-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Winsync OneWay fromWindows not replicate deletion #5052
Comments
Bug Description: When a custom filter was provided, entries which were deleted in AD did not have that event correctly reflected in 389-ds. This was due to the behaviour that when an entry in AD is deleted, it is marked with a "deleted" flag which the objectClass=* filter would (accidentally) collect when it did a search. However, a custom user filter being specified would in some cases (such as a memberOf filter) NOT show up the deletion since the entry was considered to have moved out of scope rather than being a full delete. Fix Description: In the case that we have a userfilter, we wrap it in an OR condition that always requests isDeleted flags so that we can correctly reflect the delete status. fixes: 389ds#5052 Author: William Brown <william@blackhats.net.au> Review by: ???
@rainolf I have resolved the issue in #5052, but in general I think you will encounter a lot of problems trying to use the MemberOf filter like this, since we can not accurately determine an entry needing to be deleted due to removal from a group. Consider the situation we have user X and group Y, which X is memberOf. When you remove X from Y, the memberOf will no longer show, but the entry for user X is not now in the isDeleted state, meaning it will persist on the 389-ds side. This is a limitation of the AD sync state that we consume, so we can not easily or effectively work around it. |
Sure, i agree with you but how we can have more control on this? |
Well currently the ability to sync these via a single group membership works, so that's fine. It's un-syncing when you remove them from that group that's the problem. I think that may be a seperate bug ... |
@tbordaz @rainolf welcome back to the new year! I've been investigating this today to see if we could finish it off, and what I have learnt is ... well, I think that we need to actually remove win-filter as a feature. There are a large number of race conditions in the application of the filter to windows in the way that we currently apply it. An example, is if we have a
And that's just one example! It appears that if we send any filter to winsync, regardless of the So as a result, I think that filtering in this manner is actually fundamentally broken, there are too many edge cases that can occur, and you are likely (if not guaranteed) to end up with inconsistent data in your 389-ds system. The only way to guarantee your dataset is complete is to set the basedn to the root of the AD environment LDAP, and to have no win-filter applied. The only other option we have is to only apply filters on the client side of 389-ds when we receive entries, rather than applying them to the winsync search, but that has a lot of potential for other issues. IMO there is no easy fix here .... :( |
Bug Description: When a custom filter was provided, entries which were deleted in AD did not have that event correctly reflected in 389-ds. This was due to the behaviour that when an entry in AD is deleted, it is marked with a "deleted" flag which the objectClass=* filter would (accidentally) collect when it did a search. However, a custom user filter being specified would in some cases (such as a memberOf filter) NOT show up the deletion since the entry was considered to have moved out of scope rather than being a full delete. Fix Description: In the case that we have a userfilter, we wrap it in an OR condition that always requests isDeleted flags so that we can correctly reflect the delete status. fixes: #5052 Author: William Brown <william@blackhats.net.au> Review by: @mreynolds389 @tbordaz
Bug Description: When a custom filter was provided, entries which were deleted in AD did not have that event correctly reflected in 389-ds. This was due to the behaviour that when an entry in AD is deleted, it is marked with a "deleted" flag which the objectClass=* filter would (accidentally) collect when it did a search. However, a custom user filter being specified would in some cases (such as a memberOf filter) NOT show up the deletion since the entry was considered to have moved out of scope rather than being a full delete. Fix Description: In the case that we have a userfilter, we wrap it in an OR condition that always requests isDeleted flags so that we can correctly reflect the delete status. fixes: #5052 Author: William Brown <william@blackhats.net.au> Review by: @mreynolds389 @tbordaz
Bug Description: When a custom filter was provided, entries which were deleted in AD did not have that event correctly reflected in 389-ds. This was due to the behaviour that when an entry in AD is deleted, it is marked with a "deleted" flag which the objectClass=* filter would (accidentally) collect when it did a search. However, a custom user filter being specified would in some cases (such as a memberOf filter) NOT show up the deletion since the entry was considered to have moved out of scope rather than being a full delete. Fix Description: In the case that we have a userfilter, we wrap it in an OR condition that always requests isDeleted flags so that we can correctly reflect the delete status. fixes: #5052 Author: William Brown <william@blackhats.net.au> Review by: @mreynolds389 @tbordaz
Issue Description
After added winSyncWindowsFilter parameter in winsync agreement, the deletion of an entry in AD does not reflect D389
Package Version and Platform:
Steps to Reproduce
Steps to reproduce the behavior:
Expected results
Expected deletion as for winSyncWindowsFilter is not set
The text was updated successfully, but these errors were encountered: