[389-users] [389][Active Directory] Replication issue

Moisés Barba Pérez mbarperoi at gmail.com
Tue Apr 15 09:23:52 UTC 2014 

I think there have been a misunderstood. The problem isn't the codification.

If we change the givenname (for example) in AD then the replication
agreement between 389DS and AD writes that change in LDAP (It doesn't
matter what type of change, base64 or not), but the 389DS logs doesn't show
that "update" in the attribute.

Eventually, I look for that change in another server with multimaster
replication and I saw the change. ¿Is that normal? I mean:

AD <==========> 389 DS (1)  <==========> 389 DS (2)
make a                    Recive the change               Recive the change
from 389DS(1)
change                    but doesn't show it                and show the
change in the logs.
and sends                in his logs
it to 389DS(1)           ¿why doesn't it show
                                the change?

Regards,
Moses


2014-04-14 18:07 GMT+02:00 Rich Megginson <rmeggins at redhat.com>:

> On 04/14/2014 09:35 AM, Steven Crothers wrote:
>
>> The problem is that the sn and givenName attributes contain the same
>> data, but the data is now in base64, so it's not human readable.
>>
>
> Is it base64 encoded in AD, or only in 389?
> Have you base64 decoded one of the values to see what it is?
> Is it base64 encoded as seen by ldapsearch, or is it actually base64
> encoded in the db?  Note that in LDAP (but not necessarily in AD, which
> violates several LDAP standards), if there is trailing whitespace in an
> attribute value, ldapsearch will base64 encode the value when it displays
> it, since the trailing whitespace is not "visible".
>
>
>
>> I'm not sure how to get around that myself.
>> Steven Crothers
>> steven.crothers at gmail.com
>>
>>
>> On Mon, Apr 14, 2014 at 9:58 AM, Rich Megginson <rmeggins at redhat.com>
>> wrote:
>>
>>> On 04/14/2014 02:49 AM, Moisés Barba Pérez wrote:
>>>
>>> Hello,
>>>
>>>     Unfortunately in our organization we have a replication agreement
>>> between
>>> 389 DS and an Active Directory.
>>>
>>>     For some reason, some Active Directory admin has run a script which
>>> has
>>> change the "givenname" and "sn" attrs (now they are in base64) and that
>>> change have been replicated to the 389 DS (1).
>>>
>>>     The issue is: This changes coming from replication aren't shown in
>>> the
>>> server logs with the AD agreement, I saw them in the access file and
>>> audit
>>> file but from another 389 DS (2) server with multimaster replication
>>> agreement not in the server with the AD agreement ¿Is this normal? We are
>>> using 1.2.5 version.
>>>
>>>
>>> I don't understand what the problem is.  Can you be more specific?
>>>
>>>
>>>   AD <=====> 389 DS (1)  <=====> 389 DS (2)
>>>
>>> Regards,
>>> Moses.
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20140415/e3a6a526/attachment.html>

More information about the 389-users mailing list