[389-users] Sync AD with 389-DS Unable to parse response

Rich Megginson rmeggins at redhat.com
Wed Feb 9 15:46:01 UTC 2011


On 02/09/2011 06:39 AM, remy d1 wrote:
> Hi Rich,
>
> I reinstalled all my server from scratch and reimported all my data 
> (with cert files).
>
> If I try to synchronize my data, I can import users from AD to 389-DS 
> but I can't do the opposite. My 389 server replica is always in status 
> "in progress" with "replica acquired successfully : incremental update 
> started", but it can't finish the synchronization job.

Sometimes you have to tell winsync to do a full resync a few times 
before it finally works.
>
> I could also continue to launch requests to my AD server from my 389-DS 
> server (ldapsearch...). I successfully added a user to my AD with Apache 
> Directory Studio (installed on my 389-DS server) with the AD 
> synchronizing account. So, it's not an access problem.
>
> Moreover I added a schema on my 389-DS for my directory that is not 
> present on my AD. Do you think I have to add this schema to AD or is 
> the synchronization done only on AD required attributes ?
No.  The schema that winsync uses is hard coded in 389 - you cannot 
extend it or change it - it should work with AD, no changes to AD should 
be required.
>
> Or,
>
> Is it a cert file problem on my AD ?
>
> or ...?
>
> Any idea would be appreciated
>
> Regards-
>
>
> 2011/1/25 Rich Megginson <rmeggins at redhat.com>
>
>     On 01/25/2011 01:29 AM, remy d1 wrote:
>>     Hi Rich,
>>
>>     I tried to raise the log level, but when I did it, I was not able
>>     to stop/restart my dirsrv service.
>     What log level did you use?  What error messages did you see when
>     you attempted to stop/restart the service?  Anything in the errors
>     log?
>
>>     To stop it, I must kill the process and remove the pid file. Then
>>     I could start it.
>>
>>     In my error logs, there is a lot of information:
>>
>>
>>     [root at KingKong ~]# tail /var/log/dirsrv/slapd-KingKong/errors
>>     [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
>>     program - cl5GetOperationCount: could not get DB object for replica
>>     [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
>>     program - _cl5GetDBFile: no DB object found for database
>>     /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
>>     [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
>>     program - cl5GetOperationCount: could not get DB object for replica
>>     [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
>>     program - _cl5GetDBFile: no DB object found for database
>>     /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
>>     [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
>>     program - cl5GetOperationCount: could not get DB object for replica
>>     [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog
>>     program - _cl5GetDBFile: no DB object found for database
>>     /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
>>     [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog
>>     program - cl5GetOperationCount: could not get DB object for replica
>>     [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog
>>     program - _cl5GetDBFile: no DB object found for database
>>     /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
>>     [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog
>>     program - cl5GetOperationCount: could not get DB object for replica
>>     [24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog
>>     program - cl5ExportLDIF: failed to locate changelog file for
>>     replica at (dc=mydomain,dc=com)
>>
>>
>>     This problem is very similar to this post :
>>     http://www.redhat.com/archives/fedora-directory-commits/2009-March/msg00005.html
>>     Although I have the last version of 389-DS.
>     Are you sure this is the correct post you wanted to refer to? 
>     Because this is a patch commit for a fix when moving the changelog
>     directory - did you move the changelog directory?  Because you did
>     not mention it in your earlier post.
>
>>
>>     I think I have also some troubleshooting with my hostname because
>>     bind is not configured. However, I have chosen to put it in my
>>     /etc/hosts file
>>     [root at KingKong ~]# nl /etc/host.conf
>>          1    multi on
>>          2    order hosts,bind
>>     hostname command reply the full "fqdn" if I choose the option
>>     --all-fqdn, contrary to the option "--fqdn". The reply is just my
>>     hostname without the domain. By the way, if I say
>>     #hostname KingKong.mydomain.com
>>     Everything is now good for my hostname but I can not launch my
>>     389-console. I think the address to connect is not ok... I do not
>>     know if this problem is linked to the previous problems...
>>
>>     So, I do #hostname KingKong
>>     Then, I launch the console again. Now, if I try to initiate a
>>     full synchronization, I can see (and I am still stuck on it) the
>>     window "please wait while data is being synchronized...", but
>>     nothing else... Data are not synchronized and I do not see
>>     anything in my Windows event viewer while replica agreement seems
>>     to be ok and PassSync service is installed...
>     It is very difficult to change your hostname after you have
>     configured the admin server and console.  I suggest starting over
>     from scratch, and first make sure your hostname is correct.
>
>     I also suggest using
>     http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync
>     to configure Windows Sync.
>
>>
>>
>>     Thanks for help,
>>
>>     -Regards
>>
>>     2011/1/21 Rich Megginson <rmeggins at redhat.com>
>>
>>>         Date:
>>>         Fri, 21 Jan 2011 10:25:56 +0100
>>>         To:
>>>         "General discussion list for the 389 Directory server
>>>         project." <389-users at lists.fedoraproject.org>
>>>
>>>
>>>         Hi Rich,
>>>
>>>         Thanks for this useful link.
>>>
>>>         I have successfully initiated replica between Windows AD and
>>>         my server 389-DS. Ldapsearch is working. But even if
>>>         everything seems to be ok, the update does not work and I do
>>>         not see any error in the log files... So, my AD server stays
>>>         empty, the accounts are not migrated...
>>>
>>>         Here you have my access log file which is more verbose...
>>>         (mydomain.com for the example):
>>         <snip>
>>>         Obviously I am connecting to the server 389-DS itself
>>>         whereas it can resolve the DNS name of my Windows server...
>>>         There is no error in the AD event viewer while I could see
>>>         errors on it when it was misconfigured (like DirSync
>>>         errors)... So, basically, the Windows server is contacted to
>>>         my DS-Server over 2 different networks.
>>>
>>>         Do you think I have to open the ports described in my message ?
>>>
>>>         -Regards.
>>         I don't know.  There is no winsync information in the access
>>         log.  Note that the access log records client accesses to the
>>         directory server, and in winsync, the directory server itself
>>         acts as a client to AD, so winsync will log nothing in the
>>         access log.  The errors log could be helpful, and especially
>>         using the replication log level (which is also used for
>>         winsync logging).  The Windows Event Viewer is useless for
>>         winsync issues.
>>
>>
>
>
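
Rich's point that winsync problems surface in the errors log rather than the access log, as an added example (not part of the original thread and not 389 project code): a Python script that folds wrapped errors-log entries back together and counts repeats, so a recurring failure stands out from the noise. The sample lines are taken from the excerpt quoted above; the function names are hypothetical.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Entry layout as seen in the excerpt quoted in this thread:
#   [24/Jan/2011:16:18:30 +0100] <subsystem> - <message>
ENTRY = re.compile(r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
                   r"(?P<subsystem>\S+) - (?P<msg>.*)$")

# Sample input: lines from the quoted excerpt, still wrapped as the mail shows them.
SAMPLE = """\
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
program - _cl5GetDBFile: no DB object found for database
/var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog
program - cl5ExportLDIF: failed to locate changelog file for
replica at (dc=mydomain,dc=com)
"""

def parse_errors_log(text):
    """Return (timestamp, subsystem, message) tuples; a line without a
    leading timestamp is treated as a wrapped continuation of the last entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append([ts, m["subsystem"], m["msg"]])
        elif entries:
            entries[-1][2] += " " + line
    return [tuple(e) for e in entries]

def summarize(entries):
    """Group identical (subsystem, message) pairs: count, first and last seen."""
    groups = OrderedDict()
    for ts, subsystem, msg in entries:
        g = groups.setdefault((subsystem, msg), {"count": 0, "first": ts, "last": ts})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
    return groups

if __name__ == "__main__":
    for (subsystem, msg), g in summarize(parse_errors_log(SAMPLE)).items():
        print(f'{g["count"]:3d}x {g["first"]:%H:%M:%S}-{g["last"]:%H:%M:%S} {subsystem}: {msg}')
```
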
