<div dir="ltr"><div><div><div>Ok. I have no problem with that, but... Wouldn&#39;t it be better behaviour to show these changes in 389DS? At least in the audit log. Because if you are looking for a change date or modifier&#39;s DN and you have no logs, how can you find out where the change comes from?<br>
<br></div>In my case, I am not the AD admin and I would like to prove that some changes had been made in AD and replicated to 389DS.<br><br></div>Regards,<br></div>Moses.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2014-04-15 15:44 GMT+02:00 Rich Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><div class="">
    <div>On 04/15/2014 03:23 AM, Moisés Barba
      Pérez wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>I think there has been a misunderstanding. The
                      problem isn&#39;t the codification.<br>
                      <br>
                    </div>
                    If we change the givenname (for example) in AD then
                    the replication agreement between 389DS and AD
                    writes that change in LDAP (it doesn&#39;t matter what
                    type of change, base64 or not), but the 389DS logs
                    don&#39;t show that &quot;update&quot; in the attribute.<br>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></div>
    Right.  The winsync operations are _internal_ operations.  You&#39;ll
    have to enable access logging of internal operations to see these in
    the access log.<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <br>
                  </div>
                  Eventually, I looked for that change in another server
                  with multimaster replication and I saw the change. Is
                  that normal? I mean:<br>
                  <br>
                  AD &lt;==========&gt; 389 DS (1) &lt;==========&gt; 389 DS (2)<br>
                  <br>
                  AD: makes a change and sends it to 389DS(1).<br>
                  389 DS (1): receives the change but doesn&#39;t show it in its logs. Why doesn&#39;t it show the change?<br>
                  389 DS (2): receives the change from 389DS(1) and shows the change in the logs.<br>
                </div>
              </div>
            </div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <div>
                <div><br>
                </div>
                <div>Regards,<br>
                  Moses<br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">2014-04-14 18:07 GMT+02:00 Rich
          Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>On 04/14/2014 09:35 AM, Steven Crothers wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                The problem is that the sn and givenName attributes
                contain the same<br>
                data, but the data is now in base64, so it&#39;s not human
                readable.<br>
              </blockquote>
              <br>
            </div>
            Is it base64 encoded in AD, or only in 389?<br>
            Have you base64 decoded one of the values to see what it is?<br>
            Is it base64 encoded as seen by ldapsearch, or is it
            actually base64 encoded in the db?  Note that in LDAP (but
            not necessarily in AD, which violates several LDAP
            standards), if there is trailing whitespace in an attribute
            value, ldapsearch will base64 encode the value when it
            displays it, since the trailing whitespace is not &quot;visible&quot;.
            <div>
              <div><br>
                <br>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <br>
                  I&#39;m not sure how to get around that myself.<br>
                  Steven Crothers<br>
                  <a href="mailto:steven.crothers@gmail.com" target="_blank">steven.crothers@gmail.com</a><br>
                  <br>
                  <br>
                  On Mon, Apr 14, 2014 at 9:58 AM, Rich Megginson &lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;
                  wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    On 04/14/2014 02:49 AM, Moisés Barba Pérez wrote:<br>
                    <br>
                    Hello,<br>
                    <br>
                        Unfortunately in our organization we have a
                    replication agreement between<br>
                    389 DS and an Active Directory.<br>
                    <br>
                        For some reason, some Active Directory admin has
                    run a script which has<br>
                    changed the &quot;givenname&quot; and &quot;sn&quot; attrs (now they are
                    in base64) and that<br>
                    change has been replicated to the 389 DS (1).<br>
                    <br>
                        The issue is: These changes coming from
                    replication aren&#39;t shown in the<br>
                    server logs with the AD agreement, I saw them in the
                    access file and audit<br>
                    file but from another 389 DS (2) server with
                    multimaster replication<br>
                    agreement not in the server with the AD agreement.
                    Is this normal? We are<br>
                    using 1.2.5 version.<br>
                    <br>
                    <br>
                    I don&#39;t understand what the problem is.  Can you be
                    more specific?<br>
                    <br>
                    <br>
                      AD &lt;=====&gt; 389 DS (1)  &lt;=====&gt; 389 DS
                    (2)<br>
                    <br>
                    Regards,<br>
                    Moses.<br>
                    <br>
                    <br>
                    --<br>
                    389 users mailing list<br>
                    <a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
                    <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
                    <br>
                  </blockquote>
                </blockquote>
                <br>
                </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
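The questions quoted in the thread above (is a value base64 in the directory, or only as displayed by ldapsearch, for example because of trailing whitespace?) can be answered by decoding the value and looking at its bytes. The following is an added example, not part of the original thread or of 389 DS: it decodes every `attr:: value` line of LDIF output and reports which RFC 2849 rule forces the base64 display. The sample entry, its values and the function names are constructed for illustration.

```python
import base64

# Constructed sample of ldapsearch (LDIF) output; DN and values are illustrative only.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
givenName:: Sm9obiA=
sn:: UMOpcmV6
cn: John Perez
"""

def why_base64(raw: bytes) -> list[str]:
    """Return the RFC 2849 reasons that make a value unsafe to print as plain text."""
    reasons = []
    if not raw:
        return reasons
    if raw[:1] in (b" ", b":", b"<"):
        reasons.append("unsafe first character")
    if raw.endswith(b" "):
        reasons.append("trailing space")
    if any(b in (0, 10, 13) for b in raw):
        reasons.append("NUL, LF or CR inside value")
    if any(b > 127 for b in raw):
        reasons.append("non-ASCII bytes")
    return reasons

def inspect_ldif(text: str) -> list[tuple[str, bytes, list[str]]]:
    """Decode each 'attr:: value' line and explain why it was base64 encoded."""
    findings = []
    # Unfold continuation lines: a line starting with one space continues the previous one.
    unfolded = text.replace("\n ", "")
    for line in unfolded.splitlines():
        attr, sep, value = line.partition("::")
        if not sep or not attr or ":" in attr:
            continue  # plain 'attr: value' line, comment or blank line
        raw = base64.b64decode(value.strip(), validate=True)
        findings.append((attr, raw, why_base64(raw)))
    return findings

if __name__ == "__main__":
    for attr, raw, reasons in inspect_ldif(SAMPLE_LDIF):
        # repr() makes trailing whitespace and escaped bytes visible.
        print(f"{attr}: {raw!r} -> {', '.join(reasons) or 'no RFC 2849 reason found'}")
```

A value that decodes to readable text with only a "trailing space" or "non-ASCII bytes" reason is stored as ordinary text and is merely displayed encoded; a value whose decoded bytes are themselves base64 text was written to the directory already encoded.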