[Fedora-directory-users] PassSync and PAM Question
by Sean Everson
All,
I have successfully set up FDS1.04 on Centos4.4, with passSync-20060330.msi
on Windows 2003 Server by following the directions in the docs + howtos.
All traffic is running successfully over SSL in both directions. I am able
to change my password on windows and login on Linux successfully. I am able
to change my password on Linux via ldappasswd or via the Directory Console
successfully. However, when I try to change my password via the standard
passwd command on a linux client the update causes an endless loop of
replication attempts. It would appear that the passwd command is using
crypt to store the password in the directory.
My questions are:
1) Is my understanding correct, that in order for passSync to work the
password encryption policy on the subtree used in the sync agreement has to
be set to "No encryption - CLEAR"? Are there any other settings that would
work?
2) I have experimented with "pam_password exo" and "pam_password clear" in
/etc/ldap.conf, but crypt seems to be used regardless of the settings in
this file for hashing the password locally before sending it to the
directory server. This causes an endless replication loop.
Does anyone have an example of an ldap.conf file that works with passSync
and allows the standard passwd command to work for password changes?
Thanks!
--Sean
Sean Everson
IT Manager
Netronome Systems, Inc.
sean.everson(a)netronome.com
16 years, 10 months
[Fedora-directory-users] Replication over SSL with simple authentication
by Reinhard Nappert
Hi,
I SSL-enabled two Directory Servers and I can access them over LDAPS
using ldapsearch and other clients. I enabled both servers with the
steps from the setupssl script. However, when I try to set replication up, I
get:
[15/Jun/2007:13:32:56 -0400] conn=6057 op=-1 fd=69 closed - SSL peer
cannot verify your certificate.
I did import the CA cert (self-signed) to the other server, both ways,
since I want to have multi-mastering.
By the way, I checked the serial numbers of the certs and they are not
identical.
Does anyone have an idea why the replication fails?
Thanks,
-Reinhard
16 years, 10 months
[Fedora-directory-users] Constraint Violation at Logon
by Aaron Cline
Hello:
I've emailed this to the list before but I didn't get an answer so I'm
bringing this up again with a little bit more information. This problem
seems to happen sporadically. I'm using Fedora DS 1.0.3 on the server. My
client system in this case is a RHEL 3 WS box. When the user tries to
login, the system will not accept his password. This doesn't happen all the
time though and I haven't yet figured out how to "make" it happen. Here are
the log messages on the client:
Jun 20 17:12:57 low-tcw-104 sshd[14328]: pam_ldap: error trying to bind as
user "uid=fallonma,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint
violation)
I found some messages on the server side in the "errors" file that coincide
with this user but the login attempt happens about 12 minutes after the
error messages. The error messages on the server are:
[20/Jun/2007:17:00:07 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ
TechOps" (low-mgt-100:389): windows_replay_update: failed to fetch local
entry for modify operation
dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:07 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ IVRS"
(low-mgt-100:389): windows_replay_update: failed to fetch local entry for
modify operation
dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:13 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ IVRS"
(low-mgt-100:389): windows_replay_update: failed to fetch local entry for
modify operation
dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:13 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ
TechOps" (low-mgt-100:389): windows_replay_update: failed to fetch local
entry for modify operation
dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:22 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ IVRS"
(low-mgt-100:389): windows_replay_update: failed to fetch local entry for
modify operation
dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:22 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ
TechOps" (low-mgt-100:389): windows_replay_update: failed to fetch local
entry for modify operation
dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
Is access to this user's information somehow locked at this point? Is the
replication doing something to the account?
Thanks for any info.
Aaron
16 years, 10 months
[Fedora-directory-users] problems w/ admin server, local.conf
by MJD Shop Account
I've set up a few FDS 1.0.4 servers now and have problems every time getting certain things right with the admin server. I run into problems using either the console or just ldif file (which I prefer, for scripting). Here's the typical problem: when I try to set nsAdminAccessHosts, I use an ldif file. I can see the new value is set in the operational attributes, but it doesn't always make it into /opt/fedora-ds/admin-server/config/local.conf. The admin server logs indicate it is using the old values.
I looked at file permissions, on one server I had owner:group as ldap:root, another has root:root, a third had ldap:ldap. That one was not getting updated, I changed it to root:root and restarted things and that seemed to update local.conf.
Now I'm building a new server and it's not updating. I get this error in the admin server error log:
[warn] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.
This was similar to the server I fixed, but I already have root:root permissions on that file.
I went and looked at the server that originally had root:root, and while it has been functioning OK, it too doesn't have the correctly updated values for nsAdminAccessHosts in local.conf and shows the same error in its logs from awhile back (March). So, I tried, for a test, setting the owner:group to ldap:root. When I did this and restarted admin server, I got this error:
[error] server reached MaxClients setting, consider raising the MaxClients setting
This on a server that should not have anyone connected to the admin server...
So I set it back to root:root and had neither error on restarting (but the attribute value is still wrong). On all servers, there is an httpd process under ldap user id and two under root user id (one of the two root processes is the parent to the other root and to the ldap process).
Some time ago I tried to find out what triggers the re-writing of local.conf, as Richard said it was best to use the console for updating these values, where some magic makes it do that. Richard suggested looking in the logs to see what was happening, but I found no clues there. If anyone has one...
Maybe the permissions need to match the method; would it be different running a root script at the command prompt vs. using the java console from a windows machine and connecting as the cn=dirmgr user?
Thanks,
MJD
16 years, 10 months
[Fedora-directory-users] Installing using yum, admin server & automatic uid
by Andreas Kekkou
Hi,
We are in the process of migrating our NIS to FDS. We've been
experimenting with FDS 1.0.4 for some time now and we managed to sync it
with AD and have our *nix clients authenticating using TLS. Last week I
installed FDS on Fedora 7 using yum. We have the base server functioning
but it seems too hard to maintain it without the admin server. Does
anybody know if I can get the admin server using cvs? And something
else, how do we take advantage of automatic uid? I'm creating accounts
using Softerra's LDAP Administrator. I've created a custom template and
set uid to optional but when I'm trying to create an account I'm getting
an error message.
Andreas
16 years, 10 months
[Fedora-directory-users] admin server ssl setup
by MJD Shop Account
I'm trying to set up the admin console to be accessible w/ SSL (https). I have the right certificates set up and the main FDS is SSL enabled. I'm running FDS 1.0.4. I usually get a problem when I open up the admin console, click on the Configuration tab, click on the Encryption tab in that window, then try to check the enable ssl box. It gives me some error and doesn't save it.
I had an idea which I tried and I think it worked (or it was just coincidence). Instead of clicking on the Configuration tab, I clicked the 'Configure Admin Server' task in the Task tab. This opened a separate configuration window which otherwise looks the same as before. But, this time I was successful in saving the change.
I still had a problem with the NSSNickname being set to 'blank' in the console.conf file (under /opt/fedora-ds/admin-serv/config); I edited that manually. This seems to happen if you try and fail to save the SSL changes, after that the certificate list always comes up empty. And I also manually edit nss.conf to point to a file for the certificate-store PIN for automatic startup.
So, should the two methods of opening the configuration window have different effects?
Thanks,
MJD
16 years, 10 months
RE: [Fedora-directory-users] Winsync and "New Windows User Sync" and "New Windows Group Sync"
by Ivan Ferreira
I found the problem.
I was delegating the administration of the replicated OU in Windows 2003.
This is not enough to enable "DirSync". The Windows replication Account
must have "Replicating Directory Changes" permissions.
Directory Server documentation
========================
During normal operation, all the updates made to entries in the Directory
Server that need to be sent to the Windows Server are generated via the
changelog. However, when the server is initially configured or after major
changes to its content, it is necessary to initiate a re-synchronization
process. For re-synchronization, the entire contents of synchronized
subtree in the Directory Server is examined and, if necessary, sent to the
Windows Server. This is done without using the changelog. Inbound changes,
that is changes to entries in the Windows Server, are found by using Active
Directory's `Dirsync' search feature. Because there is no changelog to use,
it is necessary to issue the Dirsync search periodically. The default
interval is five minutes.
Microsoft documentation
==================
Although the DirSync control is powerful and efficient, it has two
limitations. The first limitation is that the control must run by using a
user account that has the Replicating Directory Changes permission on the
domain naming context. By default, the Administrator user account has this
permission. However, we do not recommend that you use the Administrator
account to run your DirSync control program. Instead, we recommend that the
Replicating Directory Changes permission be granted to a typical user
account or group. Therefore, you can configure permissions that are
specific and limited to the DirSync control program.
http://support.microsoft.com/?scid=kb%3Ben-us%3B891995&x=16&y=16
========================================================================================
This information is private and confidential and intended for the recipient
only. If you are not the intended recipient of this message you are hereby
notified that any review, dissemination, distribution or copying of this
message is strictly prohibited. This communication is for information
purposes only and shall not be regarded neither as a proposal, acceptance
nor as a statement of will or official statement from NUCLEO S.A. . Email
transmission cannot be guaranteed to be secure or error-free. Therefore,
we do not represent that this information is complete or accurate and it
should not be relied upon as such. All information is subject to change
without notice.
16 years, 10 months
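The permission requirement described in this message, as an added example (not part of the original post and not code from the Fedora DS project): a Python check that reads the SDDL security descriptor of the domain naming context and reports whether the sync account holds Replicating Directory Changes through its own specific ACE, through a broader grant, or not at all. The SDDL string and SIDs below are constructed sample data, and the function names are hypothetical; exporting the descriptor from AD is left to the administrator.

```python
import re

# Extended-right GUID for "Replicating Directory Changes" (DS-Replication-Get-Changes).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
CONTROL_ACCESS = 0x100       # "CR" in SDDL: control access (extended rights)
GENERIC_ALL = 0x10000000     # "GA" in SDDL

# Constructed sample: DACL on the head of a domain naming context.
SYNC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"      # sync account
OU_ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"  # delegated on an OU only
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"         # Domain Admins: full control
    "(OA;;CR;" + GET_CHANGES + ";;" + SYNC_SID + ")"  # only the one extended right
    "(A;;RPLCLORC;;;AU)"                            # Authenticated Users: read
    "S:AI(AU;SA;WPWDWO;;;WD)"                       # SACL, must be ignored
)


def _pairs(field):
    """Split an SDDL flags/rights field into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def _has_right(rights, code, bit):
    """True if the rights field carries the right, as a token or as a hex bit."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & bit)
    return code in _pairs(rights)


def dacl_aces(sddl):
    """Return the DACL ACEs as dicts. Conditional ACEs are not handled."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    names = ("type", "flags", "rights", "object", "inherit_object", "sid")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:
            aces.append(dict(zip(names, fields)))
    return aces


def replication_grants(sddl):
    """Map each trustee to how it obtains Replicating Directory Changes.

    'explicit' = ACE for that one extended right; 'broad' = all extended
    rights or generic all. Only allow ACEs naming the trustee directly are
    listed; deny ACEs and group membership are not evaluated.
    """
    grants = {}
    for ace in dacl_aces(sddl):
        if ace["type"] not in ("A", "OA"):
            continue
        if "IO" in _pairs(ace["flags"]):   # inherit-only: not effective here
            continue
        guid = ace["object"].lower()
        if _has_right(ace["rights"], "GA", GENERIC_ALL):
            kind = "broad"
        elif _has_right(ace["rights"], "CR", CONTROL_ACCESS):
            if guid == GET_CHANGES:
                kind = "explicit"
            elif guid == "":
                kind = "broad"
            else:
                continue                    # some other extended right
        else:
            continue
        grants.setdefault(ace["sid"], set()).add(kind)
    return grants


def audit_sync_account(sddl, sid):
    """Classify the account: 'missing', 'least-privilege' or 'over-privileged'."""
    kinds = replication_grants(sddl).get(sid, set())
    if not kinds:
        return "missing"        # DirSync searches by this account will not work
    return "over-privileged" if "broad" in kinds else "least-privilege"


if __name__ == "__main__":
    for sid in (SYNC_SID, OU_ADMIN_SID, "DA"):
        print(sid, audit_sync_account(SAMPLE_SDDL, sid))
```

An account that was only delegated administration of the synchronized OU, as in the original setup, shows up as `missing` because the right is checked on the domain naming context, not on the OU.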
RE: [Fedora-directory-users] Need Help - FDS 1.0.4 - Admin Console - Details Inside - Thanks
by Sphenis cidae
After some tests, I discovered that the problem occurs after I turned on ldap authentication. Maybe I have to populate the ldap before I turn on authentication. I'll go learn some more. The long path of a newbie...
> I have fedora directory server 1.0.4 running and I can access it from a windows workstation using softerra ldap administrator, but when i try using the fedora admin console from the server i get the following error:
> "cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
> java.io.InterruptedIOException: HTTP response timeout"
> In /opt/fedora-ds/admin-serv/logs/error i have:
> child pid 2768 exit signal segmentation fault (11)
> child pid 2769 exit signal segmentation fault (11)
> ...
> child pid 3360 exit signal segmentation fault (11)
> I'm asking for a big help here. I'm just a newbie trying very hard to learn.
> Thanks, and I hope someday I'll be able to help you too.
16 years, 10 months
[Fedora-directory-users] Winsync and "New Windows User Sync" and "New Windows Group Sync"
by Ivan Ferreira
Hello all.
I successfully installed Fedora Directory Server 1.0.4-1.RHEL4 on RHEL4U5.
Also PassSync-20060330.msi was installed and configured in the Windows 2003
Domain Controller.
SSL connection is working.
Password synchronization works if the user exists on both Directories, but
new users and groups are not created.
I have enabled the "New Windows User Sync" and "New Windows Group Sync"
checkboxes, but nothing happens in the logs when I create a new user or
group.
Debug is enabled in DS and PassSync.
PassSync log:
06/15/07 19:11:41: There are no entries that match: juancitoperez
06/15/07 19:11:41: Deferring password change for juancitoperez
06/15/07 19:11:41: Backing off for 2048000ms
Directory Server log:
[15/Jun/2007:19:44:25 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): State: wait_for_changes -> wait_for_changes
[15/Jun/2007:19:44:25 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): State: wait_for_changes -> wait_for_changes
[15/Jun/2007:19:44:25 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): No linger to cancel on the connection
[15/Jun/2007:19:44:25 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Disconnected from the consumer
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): windows_inc_stop: protocol stopped after 1 seconds
[15/Jun/2007:19:44:26 -0400] - acquire_replica, supplier RUV:
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier:
{replicageneration} 46707261000000030000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier: {replica 3
ldap://infra1.sis.personal.net.py:389} 46714c54000000030000
46730709000100030000 00000000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier: {replica 4
ldap://infra2.sis.personal.net.py:389}
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier: {replica 1
ldap://infra1.sis.personal.net.py:389} 4673124f000000010000
46731f00000000010000 46731f01
[15/Jun/2007:19:44:26 -0400] - acquire_replica, consumer RUV:
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer:
{replicageneration} 46707261000000030000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer: {replica 3
ldap://infra1.sis.personal.net.py:389} 46714c54000000030000
46730709000100030000 00000000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer: {replica 4
ldap://infra2.sis.personal.net.py:389}
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer: {replica 1
ldap://infra1.sis.personal.net.py:389} 4673124f000000010000
467316d4000000010000 00000000
[15/Jun/2007:19:44:26 -0400] - acquire_replica, supplier RUV is newer
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Trying secure slapi_ldap_init
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): binddn = cn=SSOSync,ou=Service
accounts,ou=Usuarios,dc=personal,dc=com,dc=py, passwd =
{DES}T4FVTMFnERrR8F1Io6In7Q==
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): No linger to cancel on the connection
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - Beginning total update
of replica "agmt="cn=AD-FDS" (asusis-dc:636)".
[15/Jun/2007:19:44:26 -0400] - Sending dirsync search request
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): windows_process_total_entry: Looking
dn="uid=pgimenez,ou=SSO,dc=sis,dc=personal,dc=net,dc=py" (ours)
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): map_entry_dn_outbound: failed to fetch entry from AD:
dn="uid=pgimenez,ou=SSO,dc=sis,dc=personal,dc=net,dc=py", err=-1
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): windows_replay_update: failed map dn for total update
dn="uid=pgimenez,ou=SSO,dc=sis,dc=personal,dc=net,dc=py"
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Beginning linger on the connection
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): windows_tot_run: failed to obtain data to send to the
consumer; LDAP error - -1
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): No linger to cancel on the connection
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Disconnected from the consumer
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): State: start -> ready_to_acquire_replica
[15/Jun/2007:19:44:26 -0400] - acquire_replica, supplier RUV:
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier:
{replicageneration} 46707261000000030000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier: {replica 3
ldap://infra1.sis.personal.net.py:389} 46714c54000000030000
46730709000100030000 00000000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier: {replica 4
ldap://infra2.sis.personal.net.py:389}
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - supplier: {replica 1
ldap://infra1.sis.personal.net.py:389} 4673124f000000010000
46731f00000000010000 46731f01
[15/Jun/2007:19:44:26 -0400] - acquire_replica, consumer RUV:
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer:
{replicageneration} 46707261000000030000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer: {replica 3
ldap://infra1.sis.personal.net.py:389} 46714c54000000030000
46730709000100030000 00000000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer: {replica 4
ldap://infra2.sis.personal.net.py:389}
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - consumer: {replica 1
ldap://infra1.sis.personal.net.py:389} 4673124f000000010000
467316d4000000010000 00000000
[15/Jun/2007:19:44:26 -0400] - acquire_replica, supplier RUV is newer
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Trying secure slapi_ldap_init
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): binddn = cn=SSOSync,ou=Service
accounts,ou=Usuarios,dc=personal,dc=com,dc=py, passwd =
{DES}T4FVTMFnERrR8F1Io6In7Q==
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): No linger to cancel on the connection
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin -
windows_acquire_replica returned success (101)
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): State: ready_to_acquire_replica -> sending_updates
[15/Jun/2007:19:44:26 -0400] - _cl5PositionCursorForReplay
(agmt="cn=AD-FDS" (asusis-dc:636)): Consumer RUV:
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replicageneration} 46707261000000030000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replica 3 ldap://infra1.sis.personal.net.py:389}
46714c54000000030000 46730709000100030000 00000000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replica 4 ldap://infra2.sis.personal.net.py:389}
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replica 1 ldap://infra1.sis.personal.net.py:389}
4673124f000000010000 467316d4000000010000 00000000
[15/Jun/2007:19:44:26 -0400] - _cl5PositionCursorForReplay
(agmt="cn=AD-FDS" (asusis-dc:636)): Supplier RUV:
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replicageneration} 46707261000000030000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replica 3 ldap://infra1.sis.personal.net.py:389}
46714c54000000030000 46730709000100030000 00000000
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replica 4 ldap://infra2.sis.personal.net.py:389}
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): {replica 1 ldap://infra1.sis.personal.net.py:389}
4673124f000000010000 46731f00000000010000 46731f01
[15/Jun/2007:19:44:26 -0400] agmt="cn=AD-FDS" (asusis-dc:636) - session
start: anchorcsn=467316d4000000010000
[15/Jun/2007:19:44:26 -0400] agmt="cn=AD-FDS" (asusis-dc:636) - Can't
locate CSN 467316d4000000010000 in the changelog (DB rc=-30990). The
consumer may need to be reinitialized.
[15/Jun/2007:19:44:26 -0400] agmt="cn=AD-FDS" (asusis-dc:636) -
clcache_load_buffer: rc=-30990
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - changelog program -
agmt="cn=AD-FDS" (asusis-dc:636): CSN 467316d4000000010000 found, position
set for replay
[15/Jun/2007:19:44:26 -0400] agmt="cn=AD-FDS" (asusis-dc:636) -
clcache_load_buffer: rc=-30990
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): No more updates to send (cl5GetNextOperationToReplay)
[15/Jun/2007:19:44:26 -0400] agmt="cn=AD-FDS" (asusis-dc:636) - session
end: state=0 load=0 sent=0 skipped=0
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Beginning linger on the connection
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): State: sending_updates -> wait_for_changes
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Linger timeout has expired on the connection
[15/Jun/2007:19:44:26 -0400] NSMMReplicationPlugin - agmt="cn=AD-FDS"
(asusis-dc:636): Disconnected from the consumer
This is when I create a new account in AD
[15/Jun/2007:19:58:55 -0400] conn=29 fd=73 slot=73 SSL connection from
10.129.4.176 to 172.20.0.1
[15/Jun/2007:19:58:55 -0400] conn=29 SSL 128-bit RC4
[15/Jun/2007:19:58:55 -0400] conn=29 op=0 BIND dn="cn=sync
manager,cn=config" method=128 version=2
[15/Jun/2007:19:58:55 -0400] conn=29 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=sync manager,cn=config"
[15/Jun/2007:19:58:55 -0400] conn=29 op=1 SRCH
base="ou=sso,dc=sis,dc=personal,dc=net,dc=py" scope=2
filter="(ntUserDomainId=pepelin)" attrs=ALL
[15/Jun/2007:19:58:55 -0400] conn=29 op=1 RESULT err=0 tag=101 nentries=0
etime=0
[15/Jun/2007:19:58:55 -0400] conn=29 op=2 UNBIND
[15/Jun/2007:19:58:55 -0400] conn=29 op=2 fd=73 closed - U1
[15/Jun/2007:19:59:00 -0400] conn=13 op=24 SRCH
base="ou=SSO,dc=sis,dc=personal,dc=net,dc=py" scope=1
filter="(objectClass=*)" attrs="objectClass"
[15/Jun/2007:19:59:00 -0400] conn=13 op=24 RESULT err=0 tag=101 nentries=1
etime=0
[15/Jun/2007:19:59:01 -0400] conn=13 op=26 SRCH
base="ou=sudoers,dc=sis,dc=personal,dc=net,dc=py" scope=0
filter="(objectClass=*)" attrs=ALL
[15/Jun/2007:19:59:01 -0400] conn=13 op=26 RESULT err=0 tag=101 nentries=1
etime=0
[15/Jun/2007:19:59:01 -0400] conn=13 op=27 SRCH
base="ou=SSO,dc=sis,dc=personal,dc=net,dc=py" scope=0
filter="(objectClass=*)" attrs=ALL
[15/Jun/2007:19:59:01 -0400] conn=13 op=27 RESULT err=0 tag=101 nentries=1
etime=0
[15/Jun/2007:19:59:01 -0400] conn=13 op=28 SRCH
base="ou=SSO,dc=sis,dc=personal,dc=net,dc=py" scope=1
filter="(objectClass=*)" attrs="objectClass"
[15/Jun/2007:19:59:01 -0400] conn=13 op=28 RESULT err=0 tag=101 nentries=1
etime=0
[15/Jun/2007:19:59:03 -0400] conn=13 op=29 SRCH
base="ou=SSO,dc=sis,dc=personal,dc=net,dc=py" scope=1
filter="(objectClass=*)" attrs="objectClass"
[15/Jun/2007:19:59:03 -0400] conn=13 op=29 RESULT err=0 tag=101 nentries=1
etime=0
[15/Jun/2007:19:59:11 -0400] conn=30 fd=73 slot=73 SSL connection from
10.129.4.176 to 172.20.0.1
[15/Jun/2007:19:59:11 -0400] conn=30 SSL 128-bit RC4
[15/Jun/2007:19:59:11 -0400] conn=30 op=0 BIND dn="cn=sync
manager,cn=config" method=128 version=2
[15/Jun/2007:19:59:11 -0400] conn=30 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=sync manager,cn=config"
[15/Jun/2007:19:59:11 -0400] conn=30 op=1 SRCH
base="ou=sso,dc=sis,dc=personal,dc=net,dc=py" scope=2
filter="(ntUserDomainId=pepelin)" attrs=ALL
[15/Jun/2007:19:59:11 -0400] conn=30 op=1 RESULT err=0 tag=101 nentries=0
etime=0
[15/Jun/2007:19:59:11 -0400] conn=30 op=2 UNBIND
[15/Jun/2007:19:59:11 -0400] conn=30 op=2 fd=73 closed - U1
And PassSync:
06/15/07 19:58:44: Password list has 1 entries
06/15/07 19:58:44: Attempting to sync password for pepelin
06/15/07 19:58:44: Searching for (ntuserdomainid=pepelin)
06/15/07 19:58:44: There are no entries that match: pepelin
06/15/07 19:58:44: Deferring password change for pepelin
06/15/07 19:58:44: Backing off for 4000ms
06/15/07 19:58:48: Backoff time expired. Attempting sync
06/15/07 19:58:48: Password list has 1 entries
06/15/07 19:58:48: Attempting to sync password for pepelin
06/15/07 19:58:48: Searching for (ntuserdomainid=pepelin)
06/15/07 19:58:48: There are no entries that match: pepelin
06/15/07 19:58:48: Deferring password change for pepelin
06/15/07 19:58:48: Backing off for 8000ms
06/15/07 19:58:56: Backoff time expired. Attempting sync
06/15/07 19:58:56: Password list has 1 entries
06/15/07 19:58:56: Attempting to sync password for pepelin
06/15/07 19:58:56: Searching for (ntuserdomainid=pepelin)
06/15/07 19:58:56: There are no entries that match: pepelin
06/15/07 19:58:56: Deferring password change for pepelin
06/15/07 19:58:56: Backing off for 16000ms
06/15/07 19:59:12: Backoff time expired. Attempting sync
06/15/07 19:59:12: Password list has 1 entries
06/15/07 19:59:12: Attempting to sync password for pepelin
06/15/07 19:59:12: Searching for (ntuserdomainid=pepelin)
06/15/07 19:59:12: There are no entries that match: pepelin
06/15/07 19:59:12: Deferring password change for pepelin
06/15/07 19:59:12: Backing off for 32000ms
06/15/07 19:59:44: Backoff time expired. Attempting sync
06/15/07 19:59:44: Password list has 1 entries
06/15/07 19:59:44: Attempting to sync password for pepelin
06/15/07 19:59:44: Searching for (ntuserdomainid=pepelin)
06/15/07 19:59:44: There are no entries that match: pepelin
06/15/07 19:59:44: Deferring password change for pepelin
06/15/07 19:59:44: Backing off for 64000ms
I don't see any attempt to create the accounts.
What could be the problem?
16 years, 10 months