Trying to delete an entry in AD configured with winsync replication one-way from Windows.
The synced entry has also not been deleted in DS389.
This is the error message:
DEBUG - clcache_initial_anchorcsn - anchor is now: 61b26119000100010000
[09/Dec/2021:21:04:03.381822400 +0100] - DEBUG - NSMMReplicationPlugin - changelog program - agmt="cn=AD2D389" (labdc1:636): CSN 61b26119000100010000 found, position set for replay
[09/Dec/2021:21:04:03.407178341 +0100] - DEBUG - agmt="cn=AD2D389" (labdc1:636) - clcache_get_next_change - load=1 rec=1 csn=61b26132000000010000
[09/Dec/2021:21:04:03.424657228 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - windows_replay_update - agmt="cn=AD2D389" (labdc1:636) -Looking at delete operation local dn="uid=pluto.paperino,ou=Internal Users,ou=people,dc=lab,dc=com" (ours,user,not group)
[09/Dec/2021:21:04:03.441053065 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - map_entry_dn_outbound - agmt="cn=AD2D389" (labdc1:636) - Looking for AD entry for DS dn="nsuniqueid=12789181-592b11ec-8a489caa-30ef94f6,uid=pluto.paperino,ou=Internal Users,ou=people,dc=lab,dc=com" guid="d86ea71b3b9e2249844770275958e84b"
[09/Dec/2021:21:04:03.457975212 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Calling windows entry search request plugin
[09/Dec/2021:21:04:03.477204880 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Received 2 messages, 1 entries, 0 references
[09/Dec/2021:21:04:03.492898116 +0100] - DEBUG - NSMMReplicationPlugin - windows sync - map_entry_dn_outbound - agmt="cn=AD2D389" (labdc1:636) - Return code 0 from search for AD entry dn="<GUID=d86ea71b3b9e2249844770275958e84b>" or dn="CN=Pluto Paperino,CN=D389Sync,DC=lab,DC=local"
[09/Dec/2021:21:04:03.509304473 +0100] - ERR - NSMMReplicationPlugin - windows sync - windows_replay_update - agmt="cn=AD2D389" (labdc1:636) - Failed map dn for delete operation dn="uid=pluto.paperino,ou=Internal Users,ou=people,dc=lab,dc=com" rc=-1 remote_dn = [(null)]
[09/Dec/2021:21:04:03.526216140 +0100] - DEBUG - agmt="cn=AD2D389" (labdc1:636) - clcache_adjust_anchorcsn - agmt="cn=AD2D389" (labdc1:636) - (cscb 0 - state 1) - csnPrevMax (61b26132000000010000) csnMax (61b26132000000010000) csnBuf (61b26132000000010000) csnConsumerMax (61b26132000000010000)
Any help would be appreciated...
The Winsync Agreement has also been configured with:
In the scenario where a user is moved out of scope, it has been successfully deleted.
I'm running into some migration issues trying to get my hosts off of RHEL6.
I currently have a single supplier and multiple consumers and am trying to
add a new supplier on RHEL7. I was hoping to do so initially by just
setting up a replication agreement but have run into the ordering issue
As a fallback option, I have tried dumping my existing supplier via
ns-slapd db2ldif -r, but when I import I am seeing a number of errors like:
[11/Dec/2021:12:49:03.523666969 -0800] - DEBUG - attr_get_value_cmp_fn - Syntax [18.104.22.168.4.1.1422.214.171.124.12] for attribute [creatorsName] does not support ordering
Initially I had syntax checking on, which was off in my 1.2 instance.
Syntax checking is now off but I am still seeing these errors. Any
suggestions as to what I should modify to be able to import my remaining
Casey Feskens <cfeskens(a)willamette.edu>
Director of Infrastructure Services
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: (503) 370-6950
Hi to all,
hope someone can help me on this.
I am struggling with my last configuration step.
I have configured D389 to sync One-Way from Active Directory.
Everything is working fine and AD users are correctly synchronized in a specific OU of D389.
Then I've configured PAM Pass-Through in order to permit AD-synced users in D389 to log in without exposing the user password (leave it empty; this will be a frontend for a web portal).
The result would be:
Web Portal login -> D389 (AD synced users with no password) -> PAM Pass-Through to AD, which returns the login result.
The only thing that is not working concerns the nsAccount objectClass, which is not present in synced D389 users.
For example, creating a user with the dsidm command adds the nsAccount objectClass as expected and the bind is successful.
During my tests I've seen that if nsAccount is not present, PAM PT returns an error, while if it is present everything works well.
So my question is:
How can I set this objectClass during Winsync (in an automatic way) in order to "activate" synced users, or am I missing something?
Many thanks for your help.
Is there a simple way to tell that a user has been authenticated by looking at the access log?
Something like "authentication successful" in the access log.
I have been looking at the access log file and enabled the various logging levels, and although I can personally tell that a user has been authenticated, there is no message that I can search on if I need to audit the logs to see date/time/user for a successful auth.
Is there another log I should be looking at?
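In the 389-ds access log a bind shows up as a BIND line followed by a RESULT line on the same conn/op, and it is the RESULT's err value (0 for success, 49 for invalid credentials) that tells you whether authentication succeeded. The following added example (not part of the post above) pairs those two lines to produce an auditable date/time/user list of successful and failed binds; the sample log lines are constructed in the standard access-log format, and the assumption that a successful bind RESULT may carry a trailing dn= field is used only as a fallback for SASL binds whose BIND line has an empty dn.

```python
import re

# Constructed sample lines in 389-ds access-log format (not taken from the original post).
SAMPLE_LOG = """\
[10/Dec/2021:09:15:01.123456789 +0100] conn=17 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10
[10/Dec/2021:09:15:01.234567890 +0100] conn=17 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[10/Dec/2021:09:15:01.345678901 +0100] conn=17 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000012 optime=0.001234 etime=0.001246 dn="uid=alice,ou=people,dc=example,dc=com"
[10/Dec/2021:09:15:02.222222222 +0100] conn=18 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[10/Dec/2021:09:15:02.333333333 +0100] conn=18 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000010 optime=0.002000 etime=0.002010
[10/Dec/2021:09:15:03.000000000 +0100] conn=17 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=carol)" attrs=ALL
[10/Dec/2021:09:15:03.100000000 +0100] conn=17 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000008 optime=0.000900 etime=0.000908
"""

BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
    r' method=(?P<method>\S+)')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
    r' tag=(?P<tag>\d+)(?P<rest>.*)$')
RESULT_DN_RE = re.compile(r' dn="(?P<dn>[^"]*)"')

def bind_events(lines):
    """Pair each BIND with the RESULT on the same conn/op and report its outcome."""
    pending = {}   # (conn, op) -> BIND match waiting for its RESULT
    events = []
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m
            continue
        r = RESULT_RE.match(line)
        if not r or r["tag"] != "97":   # tag 97 = bindResponse; searches etc. use other tags
            continue
        b = pending.pop((r["conn"], r["op"]), None)
        if b is None:
            continue                    # RESULT whose BIND we never saw (e.g. log rotated mid-op)
        # SASL binds log an empty BIND dn; assumed fallback: take the dn= appended to the RESULT.
        rdn = RESULT_DN_RE.search(r["rest"])
        dn = b["dn"] or (rdn["dn"] if rdn else "")
        err = int(r["err"])
        events.append({"ts": r["ts"], "conn": int(r["conn"]), "op": int(r["op"]),
                       "dn": dn or "<anonymous>", "method": b["method"],
                       "err": err, "ok": err == 0})
    return events

def successful_binds(lines):
    """Date/time and bound identity for every bind that returned err=0."""
    return [(e["ts"], e["dn"]) for e in bind_events(lines) if e["ok"]]
```

On a real server, pass the open access log (for example `successful_binds(open("/var/log/dirsrv/slapd-instance/access"))`) to get the audit list; the failed entries from `bind_events` are equally useful for spotting password-guessing against a single dn.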
I'd like to discuss several recent (in the last couple of months) commits in stable branches of 389ds. I will be talking about 1.4.4 (https://github.com/389ds/389-ds-base/tree/389-ds-base-1.4.4) since it's the one we are using in production, but I think it's the same for 1.4.3. These commits are welcome and go in the right direction, however the changes they produce are not something one expects when the server version changes in the 4th digit (ex. 126.96.36.199 -> 188.8.131.52). Here they are:
1) Some database files [presumably memory-mapped files that are ok to be lost at reboot] that were previously in /var/lib/dirsrv/slapd-instance/db/ are now moved to /dev/shm/slapd-instance/. This modification seems to work fine (and should increase performance), however there is an error message at server startup when /dev/shm is empty (for example, after each OS reboot) and the server needs to create the files:
[03/Dec/2021:12:12:14.887200364 +0100] - ERR - bdb_version_write - Could not open file "/dev/shm/slapd-model/DBVERSION" for writing Netscape Portable Runtime -5950 (File not found.)
After the next 389ds restart this ERR message does not appear, but it appears after each OS reboot (since /dev/shm is cleaned up after each reboot).
2) The UNIX socket of the server was moved to /run/slapd-instance.socket, and a new keyword in the .inf file for dscreate ("ldapi") has appeared.
Works fine, but it had an impact on our scripts that use the ldapi socket path.
3) A new default plugin requirement, the plugin being written in Rust - probably its introduction is FIPS-related (Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode). See my comment https://github.com/389ds/389-ds-base/issues/5008#issuecomment-983759224. Rust becomes a requirement for building the server, which is fine, but then it should be enabled by default in "./configure". Without it the server does not compile the new plugin and complains about it when starting:
[01/Dec/2021:12:54:04.460194603 +0100] - ERR - symload_report_error - Could not open library "/Local/dirsrv/lib/dirsrv/plugins/libpwdchan-plugin.so" for plugin PBKDF2
Thank you and keep up the good work, we use 389ds in production since 2007 and we are quite happy with it :)
I have a main LDAP database on an Alma EL8 server; this works okay and
we can replicate from 8 to 8 via the Cockpit web manager.
We, however, have a server that is on EL7. We can install 389ds, however
the commands and setup are different and it uses the 389 DS console. Our
end goal is to replicate the stuff from the EL8 database to the EL7
using master/slave.
Is there any way to get the EL8 version onto EL7, and if not, how do I
go about replicating everything? I have set it up so that TLS is enabled
and can ping, telnet etc. to the EL7 server from the EL8; however, when I
try to replicate after entering the details, I get errors such as:
authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server),
system error -5987 (Invalid function argument.), network error 0
(Unknown error, host "linux-el8:636") (same when trying to replicate
over non tls, port 389)
I am using the rsearch cmd with different numbers of threads and run times to assess DS performance over time. I run the cmd locally. I would like to know how to cfg this cmd to use port 636? I tried cfg with -p 636 but it will not run.
Also I would like to learn if there are also 389-ds cmds available to run to measure server performance, with the option to adjust the number of threads run in parallel.
Here is my basic rsearch cmd:
rsearch -h localhost -p 389 -D "cn=directory manager" -w xxx -s "ou=Users,ou=ds,dc=xxxx" -f "uid=49999" -v -T 10 -t 50
I have a Windows replication agreement between 389D and AD. However, I cannot
figure out what attributes are set to replicate between the two. I've
looked within dse.ldif under the nsDSWindowsReplicationAgreement but
there's no list of attributes. Can anyone help me track down the list of
-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020