Syncing from OpenLDAP RFC2307; for now we are ok losing changes an IPA admin has made, with OpenLDAP being the source of truth until we cut over to IPA. I can accomplish this another way, but it seems to get tricky if a group is removed on the source system: I have to get it removed at IPA as well.
Alfred
On Tue, Oct 6, 2020 at 2:02 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Alfred Victor wrote:
> > Hi Rob,
> > Thanks for confirming. Is there any way to simply accomplish a sync, or will we need to achieve this by adding/removing groups using ipa commands based on an ldapsearch?
>
> There is no IPA tool to do a sync like this. If you add/remove groups in IPA to achieve it you run the risk of losing changes some IPA admin has made.
>
> What is it you're syncing from?
>
> rob
>
> > Paul
> >
> > On Tue, Oct 6, 2020 at 12:42 PM Rob Crittenden <rcritten@redhat.com> wrote:
> > > Alfred Victor via FreeIPA-users wrote:
> > > > Hi FreeIPA,
> > > >
> > > > Maybe I've misunderstood how migrate-ds should work, worth mentioning the source directory is RFC2307 - if ipa migrate-ds migrates a user, then later that user is added more groups and the same migrate-ds command is run again, should it not add the user into the corresponding groups on IPA which did not have its memberUid prior?
> > >
> > > It isn't a sync tool. If an entry already exists then it is considered migrated and skipped.
> > >
> > > rob
freeipa-users@lists.fedorahosted.org
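One way to do the ldapsearch-driven reconciliation the thread discusses, as an added example that is neither part of this thread nor a FreeIPA tool: it parses posixGroup records from a constructed ldapsearch LDIF sample, compares them with a constructed view of the IPA groups, and emits the ipa group-add / group-add-member / group-remove-member commands needed, flagging a group that disappeared from the source instead of deleting it by default (the case called out as tricky above). Group names, members and the base DN are all made up for the example.

```python
# Added example (not an IPA tool): diff RFC2307 posixGroup membership on the
# OpenLDAP source against IPA groups and emit the ipa commands that converge them.

# Constructed sample of `ldapsearch -LLL -b ou=Groups,dc=example,dc=com
# "(objectClass=posixGroup)" cn memberUid` output on the source directory.
SOURCE_LDIF = """\
dn: cn=devs,ou=Groups,dc=example,dc=com
cn: devs
memberUid: alice
memberUid: bob

dn: cn=ops,ou=Groups,dc=example,dc=com
cn: ops
memberUid: carol
"""
# Constructed sample of the groups IPA currently holds (as `ipa group-show` would report).
IPA_GROUPS = {"devs": {"alice", "eve"}, "legacy": {"dave"}}


def parse_ldif_groups(text):
    """Return {cn: set(memberUid)} from LDIF records separated by blank lines."""
    groups, cn, members = {}, None, set()
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line:
            if cn:
                groups[cn] = members
            cn, members = None, set()
        elif line.startswith("cn: "):
            cn = line[4:]
        elif line.startswith("memberUid: "):
            members.add(line[11:])
    return groups


def plan_sync(source, ipa, delete_missing=False):
    """ipa commands that make IPA match the source. A group that vanished from
    the source is only flagged unless delete_missing=True: group-del would also
    discard any members an IPA admin added locally, which this diff cannot see."""
    cmds = []
    for g, want in sorted(source.items()):
        have = ipa.get(g)
        if have is None:                    # group exists only on the source
            cmds.append(f"ipa group-add {g}")
            have = set()
        cmds += [f"ipa group-add-member {g} --users={u}" for u in sorted(want - have)]
        cmds += [f"ipa group-remove-member {g} --users={u}" for u in sorted(have - want)]
    for g in sorted(set(ipa) - set(source)):
        cmds.append(f"ipa group-del {g}" if delete_missing
                    else f"# review: {g} is not in the source; delete manually")
    return cmds
```

Print `plan_sync(parse_ldif_groups(SOURCE_LDIF), IPA_GROUPS)` to see the commands; feeding real ldapsearch output and real `ipa group-show` membership in place of the constructed samples gives the actual plan.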