[389-users] Windows Sync Agreement Help
Albert Teh
teh.albert at gmail.com
Fri Jun 3 15:54:38 UTC 2011
Thanks Rich for your information.
I found this:
[389-users] Sync uidNumber between AD and directory server
Carsten Grzemba, grzemba at contac-dt.de
Fri Mar 18 07:24:12 UTC 2011
------------------------------
Hi,
this is possible via a winsync plugin. With such a plugin you can sync
and modify additional attributes.
I have developed a plugin to sync Posix attributes for users and
groups for AD 2008.
If interested, I can make the code available.
Regards
Carsten
Hi Carsten,
Could you make your code available to me? It would be great.
Thanks.
Albert
On Fri, Jun 3, 2011 at 11:11 AM, Rich Megginson <rmeggins at redhat.com> wrote:
> On 06/03/2011 09:00 AM, Albert Teh wrote:
>
> *Great News*.
> After talking to the AD Administrator and assigning the user mailadm as an
> administrator, the Windows Sync is working. Thank you all for the great
> help.
>
> My next step is to get the Password Sync working.
>
> *Need help again:* 1) need to remap the attributes synchronized from the
> AD to the DS.
> Is there any plugin for this process?
>
> No. But there is a winsync plugin api, if you feel up to writing some C
> code.
>
>
> 2) What password attribute is used on the DS for the LDAP client's
> authentication? I do not find the attribute userPassword from the AD on
> the DS after the SYNC.
>
> Right. Passwords are not synced initially. This is because both DS and AD
> do not (by default anyway) store the original clear text password - they
> store a hash of the password which is not reversible. The only way to get
> passwords in sync is to change the password. When the DS receives a clear
> text password, it will send it to AD so that AD can compute whatever hashes
> or encryption keys it needs to with the clear text password.
>
> On the AD side, you must install the PassSync service on every domain
> controller in order to intercept clear text password changes.
>
> I realize this is a pain but
> 1) most organizations have a policy that passwords have to change every 90
> days or so, so the passwords will eventually be in sync - you can always
> force a password change for those users of Windows that need to access Linux
> and vice versa
> 2) Freeipa is working on cross domain trust between AD and Linux so
> hopefully this problem will go away in the near future
>
> Thanks again for all the help.
> Albert
>
>
> On Fri, Jun 3, 2011 at 3:37 AM, <
> 389-users-request at lists.fedoraproject.org> wrote:
>
>> Today's Topics:
>>
>> 1. ds-admin script/package (Danny Wall)
>> 2. Re: ds-admin script/package (solarflow99)
>> 3. Re: ds-admin script/package (Danny Wall)
>> 4. Re: ds-admin script/package (solarflow99)
>> 5. Re: ds-admin script/package (Danny Wall)
>> 6. Re: ds-admin script/package (Rich Megginson)
>> 7. Re: Windows Sync Agreement Help (Carsten Grzemba)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 2 Jun 2011 16:40:37 -0400
>> From: Danny Wall <dwall72 at gmail.com>
>> Subject: [389-users] ds-admin script/package
>> To: 389-users at lists.fedoraproject.org
>> Message-ID: <BANLkTi=kzFoCphzp1a1ckniuwumRTUnH-w at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> I am setting up three RHEL 6 servers and am unable to find the packages or
>> scripts to install the admin console. In CentOS 5.5 and the 389 project, the
>> packages are available, and I see references to setup-ds-admin.pl in RHEL 6
>> documentation and in searches. I have the dirsrv package installed and a
>> couple LDAP instances configured, but I have to use generic LDAP browsers
>> for administration and can not configure password policies, etc. that appear
>> to require the admin console or web page.
>>
>> Can anyone point me to the missing link?
>>
>> Thanks
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 2 Jun 2011 16:56:52 -0400
>> From: solarflow99 <solarflow99 at gmail.com>
>> Subject: Re: [389-users] ds-admin script/package
>> To: "General discussion list for the 389 Directory server project."
>> <389-users at lists.fedoraproject.org>
>> Message-ID: <BANLkTinV443CJfUCBnXeoQXfeh2uTWAPhw at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> There are several RPM's involved, what repo and yum command did you use?
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 2 Jun 2011 17:01:36 -0400
>> From: Danny Wall <dwall72 at gmail.com>
>> Subject: Re: [389-users] ds-admin script/package
>> To: "General discussion list for the 389 Directory server project."
>> <389-users at lists.fedoraproject.org>
>> Message-ID: <BANLkTimNg3HGJZgvLO6MdRB-LiQBAsfAMw at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> I first tried the default rhel 6 repo, then tried adding the epel 6 repo.
>>
>> Thanks
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Thu, 2 Jun 2011 17:11:13 -0400
>> From: solarflow99 <solarflow99 at gmail.com>
>> Subject: Re: [389-users] ds-admin script/package
>> To: "General discussion list for the 389 Directory server project."
>> <389-users at lists.fedoraproject.org>
>> Message-ID: <BANLkTikoc5p3WRQSoJO3toL28-wkzc+anQ at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> good, epel is the one to use. Did you use yum install 389-ds ? that will
>> pull in the whole thing.
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Thu, 2 Jun 2011 17:14:59 -0400
>> From: Danny Wall <dwall72 at gmail.com>
>> Subject: Re: [389-users] ds-admin script/package
>> To: "General discussion list for the 389 Directory server project."
>> <389-users at lists.fedoraproject.org>
>> Message-ID: <BANLkTin08GVsHrwh6EZV0ZdchXUKcwchsw at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> I may have used 389 base. I will try it later without the base. Thanks
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Thu, 02 Jun 2011 15:18:02 -0600
>> From: Rich Megginson <rmeggins at redhat.com>
>> Subject: Re: [389-users] ds-admin script/package
>> To: "General discussion list for the 389 Directory server project."
>> <389-users at lists.fedoraproject.org>
>> Message-ID: <4DE7FE0A.9020806 at redhat.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> On 06/02/2011 03:14 PM, Danny Wall wrote:
>> >
>> > I may have used 389 base. I will try it later without the base. Thanks
>> >
>> 389-ds-base is in the base RHEL 6.1 OS. None of the other 389 packages
>> such as 389-admin are available yet. I'm in the process of building
>> them now for EPEL6. setup-ds.pl is provided by the 389-ds-base
>> package. setup-ds-admin.pl is provided by the 389-admin package.
>>
>> ------------------------------
>>
>> Message: 7
>> Date: Fri, 03 Jun 2011 09:37:08 +0200
>> From: Carsten Grzemba <grzemba at contac-dt.de>
>> Subject: Re: [389-users] Windows Sync Agreement Help
>> To: "General discussion list for the 389 Directory server project."
>> <389-users at lists.fedoraproject.org>
>> Message-ID: <fc54d5723506.4de8ab44 at contac-dt.de>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>>
>> ----- Original message -----
>> From: Rich Megginson <rmeggins at redhat.com>
>> Date: Wednesday, 1 June 2011, 18:05
>> Subject: Re: [389-users] Windows Sync Agreement Help
>> To: Albert Teh <teh.albert at gmail.com>
>> Cc: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
>>
>> > On 06/01/2011 09:21 AM, Albert Teh wrote:
>> > > The user: mailadm should have a full privilege from the AD because we are
>> > > using this user for SUN's IDSYNC synchronizing/passwdsync from the AD to
>> > > the SUN's DS which is our current LDAP environment. We are trying to
>> > > change SUN's Directory server to the Linux's 389-Directory server.
>>
>> No, it's not true in general, Sun's Idsync needs only a normal user, if you
>> sync only from AD to DS. The user for Sun's Idsync needs only additional
>> privileges to see the 'deleted objects' container for syncing the object
>> deletion. It does not use the dirsync LDAP control where you need the
>> Replication/Replicator rights.
>>
>> Regards, Carsten
>>
>> > Ok. I don't know how Sun's IDSYNC works - it is possible it doesn't use
>> > the DirSync control which requires Replicator privileges. Can you confirm
>> > that "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" has
>> > Replication/Replicator rights in AD/Windows?
>> >
>> > > Thanks.
>> > > Albert
>> > >
>> > > On Wed, Jun 1, 2011 at 10:12 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> >
>> > On 05/31/2011 06:30 PM, Albert Teh wrote:
>> > > On Tue, May 31, 2011 at 2:58 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>> >
>> > On 05/31/2011 12:49 PM, Albert Teh wrote:
>> > > Hi Rich,
>> > >
>> > > Sorry, what I understand doing the OneWay Sync from the AD to the DS:
>> > >
>> > > Users in the Active Directory domain are synced if it is configured in
>> > > the sync agreement by selecting the Sync New Windows Users option. All of
>> > > the Windows users are copied to the Directory Server when synchronization
>> > > is initiated and then new users are synced over when they are created.
>> > >
>> > > I do not need to do any AD to DS Group Sync
>> > > and I am not doing any DS sync to the AD.
>> >
>> > /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s base -b "" "objectclass=*"
>> >
>> > You should get the contents of the AD
>> >
>> > /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s sub -b "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" "objectclass=person"
>> >
>> > you should get the list of users
>> >
>> > > Thanks.
>> > > Al
>> > >
>> > > On Tue, May 31, 2011 at 1:40 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>> >
>> > On 05/31/2011 10:30 AM, Albert Teh wrote:
>> > > HI Rich,
>> > >
>> > > [root at algldap ~]# /usr/lib/mozldap/ldapsearch -x -w - -D cn="Directory Manager" -b "ou=People,dc=algonquincollege,dc=com" "(|(objectclass=ntuser)(objectclass=ntgroup))"
>> > > Enter bind password:
>> > > [root at algldap ~]#
>> > >
>> > > No Entry found !!!.
>> >
>> > You have to tell directory server which entries you want to sync.
>> > See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>> >
>> > > Thanks.
>> > > Albert
>> > >
>> > > On Tue, May 31, 2011 at 11:42 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> >
>> > On 05/30/2011 08:32 AM, Albert Teh wrote:
>> > > Hi Rich,
>> > >
>> > > I followed the Guide and still got the same result. Checked with the AD
>> > > administrator, the AD's user: mailadm has a full privilege.
>> >
>> > /usr/bin/ldapsearch -x -w - -D cn="Directory Manager" -b "ou=People,dc=algonquincollege,dc=com" "(|(objectclass=ntuser)(objectclass=ntgroup))"
>> >
>> > How many entries match that search?
>> >
>> > > Thanks.
>> > > Albert
>> > >
>> > > Here is the Windows Sync Agreement info:
>> > >
>> > > [root at algldap slapd-algldap]# /usr/lib/mozldap/ldapsearch -w - -D cn="Directory Manager" -b cn=config cn=ADSync
>> > > Enter bind password:
>> > > version: 1
>> > > dn: cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,cn=config
>> > > objectClass: top
>> > > objectClass: nsDSWindowsReplicationAgreement
>> > > description: AD Sync Agreement
>> > > cn: ADSync
>> > > nsds7WindowsReplicaSubtree: cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
>> > > nsds7DirectoryReplicaSubtree: ou=People,dc=algonquincollege,dc=com
>> > > nsds7NewWinUserSyncEnabled: on
>> > > nsds7NewWinGroupSyncEnabled: on
>> > > nsds7WindowsDomain: ottawa.ad.algonquincollege.com
>> > > nsDS5ReplicaRoot: dc=algonquincollege,dc=com
>> > > nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
>> > > nsDS5ReplicaPort: 389
>> > > nsDS5ReplicaBindDN: cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
>> > > nsDS5ReplicaBindMethod: SIMPLE
>> > > nsDS5ReplicaCredentials: {DES}U68ooQM3C15xjJ/taDmy0A==
>> > > nsds5replicareapactive: 0
>> > > nsds5replicaLastUpdateStart: 20110530141648Z
>> > > nsds5replicaLastUpdateEnd: 20110530141648Z
>> > > nsds5replicaChangesSentSinceStartup:
>> > > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
>> > > nsds5replicaUpdateInProgress: FALSE
>> > > nsds5replicaLastInitStart: 20110530140648Z
>> > > nsds5replicaLastInitEnd: 20110530140648Z
>> > > nsds5replicaLastInitStatus: 0 Total update succeeded
>> > > [root at algldap slapd-algldap]#
>> > >
>> > > On Fri, May 27, 2011 at 10:57 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> >
>> > On 05/27/2011 04:22 AM, Albert Teh wrote:
>> > > Hi Rich,
>> > >
>> > > I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync set as
>> > > fromWindows in the multimaster replication plugin. I still got the same
>> > > result with no user created in the DS subtree.
>> >
>> > Have you read
>> > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>> >
>> > > Errors log:
>> > >
>> > > [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ADSync" (wodcstage-1:389)".
>> > > [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ADSync" (wodcstage-1:389)". Sent 0 entries.
>> > >
>> > > Access log:
>> > >
>> > > [27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
>> > > [27/May/2011:06:18:29 -0400] conn=1 op=114 RESULT err=0 tag=101 nentries=1 etime=
>> > >
>> > > Thanks for your help.
>> > >
>> > > Albert
>> > >
>> > > On Thu, May 26, 2011 at 11:13 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> >
>> > On 05/26/2011 08:58 AM, Albert Teh wrote:
>> > > Hi,
>> > >
>> > > We are setting up a new CENTOS-DS version 8.1.0. and CENTOS 5.5 and
>> > > attempt to synchronize with the existing 2003 Windows AD server.
>> > > Performing the full sync completed. There is no user created in the DS
>> > > subtree.
>> > >
>> > > We would like to perform one way Sync: AD ----> DS. Once it works, we
>> > > will set up the password Sync from the AD to DS.
>> >
>> > One way sync isn't supported with 8.1.0. I suggest using 389-ds-base
>> > 1.2.8.3 from EPEL5 which does support one way sync.
>> > http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
>> >
>> > > AD: cn=Users,cn=location,dc=ad,dc=domain,dc=com
>> > > DS: ou=Peoples,dc=domain,dc=com
>> > >
>> > > errors log:
>> > >
>> > > [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ADsync" (wodcstage-1:389)".
>> > > [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ADsync" (wodcstage-1:389)". Sent 0 entries.
>> > >
>> > > access log:
>> > >
>> > > [26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH base="cn=ADsync,cn=replica,cn=\22dc=algonquincollege,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
>> > > [26/May/2011:10:20:37 -0400] conn=11 op=819 RESULT err=0 tag=101 nentries=1 etime=0
>> > >
>> > > Thanks.
>> > > Albert
>> > >
>> > > --
>> > > 389 users mailing list
>> > > 389-users at lists.fedoraproject.org
>> > > https://admin.fedoraproject.org/mailman/listinfo/389-users
>> > >
>> > > --
>> > > Albert Teh
>> > > Email: Teh.Albert at Gmail.com
>> > >
>> > > HI Rich,
>> > >
>> > > These two commands worked and got the result. I have gone through the
>> > > Windows Sync agreement setup many times. I could not figure out what
>> > > went wrong.
>> > > Thanks a lot for your help again.
>> >
>> > Are you sure that the user
>> > "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>> > has Replication/Replicator rights in AD/Windows?
>> >
>> > > Albert
>> > >
>> > > [root at algldap ~]# /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s base -b "" "objectclass=*"
>> > > Enter bind password:
>> > > version: 1
>> > > dn:
>> > > currentTime: 20110601001342.0Z
>> > > subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > dsServiceName: CN=NTDS Settings,CN=WODCSTAGE-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > namingContexts: CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > namingContexts: CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > namingContexts: DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> > > defaultNamingContext: DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> > > schemaNamingContext: CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > configurationNamingContext: CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > rootDomainNamingContext: DC=ad,DC=algonquincollege,DC=com
>> > > supportedControl: 1.2.840.113556.1.4.319
>> > > supportedControl: 1.2.840.113556.1.4.801
>> > > supportedControl: 1.2.840.113556.1.4.473
>> > > supportedControl: 1.2.840.113556.1.4.528
>> > > supportedControl: 1.2.840.113556.1.4.417
>> > > supportedControl: 1.2.840.113556.1.4.619
>> > > supportedControl: 1.2.840.113556.1.4.841
>> > > supportedControl: 1.2.840.113556.1.4.529
>> > > supportedControl: 1.2.840.113556.1.4.805
>> > > supportedControl: 1.2.840.113556.1.4.521
>> > > supportedControl: 1.2.840.113556.1.4.970
>> > > supportedControl: 1.2.840.113556.1.4.1338
>> > > supportedControl: 1.2.840.113556.1.4.474
>> > > supportedControl: 1.2.840.113556.1.4.1339
>> > > supportedControl: 1.2.840.113556.1.4.1340
>> > > supportedControl: 1.2.840.113556.1.4.1413
>> > > supportedControl: 2.16.840.1.113730.3.4.9
>> > > supportedControl: 2.16.840.1.113730.3.4.10
>> > > supportedControl: 1.2.840.113556.1.4.1504
>> > > supportedControl: 1.2.840.113556.1.4.1852
>> > > supportedControl: 1.2.840.113556.1.4.802
>> > > supportedControl: 1.2.840.113556.1.4.1907
>> > > supportedControl: 1.2.840.113556.1.4.1948
>> > > supportedLDAPVersion: 3
>> > > supportedLDAPVersion: 2
>> > > supportedLDAPPolicies: MaxPoolThreads
>> > > supportedLDAPPolicies: MaxDatagramRecv
>> > > supportedLDAPPolicies: MaxReceiveBuffer
>> > > supportedLDAPPolicies: InitRecvTimeout
>> > > supportedLDAPPolicies: MaxConnections
>> > > supportedLDAPPolicies: MaxConnIdleTime
>> > > supportedLDAPPolicies: MaxPageSize
>> > > supportedLDAPPolicies: MaxQueryDuration
>> > > supportedLDAPPolicies: MaxTempTableSize
>> > > supportedLDAPPolicies: MaxResultSetSize
>> > > supportedLDAPPolicies: MaxNotificationPerConn
>> > > supportedLDAPPolicies: MaxValRange
>> > > highestCommittedUSN: 3103418
>> > > supportedSASLMechanisms: GSSAPI
>> > > supportedSASLMechanisms: GSS-SPNEGO
>> > > supportedSASLMechanisms: EXTERNAL
>> > > supportedSASLMechanisms: DIGEST-MD5
>> > > dnsHostName: WODCStage-1.ottawa.ad.algonquincollege.com
>> > > ldapServiceName: ad.algonquincollege.com:wodcstage-1$@OTTAWA.AD.ALGONQUINCOLLEGE.COM
>> > > serverName: CN=WODCSTAGE-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>> > > supportedCapabilities: 1.2.840.113556.1.4.800
>> > > supportedCapabilities: 1.2.840.113556.1.4.1670
>> > > supportedCapabilities: 1.2.840.113556.1.4.1791
>> > > isSynchronized: TRUE
>> > > isGlobalCatalogReady: TRUE
>> > > domainFunctionality: 2
>> > > forestFunctionality: 2
>> > > domainControllerFunctionality: 2
>> > > [root at algldap ~]#
>> > >
>> > > Partial out:
>> > >
>> > > [root at algldap ~]# /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s sub -b "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" "objectclass=person" | more
>> > > Enter bind password:
>> > > version: 1
>> > > dn: CN=isp-transfer,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> > > objectClass: top
>> > > objectClass: person
>> > > objectClass: organizationalPerson
>> > > objectClass: user
>> > > cn: isp-transfer
>> > > description: Transfer for Genesis Data to International Student Program share
>> > > givenName: isp-transfer
>> > > distinguishedName: CN=isp-transfer,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> > > instanceType: 4
>> > > whenCreated: 20040517155823.0Z
>> > > whenChanged: 20081016173006.0Z
>> > > displayName: isp-transfer
>> > > uSNCreated: 255422
>> > > memberOf: CN=NAS_Transfer_Genesis_ISP,OU=Groups,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> > > uSNChanged: 255422
>> > > name: isp-transfer
>> > > objectGUID:: EaeRW3KiMUac6hzEs//X/g==
>> > > userAccountControl: 66048
>> > > badPwdCount: 0
>> > > codePage: 0
>> > > countryCode: 0
>> > > badPasswordTime: 0
>> > > lastLogoff: 0
>> > > lastLogon: 0
>> > > pwdLastSet: 127292831041031250
>> > > primaryGroupID: 513
>> > > objectSid:: AQUAAAAAAAUVAAAArhyVdhR1dBOOfkA4DN8BAA==
>> > > accountExpires: 9223372036854775807
>> > > logonCount: 0
>> sAMAccountName: isp-transfer
>> >
>> sAMAccountType: 805306368
>> >
>> userPrincipalName: isp-transfer at algonquincollege.com
>> >
>> lockoutTime: 0
>> >
>> objectCategory:
>>
>> CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege
>> >
>> ?,DC=com
>> >
>> dSCorePropagationData: 20110131155635.0Z
>> >
>> dSCorePropagationData: 20091227191115.0Z
>> >
>> dSCorePropagationData: 20090127144505.0Z
>> >
>> dSCorePropagationData: 20081201175842.0Z
>> >
>> dSCorePropagationData: 16010714223649.0Z
>> >
>> lastLogonTimestamp: 128686221598537375
>>
>> >
>> >
>> dn:
>>
>> CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> >
>> objectClass: top
>> >
>> objectClass: person
>> >
>> objectClass: organizationalPerson
>> >
>> objectClass: user
>> >
>> cn: heatweb
>> >
>> sn: heatweb
>> >
>> description: Used to communicate between HEAT and IIS
>> >
>> distinguishedName:
>>
>> CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=
>> >
>> ?com
>> >
>> instanceType: 4
>> >
>> whenCreated: 20050218192725.0Z
>> >
>> whenChanged: 20081016172611.0Z
>> >
>> displayName: heatweb
>> >
>> uSNCreated: 89976
>> >
>> memberOf: CN=Heat
>>
>> Users,OU=Groups,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>> >
>> uSNChanged: 89976
>> >
>> name: heatweb
>> >
>> objectGUID:: 07KJaAgkGUapXbQN7VprrQ==
>> >
>> userAccountControl: 66048
>> >
>> badPwdCount: 0
>> >
>> codePage: 0
>> >
>> countryCode: 0
>> --
>> Albert Teh
>> Email: Teh.Albert at Gmail.com
>> > --
>> > 389 users mailing list
>> > 389-users at lists.fedoraproject.org
>> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>> End of 389-users Digest, Vol 73, Issue 7
> --
> Albert Teh
> Email: Teh.Albert at Gmail.com
--
Albert Teh
Email: Teh.Albert at Gmail.com
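Added here as an example, not code from the thread or from 389 Directory Server: a small parser for the LDIF that ldapsearch prints, decoding the userAccountControl value shown for each account above (66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD) so the accounts a sync agreement would pull from cn=Users can be reviewed first. The sample entries are constructed from the heatweb entry with standard LDIF folding; the svc-disabled entry is hypothetical.

```python
# Added example, not code from the thread: decode userAccountControl from ldapsearch LDIF output.
UAC_FLAGS = {  # bit names from Microsoft's userAccountControl documentation
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
# Constructed sample modelled on the heatweb entry quoted above (standard LDIF folding:
# a continuation line starts with one space); the svc-disabled entry is made up.
SAMPLE_LDIF = """dn: CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,
 DC=com
cn: heatweb
userAccountControl: 66048
accountExpires: 9223372036854775807

dn: CN=svc-disabled,CN=Users,DC=example,DC=test
cn: svc-disabled
userAccountControl: 514
accountExpires: 132000000000000000
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, unfolding continuation lines first."""
    lines = text.replace("\n ", "").splitlines()   # RFC 2849 folding: newline + space
    entries, current = [], {}
    for line in lines + [""]:                       # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip(": "))
    return entries

def decode_uac(value):
    """Map a userAccountControl integer to the names of its set bits."""
    return {name for bit, name in UAC_FLAGS.items() if int(value) & bit}

def audit(text):
    """Return {cn: (flag names, password/account never expires)} for each user entry."""
    report = {}
    for e in parse_ldif(text):
        if "userAccountControl" in e:
            expires = int(e.get("accountExpires", ["0"])[0])
            report[e["cn"][0]] = (decode_uac(e["userAccountControl"][0]),
                                  expires in (0, 9223372036854775807))  # 0 or max: never
    return report
```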