<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/19/2011 08:49 AM, remy d1 wrote:
<blockquote
cite="mid:AANLkTi=e=_JREYx8oRUbEJwabJPF_+v=6ssCmutc5HUc@mail.gmail.com"
type="cite">Hi,<br>
<br>
I have some problems to synchronize 389-DS with AD<br>
<br>
<br>
I have followed this HowTo : <a moz-do-not-send="true"
href="http://www.linuxmail.info/389-directory-active-directory-ssl-synch/">http://www.linuxmail.info/389-directory-active-directory-ssl-synch/</a><br>
</blockquote>
I didn't read this, but I would suggest starting with this instead:<br>
<a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync</a><br>
<blockquote
cite="mid:AANLkTi=e=_JREYx8oRUbEJwabJPF_+v=6ssCmutc5HUc@mail.gmail.com"
type="cite">
<br>
I have successfully imported cert files in both AD and 389-DS and
can communicate in SSL mode (ldaps). I can login from my 389-DS to
my AD server with 389-console or Apache Directory Studio, but
synchronize does not work.<br>
<br>
Here are the error logs from 389-DS :<br>
[19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin -
agmt="cn=Synchro ldap" (WINSERVER:636): Unable to parse the
response to the startReplication extended operation. Replication
is aborting.<br>
[19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin -
agmt="cn=Synchro ldap" (WINSERVER:636): Incremental update failed
and requires administrator action<br>
</blockquote>
Definitely some sort of configuration problem. 389 is attempting to
use the 389 MMR protocol instead of the winsync protocol.<br>
<blockquote
cite="mid:AANLkTi=e=_JREYx8oRUbEJwabJPF_+v=6ssCmutc5HUc@mail.gmail.com"
type="cite"><br>
<br>
If I try an ldapsearch :<br>
/usr/lib64/mozldap/ldapsearch -ZZ -b "dc=mydomain,dc=com" -h
WINSERVER -p 636 -R -D "CN=synchro
ldap,CN=Users,DC=mydomain,DC=com" -w - "objectclass=*"<br>
Enter bind password: <br>
ldap_start_tls_s failed: (Can't contact LDAP server)<br>
ldap_simple_bind: Can't contact LDAP server<br>
TLS/SSL error -5961 (TCP connection reset by peer.)<br>
</blockquote>
1) either use -Z and -p 636, or -ZZ and -p 389 - you cannot use both
-ZZ and -p 636 (i.e. you cannot use startTLS on the LDAPS port since
it is already encrypted)<br>
2) You have to specify -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db on
the ldapsearch cmd line<br>
<blockquote
cite="mid:AANLkTi=e=_JREYx8oRUbEJwabJPF_+v=6ssCmutc5HUc@mail.gmail.com"
type="cite"><br>
<br>
I have open the ports 88, 389 and 636. Should I open all this
ports ? : <br>
<a moz-do-not-send="true"
href="http://technet.microsoft.com/fr-fr/library/bb967329.aspx">http://technet.microsoft.com/fr-fr/library/bb967329.aspx</a><br>
<br>
<br>
Any idea ?<br>
<br>
-Regards<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</body>
</html>