Syncing from OpenLDAP RFC2307. For now we are OK losing changes an IPA admin has made, with OpenLDAP being the source of truth until we cut over to IPA. I can accomplish this another way, but it seems to get tricky if a group is removed on the source system: I have to get it removed at IPA as well.

Alfred

On Tue, Oct 6, 2020 at 2:02 PM Rob Crittenden <rcritten@redhat.com> wrote:
Alfred Victor wrote:
> Hi Rob,
>
> Thanks for confirming. Is there any way to simply accomplish a sync, or
> will we need to achieve this by adding/removing groups using ipa
> commands based on an ldapsearch?

There is no IPA tool to do a sync like this. If you add/remove groups in
IPA to achieve it you run the risk of losing changes some IPA admin has
made.

What is it you're syncing from?

rob

>
> Paul
>
> On Tue, Oct 6, 2020 at 12:42 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Alfred Victor via FreeIPA-users wrote:
>     > Hi FreeIPA,
>     >
>     > Maybe I've misunderstood how migrate-ds should work. Worth mentioning:
>     > the source directory is RFC2307. If ipa migrate-ds migrates a user,
>     > then later that user is added to more groups and the same migrate-ds
>     > command is run again, should it not add the user into the
>     > corresponding groups on IPA which did not have its memberUid prior?
>
>     It isn't a sync tool. If an entry already exists then it is considered
>     migrated and skipped.
>
>     rob
>
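
The approach discussed in this thread (driving `ipa` commands from an ldapsearch, with OpenLDAP as the source of truth) can be sketched as a one-way reconcile plan. This is an added example, not code from the thread or from FreeIPA; the sample LDIF, the sample IPA state, the function names and the `managed` allow-list (which keeps groups created only in IPA out of scope) are assumptions.

```python
import re
# Constructed sample of `ldapsearch -LLL ... '(objectClass=posixGroup)' cn memberUid` output.
SAMPLE_LDIF = """\
dn: cn=devs,ou=Group,dc=example,dc=com
cn: devs
memberUid: alice
memberUid: bob

dn: cn=ops,ou=Group,dc=example,dc=com
cn: ops
memberUid: carol
"""

# Constructed sample of current IPA group membership (e.g. gathered via `ipa group-show`).
SAMPLE_IPA = {"devs": {"alice", "dave"}, "legacy": {"bob"}}

def parse_rfc2307_groups(ldif):
    """Return {cn: set(memberUid)}; folded or base64 LDIF lines are not handled."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "cn" in attrs:
            groups[attrs["cn"][0]] = set(attrs.get("memberuid", []))
    return groups

def plan_sync(source, ipa, managed):
    """Return ipa commands that make the managed IPA groups match the source."""
    cmds = []
    for name in sorted(managed):
        src, cur = source.get(name), ipa.get(name)
        if src is None:  # group removed on the source: remove it in IPA too
            if cur is not None:
                cmds.append(["ipa", "group-del", name])
            continue
        if cur is None:  # group is new on the source
            cmds.append(["ipa", "group-add", name])
            cur = set()
        for user in sorted(src - cur):
            cmds.append(["ipa", "group-add-member", name, f"--users={user}"])
        for user in sorted(cur - src):  # discards membership added only in IPA
            cmds.append(["ipa", "group-remove-member", name, f"--users={user}"])
    return cmds
if __name__ == "__main__":
    for cmd in plan_sync(parse_rfc2307_groups(SAMPLE_LDIF), SAMPLE_IPA, {"devs", "ops", "legacy"}):
        print(" ".join(cmd))
```

Reviewing the printed plan before executing it shows exactly which IPA-side changes would be discarded. A group created by `ipa group-add` gets an IPA-assigned GID unless the source gidNumber is passed with `--gid`.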