapdelete -h windir -p 389 -D "cn=administrator,cn=users,dc=brq,dc=redhat,dc=com" -W CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com
    $ echo $?
    0
    $ ChkNDSUsr adtestusr ; echo $?
    ldap_search: No such object
    ldap_search: matched: ou=people,dc=brq,dc=redhat,dc=com
    1

adtestusr entry is deleted. The bug is verified.

389-ds-base-1.2.11.15-3.el6.i686
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0503.html
*** Bug 824073 has been marked as a duplicate of this bug. ***