[389-users] [389][Active Directory] Replication issue
Rich Megginson
rmeggins at redhat.com
Tue Apr 15 13:44:57 UTC 2014
On 04/15/2014 03:23 AM, Moisés Barba Pérez wrote:
> I think there have been a misunderstood. The problem isn't the
> codification.
>
> If we change the givenname (for example) in AD then the replication
> agreement between 389DS and AD writes that change in LDAP (It doesn't
> matter what type of change, base64 or not), but the 389DS logs doesn't
> show that "update" in the attribute.
Right. The winsync operations are _internal_ operations. You'll have
to enable access logging of internal operations to see these in the
access log.
>
> Eventually, I look for that change in another server with multimaster
> replication and I saw the change. ¿Is that normal? I mean:
>
> AD <==========> 389 DS (1) <==========> 389 DS (2)
> make a Recive the change Recive the
> change from 389DS(1)
> change but doesn't show it and show
> the change in the logs.
> and sends in his logs
> it to 389DS(1) ¿why doesn't it show
> the change?
>
> Regards,
> Moses
>
>
> 2014-04-14 18:07 GMT+02:00 Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>:
>
> On 04/14/2014 09:35 AM, Steven Crothers wrote:
>
> The problem is that the sn and givenName attributes contain
> the same
> data, but the data is now in base64, so it's not human readable.
>
>
> Is it base64 encoded in AD, or only in 389?
> Have you base64 decoded one of the values to see what it is?
> Is it base64 encoded as seen by ldapsearch, or is it actually
> base64 encoded in the db? Note that in LDAP (but not necessarily
> in AD, which violates several LDAP standards), if there is
> trailing whitespace in an attribute value, ldapsearch will base64
> encode the value when it displays it, since the trailing
> whitespace is not "visible".
>
>
>
> I'm not sure how to get around that myself.
> Steven Crothers
> steven.crothers at gmail.com <mailto:steven.crothers at gmail.com>
>
>
> On Mon, Apr 14, 2014 at 9:58 AM, Rich Megginson
> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>
> On 04/14/2014 02:49 AM, Moisés Barba Pérez wrote:
>
> Hello,
>
> Unfortunately in our organization we have a
> replication agreement between
> 389 DS and an Active Directory.
>
> For some reason, some Active Directory admin has run a
> script which has
> change the "givenname" and "sn" attrs (now they are in
> base64) and that
> change have been replicated to the 389 DS (1).
>
> The issue is: This changes coming from replication
> aren't shown in the
> server logs with the AD agreement, I saw them in the
> access file and audit
> file but from another 389 DS (2) server with multimaster
> replication
> agreement not in the server with the AD agreement ¿Is this
> normal? We are
> using 1.2.5 version.
>
>
> I don't understand what the problem is. Can you be more
> specific?
>
>
> AD <=====> 389 DS (1) <=====> 389 DS (2)
>
> Regards,
> Moses.
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20140415/ef233731/attachment.html>
More information about the 389-users
mailing list