On 09/24/2012 11:49 PM, Steven Jones wrote:
> Hi,
>
> I'm confused here, has no one tried to winsync 2000+ users before?
>
> Are there any docs on working around this limit?
>
> I've up'd the user to 20000 but that seems to have had no effect....my AD ppl
> don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default. There are two ways around this:

1) Go into AD and set the sizelimit for the sync user to be greater than the number of entries.
2) Have DS winsync use simple paged results - this is a code change on our side and we are tracking it for one of the upcoming releases: https://fedorahosted.org/389/ticket/472

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Steven Jones [[email protected]]
> Sent: Tuesday, 25 September 2012 3:17 p.m.
> Cc: [email protected]
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I am trying to run this and getting search exceeded.
>
> ldapsearch -xLLL -D <winsync_binddn> -w <passwd> -h <AD_host> -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>
> Looks like I have 5900 AD users but only 4300 are transferred to IPA...they
> also lose their IPA groups which is a bit of a bummer.
>
> :(
>
> regards
>
> Steven Jones
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Rich Megginson [[email protected]]
> Sent: Saturday, 22 September 2012 3:46 a.m.
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/21/2012 09:18 AM, Dmitri Pal wrote:
>> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>>>>>> case nsslapd-sizelimit. This can be increased either globally or (this
>>>>>> seems as a more secure solution) for a user you bind as:
>>>>>>
>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>>>
>>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700
>>>>> users from AD into IPA? If so, then that's a limit on the winsync user
>>>>> that must be increased in AD.
>>>>>
>>>> Rich, it seems that it might make sense to file an RFE for the winsync
>>>> to support paging control.
>>> AD supports the paging control? And this allows you to get around the
>>> search limit?
>>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
>> The default usually 2K BTW.
> https://fedorahosted.org/389/ticket/472
>>>>>> Martin
>>>>>>
>>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> It seems IPA has some sort of limit of searching it will only show
>>>>>>> the first 2k of user entries?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>> *From:* Rich Megginson [[email protected]]
>>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>>> *To:* Steven Jones
>>>>>>> *Cc:* [email protected]
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have imported users, but there are 5700 of them but I only have
>>>>>>>> 2000 which corresponds to the view that AD gives you by default. This
>>>>>>>> makes me think that that limit is all the AD is allowing the query to see?
>>>>>>> You can use
>>>>>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>>>>>> what winsync sees when it searches.
>>>>>>>> Is there a way to expand it?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> *From:* [email protected]
>>>>>>>> [[email protected]]
>>>>>>>> on behalf of Steven Jones [[email protected]]
>>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>>> *Cc:* [email protected]
>>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>>
>>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is
>>>>>>>> there a quick/clean way to purge them from IPA?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Steven Jones
>>>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> [email protected]
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
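
The two workarounds in the reply above differ in where the limit applies. As an added illustration (not code from this thread, from 389 DS or from AD), the toy model below uses the thread's figures (5700 users, limit 2000) to show a plain search being truncated while a simple paged results loop (RFC 2696) retrieves every entry. `ToyDirectory`, `SizeLimitExceeded`, the helper functions and the integer cookie are assumptions made for the sketch; real servers return opaque cookies.

```python
# Added illustration: toy LDAP server with a size limit, searched with and
# without simple paged results (RFC 2696). All names here are hypothetical.
SIZE_LIMIT = 2000    # server-side limit quoted in the thread
USERS = [f"cn=user{i},OU=Example" for i in range(5700)]  # constructed sample


class SizeLimitExceeded(Exception):
    """Stands in for LDAP result code 4 (sizeLimitExceeded)."""

    def __init__(self, partial):
        super().__init__("size limit exceeded")
        self.partial = partial  # entries sent before the limit was hit


class ToyDirectory:
    def __init__(self, entries, size_limit):
        self.entries = list(entries)
        self.size_limit = size_limit

    def search(self):
        """Plain search: results stop at size_limit with an error result."""
        if len(self.entries) > self.size_limit:
            raise SizeLimitExceeded(self.entries[:self.size_limit])
        return list(self.entries)

    def search_page(self, page_size, cookie=b""):
        """Paged search: the limit caps one page, not the whole result set."""
        if page_size < 1:
            raise ValueError("page_size must be positive")
        start = int(cookie.decode()) if cookie else 0
        end = start + min(page_size, self.size_limit)
        # Real cookies are opaque; an offset is used here for readability.
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return self.entries[start:end], next_cookie


def fetch_unpaged(directory):
    """Return (entries, complete) as a client without paging sees them."""
    try:
        return directory.search(), True
    except SizeLimitExceeded as exc:
        return exc.partial, False


def fetch_all_paged(directory, page_size=500):
    """Resend the server's cookie until it comes back empty."""
    results, cookie = [], b""
    while True:
        page, cookie = directory.search_page(page_size, cookie)
        results.extend(page)
        if not cookie:
            return results
```

A sync client that ignores the `complete` flag ends up with 2000 of 5700 entries and no obvious sign that the rest are missing, which is the symptom reported in the thread.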
