<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 04/16/2014 01:21 AM, Moisés Barba
Pérez wrote:<br>
</div>
<blockquote
cite="mid:CAOgigOOGZmjuXd=DcAtrWDC7hH=OWnVv+yqOsGnHjAnA6GVO+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>Ok. I have no problem with that, but... Shouldn't it be
better behaviour to show these changes in 389DS? At least
in the audit log.</div>
</div>
</div>
</div>
</blockquote>
<br>
These changes are not showing up in the audit log? That sounds like
a bug, which may have been fixed after version 1.2.5<br>
<br>
<blockquote
cite="mid:CAOgigOOGZmjuXd=DcAtrWDC7hH=OWnVv+yqOsGnHjAnA6GVO+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>Because if you are looking for a change date or
modifier's DN and you have no logs, how can you tell where
the change comes from?<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
The access log by default logs operations from _external_ clients.
The way winsync works is that it polls AD for changes and writes
them using _internal_ operations. So if having winsync operations
in the access log is critically important to you, and you can
tolerate the noise of all of the additional internal operations,
then you can enable access logging of internal operations. The
reason why we do not enable access logging of internal operations by
default is that it adds a _lot_ of information to the access log,
something that most admins do not want to have to sift through.<br>
<br>
Also, if you are looking for something specific (e.g. debugging),
you can enable the Replication error log level
<a class="moz-txt-link-freetext" href="http://port389.org/wiki/FAQ#Troubleshooting">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
<br>
<blockquote
cite="mid:CAOgigOOGZmjuXd=DcAtrWDC7hH=OWnVv+yqOsGnHjAnA6GVO+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<br>
</div>
In my case, I am not the AD admin and I would like to prove
that some changes have been made in AD and replicated to
389DS.<br>
</div>
</div>
</div>
</blockquote>
<br>
See above.<br>
<blockquote
cite="mid:CAOgigOOGZmjuXd=DcAtrWDC7hH=OWnVv+yqOsGnHjAnA6GVO+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
Regards,<br>
</div>
Moses.<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
2014-04-15 15:44 GMT+02:00 Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="">
<div>On 04/15/2014 03:23 AM, Moisés Barba Pérez wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>I think there has been a
misunderstanding. The problem isn't the
encoding.<br>
<br>
</div>
If we change the givenname (for example)
in AD then the replication agreement
between 389DS and AD writes that change
in LDAP (it doesn't matter what type of
change, base64 or not), but the 389DS
logs don't show that "update" in the
attribute.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
Right. The winsync operations are _internal_ operations.
You'll have to enable access logging of internal
operations to see these in the access log.
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div> <br>
</div>
Eventually, I looked for that change in
another server with multimaster
replication and I saw the change. Is
that normal? I mean:<br>
<br>
<pre>
AD <==========> 389 DS (1) <==========> 389 DS (2)
make a          Receive the change       Receive the change from 389DS(1)
change          but doesn't show it      and show the change in the logs.
                and sends                in his logs
                it to 389DS(1)           why doesn't it show
                                         the change?
</pre>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div><br>
</div>
<div>Regards,<br>
Moses<br>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-04-14 18:07
GMT+02:00 Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>On 04/14/2014 09:35 AM, Steven Crothers
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> The problem
is that the sn and givenName attributes
contain the same<br>
data, but the data is now in base64, so
it's not human readable.<br>
</blockquote>
<br>
</div>
Is it base64 encoded in AD, or only in 389?<br>
Have you base64 decoded one of the values to
see what it is?<br>
Is it base64 encoded as seen by ldapsearch, or
is it actually base64 encoded in the db? Note
that in LDAP (but not necessarily in AD, which
violates several LDAP standards), if there is
trailing whitespace in an attribute value,
ldapsearch will base64 encode the value when
it displays it, since the trailing whitespace
is not "visible".
<div>
<div><br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> <br>
I'm not sure how to get around that
myself.<br>
Steven Crothers<br>
<a moz-do-not-send="true"
href="mailto:steven.crothers@gmail.com"
target="_blank">steven.crothers@gmail.com</a><br>
<br>
<br>
On Mon, Apr 14, 2014 at 9:58 AM, Rich
Megginson <<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> On 04/14/2014
02:49 AM, Moisés Barba Pérez wrote:<br>
<br>
Hello,<br>
<br>
Unfortunately in our organization
we have a replication agreement
between<br>
389 DS and an Active Directory.<br>
<br>
For some reason, some Active
Directory admin has run a script which
has<br>
changed the "givenname" and "sn" attrs
(now they are in base64) and that<br>
change has been replicated to the 389
DS (1).<br>
<br>
The issue is: These changes coming
from replication aren't shown in the<br>
server logs with the AD agreement. I
saw them in the access file and audit<br>
file but from another 389 DS (2)
server with multimaster replication<br>
agreement, not in the server with the
AD agreement. Is this normal? We are<br>
using version 1.2.5.<br>
<br>
<br>
I don't understand what the problem
is. Can you be more specific?<br>
<br>
<br>
AD <=====> 389 DS (1)
<=====> 389 DS (2)<br>
<br>
Regards,<br>
Moses.<br>
<br>
<br>
--<br>
389 users mailing list<br>
<a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org"
target="_blank">389-users@lists.fedoraproject.org</a><br>
<a moz-do-not-send="true"
href="https://admin.fedoraproject.org/mailman/listinfo/389-users"
target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
<br>
<br>
<br>
</blockquote>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
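Added example, not part of this thread or of the 389 DS project: the reply above explains that winsync writes through internal operations, which the access log omits unless internal-operation logging is switched on, and that doing so adds a lot of volume. The block below builds the cn=config change (nsslapd-accesslog-level, using the documented bit values 256 for the default client logging and 4 for internal operations) and then shows how to pick the internal write operations out of the resulting log. The log lines are constructed for the example; that internal operations are tagged conn=Internal is an assumption to check against your own server's access log before relying on the pattern.<br>

```python
import re
from typing import List

# nsslapd-accesslog-level bits in cn=config (documented 389 DS values).
ACCESSLOG_DEFAULT = 256   # connections, operations and results of external clients
ACCESSLOG_INTERNAL = 4    # internal operations, e.g. the writes winsync performs


def level_with_internal(current: int) -> int:
    """Set the internal-operations bit without disturbing any other bit."""
    return current | ACCESSLOG_INTERNAL


def ldif_set_accesslog_level(level: int) -> str:
    """LDIF for: ldapmodify -x -D "cn=Directory Manager" -W -f enable-internal.ldif"""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-accesslog-level\n"
            "nsslapd-accesslog-level: %d\n" % level)


# Constructed access-log lines (not from a real server). They follow the general
# "[time] conn=N op=M KIND ..." shape; the conn=Internal tag for internal operations
# is an assumption, adjust LINE_RE and the startswith() test to your own log.
SAMPLE_ACCESS_LOG = """\
[15/Apr/2014:10:02:11 +0200] conn=12 op=0 BIND dn="uid=moses,ou=People,dc=example,dc=com" method=128 version=3
[15/Apr/2014:10:02:11 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Apr/2014:10:02:30 +0200] conn=Internal op=-1 MOD dn="uid=jdoe,ou=People,dc=example,dc=com"
[15/Apr/2014:10:02:30 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
[15/Apr/2014:10:02:45 +0200] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[15/Apr/2014:10:02:45 +0200] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[15/Apr/2014:10:03:01 +0200] conn=Internal op=-1 MOD dn="uid=asmith,ou=People,dc=example,dc=com"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) op=(?P<op>\S+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')

WRITE_KINDS = ("ADD", "MOD", "MODRDN", "DEL")


def parse_access_log(text: str) -> List[dict]:
    """One dict per parsable line: timestamp, conn, op, kind, dn, internal flag."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated line shapes are skipped
        rec = m.groupdict()
        rec["internal"] = rec["conn"].startswith("Internal")
        dn = DN_RE.search(rec["rest"])
        rec["dn"] = dn.group("dn") if dn else ""
        records.append(rec)
    return records


def internal_modifications(text: str) -> List[str]:
    """DNs changed by internal write operations: once internal logging is enabled,
    these are the candidates for 'a change that winsync pulled in from AD'."""
    return [r["dn"] for r in parse_access_log(text)
            if r["internal"] and r["kind"] in WRITE_KINDS]


def noise_ratio(text: str) -> float:
    """Share of parsed lines that are internal operations: a quick measure of the
    extra volume to expect before leaving internal logging on permanently."""
    recs = parse_access_log(text)
    return sum(1 for r in recs if r["internal"]) / len(recs) if recs else 0.0


if __name__ == "__main__":
    print(ldif_set_accesslog_level(level_with_internal(ACCESSLOG_DEFAULT)))
    for dn in internal_modifications(SAMPLE_ACCESS_LOG):
        print("internal write:", dn)
    print("internal share of log lines: %.0f%%" % (100 * noise_ratio(SAMPLE_ACCESS_LOG)))
```

Read the current value of nsslapd-accesslog-level first and pass it to level_with_internal() so that any other bits already set are preserved, and switch the setting back off after the investigation, for the volume reason given in the reply.<br>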
<br>
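Added example, not part of this thread: the quoted reply further down explains that ldapsearch prints a value as base64 when it has trailing whitespace, because the whitespace would otherwise be invisible. The block below implements the RFC 2849 rule an LDIF writer follows (a value is base64-encoded if it starts with a space, ':' or '<', ends with a space, or contains NUL, CR, LF or non-ASCII bytes) and decodes a "::" line back to its bytes, reporting which rule forced the encoding, so a reader can tell a display artefact from genuinely changed data. The sample ldapsearch lines are constructed for the example.<br>

```python
import base64
from typing import List, Optional, Tuple

# Bytes RFC 2849 treats as unsafe anywhere in a value (NUL, LF, CR) and the ones
# that are unsafe only as the first byte (space, ':' and '<').
UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}
UNSAFE_FIRST = {0x20, 0x3A, 0x3C}


def base64_reason(value: bytes) -> Optional[str]:
    """Why an RFC 2849 writer such as ldapsearch would print this value after '::'
    (base64) instead of ':'. Returns None when the value is printed verbatim."""
    if not value:
        return None
    if value[0] in UNSAFE_FIRST:
        return "leading %r" % chr(value[0])
    if value[-1] == 0x20:
        return "trailing whitespace"
    for b in value:
        if b in UNSAFE_ANYWHERE:
            return "control byte 0x%02x" % b
        if b > 0x7F:
            return "non-ASCII byte 0x%02x" % b
    return None


def format_ldif_attr(name: str, value: bytes) -> str:
    """Render one attribute line the way an LDIF writer would."""
    if base64_reason(value) is None:
        return "%s: %s" % (name, value.decode("ascii"))
    return "%s:: %s" % (name, base64.b64encode(value).decode("ascii"))


def decode_ldif_attr(line: str) -> Tuple[str, bytes, Optional[str]]:
    """Parse 'attr: value' or 'attr:: base64value' from ldapsearch output and return
    (attribute, raw bytes, the rule that forced base64 encoding or None)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        raw = base64.b64decode(rest[1:].strip())
        return name, raw, base64_reason(raw) or "not required by RFC 2849"
    plain = rest[1:] if rest.startswith(" ") else rest
    return name, plain.encode("utf-8"), None


def explain(lines: List[str]) -> List[str]:
    """Human-readable verdict per line: plain, or decoded bytes plus the reason."""
    out = []
    for line in lines:
        name, raw, reason = decode_ldif_attr(line)
        if reason is None:
            out.append("%s is plain text" % name)
        else:
            out.append("%s decodes to %r; encoded because of %s" % (name, raw, reason))
    return out


# Constructed ldapsearch output (not taken from the thread): a first name with a
# trailing space, which looks "encoded" but is readable once decoded, an accented
# surname in UTF-8, and a plain value.
SAMPLE_OUTPUT = [
    "givenName:: TW9pc2VzIA==",   # b"Moises "
    "sn:: UMOpcmV6",              # b"P\xc3\xa9rez"
    "cn: Moses",
]

if __name__ == "__main__":
    for msg in explain(SAMPLE_OUTPUT):
        print(msg)
```

Running explain() over a dump of the affected entries answers the question asked in the thread (is the data itself changed, or only its display?): a reason of "trailing whitespace" means the human-readable text is intact and only a space was appended, while a control or non-ASCII byte means the stored value really differs.<br>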
</body>
</html>