[389-users] AD Sync Fails with: R00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece.

Josh Miller joshua at itsecureadmin.com
Wed Jul 20 02:55:28 UTC 2011

On 7/12/2011 7:33 AM, Rich Megginson wrote:

Hi Rich, thanks for the response.

> On 07/11/2011 09:31 PM, Josh Miller wrote:
>> Using:
>> - 389 DS 8.1
> 8.1???? Platform? rpm -qi 389-ds-base

Name        : centos-ds-base               Relocations: (not relocatable)
Version     : 8.1.0                             Vendor: CentOS
Release     : 0.14.el5.centos.2             Build Date: Thu 14 May 2009 
06:38:31 AM PDT
Install Date: Thu 03 Feb 2011 12:15:02 PM PST      Build Host: 
Group       : System Environment/Daemons    Source RPM: 
Size        : 5117970                          License: GPLv2 with 
Signature   : DSA/SHA1, Tue 26 May 2009 03:33:09 PM PDT, Key ID 
URL         : http://www.centos.org/
Summary     : CentOS Directory Server (base)
Description :
CentOS Directory Server is an LDAPv3 compliant server.  The base package 
the LDAP server and command line utilities for server administration.

>> - AD 2003/2008
>> I am trying to sync from AD (one way) to 389 DS and getting the
>> following error:
>> R00002105: LdapErr: DSID-0C0907C9, comment: Error processing control,
>> data 0, vece.
>> A tcpdump does not appear to reveal anything in the way of errors
> Could you post an excerpt from it?

I've attached the portion of the package capture between the 3-way 
hand-shake between the domain controller and when the directory server 
begins sending it's entries back to the domain controller.

>> and I
>> got the above error from the packet capture.
>> Any idea how to continue troubleshooting or resolve this issue?
>> I can query AD via ldapsearch using the AD credential set that I have
>> configured in the sync agreement.
> 389 uses the AD DirSync Control for reading the list of changes. The
> bind DN you are using to connect to AD must have Replicator rights in
> order to use this control.

I believe this has been done already, although I have no access to the 
domain to verify this other than through LDAP.  I have confirmed this 
with the windows admin twice now to be sure.

>> Thanks,

Thanks a lot,
Josh Miller
Open Source Solutions Architect
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 389-server-packet-cap.txt
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20110719/e9c113ee/attachment.txt>

More information about the 389-users mailing list