Well, I certainly don't understand what happened under the covers, but it is 100% clear to me that the users got "deleted" in AD while "preserving" them in IPA. I could see an argument where "ipa user-del user --preserve" is technically still a delete (semantics).
I might look at migrating to a trust in the future, but now this is a caveat to live with. I still might explore one-way sync in the meantime, see what that buys us.
On Thu, Jul 20, 2017 at 2:45 PM, Rob Crittenden <rcritten@redhat.com> wrote:
Rob Brown wrote:
yeah, I did find the users in AD under: CN=Deleted Objects,DC=foo,DC=domain,DC=com and, the users actually have the attribute: isDeleted = TRUE so, looks like they were actually deleted (from AD perspective). It seems like the delete sync is two-way (surprising, since create isn't), and this is probably expected, and that IPA simply exposes the deleted users via the GUI in "Preserved Users", whereas AD doesn't. Still, this kinda took me by surprise, lesson learned. Seems I can recover deleted accounts, but going to be a PITA. Looking thru the docs, I don't see any options to disable deletes. It would be nice to have an option similar to how ipaWinSyncAcctDisable works, but for deletes, so we could set it to one-way. I am wondering if setting the oneWaySync parameter on the synchronization agreement to 'fromWindows' would do the trick. Not sure I really want that, though, will have to think it thru.
Re-adding list...
The delete sync isn't two-way since the user wasn't deleted on the IPA side, just moved.
The IPA team isn't devoting much, if any time, these days on winsync, instead focusing on AD trust. Given the complexity of trying to find an equivalent state in AD of kinda-deleted and implementing, test, etc I doubt this is something that will be addressed.
Probably worth documenting as an undesirable side-effect though.
rob
On Thu, Jul 20, 2017 at 11:55 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Rob Brown via FreeIPA-users wrote:
> Our company recently implemented freeipa to replace a cent5 kerberos
> infrastructure. We set it up with a Winsync agreement with an AD domain,
> and is working pretty well.
> Our user disposition workflow in AD is this: user account is disabled,
> and moved to a "terminated users" OU in AD. The account disable sync was
> working fine to IPA, but yesterday I decided to "clean up" the Active
> Users list in IPA, by deleting (with --preserve) all the disabled
> accounts (there were many). This looked fine from the IPA side: the
> accounts got moved into the Preserved users area (in the gui).
> However, much to my dismay I later discovered that all of the termed
> accounts in AD are gone. WHAT!!!???
> This is bad (for historical/compliance), and came as a shock to me,
> because the docs say: "While modifications are bi-directional (going
> both from Active Directory to IdM and from IdM to Active Directory),
> creating or adding accounts are only uni-directional, from Active
> Directory to Identity Management". So WHY ON EARTH would a delete be
> bi-directional? I'm suspecting (hoping) that the accounts weren't
> actually deleted, that they are just hidden somewhere in AD that I can't
> see. PLEASE, if anyone can point me in the right direction here as to
> what happened I would appreciate it.

As someone mentioned in IRC marking a user as preserved moves them from the user container to cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX. So perhaps AD honored the rename.

rob
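A pre-flight check for the situation discussed in this thread, added here as an example and not code from FreeIPA or from anyone on the list: it models the explanation given above (a --preserve moves the entry out of the synced user container into cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX, which winsync then pushes to AD as a delete) and flags which users would be affected before anyone runs the command. The winsync agreement attribute names, the sample DNs, and the rule that a move out of the synced subtree becomes a delete unless oneWaySync is fromWindows are assumptions made for this example.

```python
# Constructed sample of the winsync agreement attributes that matter here.
# Attribute names are assumed from the 389-ds winsync agreement schema;
# the values are made up. oneWaySync absent = bidirectional, as in the thread.
AGREEMENT = {
    "nsds7DirectoryReplicaSubtree": "cn=users,cn=accounts,dc=example,dc=com",
    "nsds7WindowsReplicaSubtree": "cn=Users,dc=ad,dc=example,dc=com",
    "oneWaySync": None,
}

# Container that `ipa user-del --preserve` moves an entry into, per the thread.
PRESERVED_CONTAINER = "cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com"


def dn_parts(dn):
    """Split a DN into normalised RDNs (lower-cased, whitespace trimmed).
    Assumes no escaped commas, which holds for IPA's standard containers."""
    return [p.strip().lower() for p in dn.split(",")]


def in_subtree(dn, base):
    """True when dn is base itself or lies beneath it."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b


def preserve_target(user_dn):
    """DN the entry will have after --preserve: same RDN, new container."""
    return dn_parts(user_dn)[0] + "," + PRESERVED_CONTAINER


def preserve_propagates_delete(user_dn, agreement):
    """Assumed model of the behaviour described in the thread: an entry that
    leaves the synced subtree is treated by winsync as gone, and that is
    pushed to AD unless the agreement only syncs fromWindows."""
    if agreement.get("oneWaySync") == "fromWindows":
        return False
    synced = agreement["nsds7DirectoryReplicaSubtree"]
    return in_subtree(user_dn, synced) and not in_subtree(preserve_target(user_dn), synced)


def preflight(user_dns, agreement=AGREEMENT):
    """Return the users whose --preserve would reach AD as a delete."""
    return [u for u in user_dns if preserve_propagates_delete(u, agreement)]


if __name__ == "__main__":
    users = ["uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
             "uid=svc-backup,cn=users,cn=accounts,dc=example,dc=com"]
    for u in preflight(users):
        print("WARNING: preserving", u, "would be propagated to AD as a delete")
```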
freeipa-users@lists.fedorahosted.org