On Wednesday, 23 November 2005 at 16:57, David Boreham wrote:
Hi, can you post the entire log segment where this shows up, please?
OK, attached is the error log (error log level set to replication debugging).
A wrong password would just mean that the connection would fail. It
wouldn't have any persistent effect.
Hmm, I also did an ldapsearch and got "Invalid Credentials" (log at the end).
So this means it uses the wrong password, because I tried a different one than
the actual one. But when starting the ldapsearch, does it log in to the ApacheDS
without using PDC data? Or is there a connection? And what should come
out... the whole PDC tree, I think, but I'm not sure.
NTDS side (PDC machine). NTDS uses ApacheDS. ApacheDS stores
its password in its database. However, originally it always initialized that
password to a known value. We were concerned about the security
implications of that and made a change to the ApacheDS code such that
the password is read from the config file rather than using the default value
(which would be the same for all installations). In order to force users
to set the password, I believe we refuse to function until it is set in the
config file. At least that's how I remember it. I'd need to look at the
code to be sure.
But which user does it use?
uid=admin,ou=system
as the default ApacheDS root entry?
And what happens when this user doesn't exist? And the password is set to a
value I cannot remember? I think the only chance to solve this problem is to
reinstall (uninstalling deletes the DS, right?) the whole winsync and then
have the user admin and use its password.
Anyway, the ldapmodify operation will be to the userpassword attribute
on the ApacheDS root entry. I'll look that up and post the command...
Your problem may be that you haven't set the password in the first place.
It should be possible to use ldapsearch to check that your NTDS is up
and running and answering LDAP searches correctly. Once that's proven,
FDS should be able to sync with it OK using the same bind credentials
and password.
ldapsearch works, but (as you can see below) my bind password is wrong (or I
can't remember it... :) )
-------------- Begin of LOG ------------------------
[root@fedorads001 slapd-fedorads001]# ldapsearch -v -D "uid=admin,ou=system" -x -w mysecret -h 192.168.1.218 -t "*"
ldap_initialize( ldap://192.168.1.218 )
ldap_bind: Invalid credentials (49)
additional info: Bind failure: org.apache.ldap.common.exception.LdapAuthenticationException
    at org.apache.ldap.server.authn.AuthenticationService.process(AuthenticationService.java:297)
    at org.apache.ldap.server.interceptor.InterceptorChain$3.process(InterceptorChain.java:578)
    at org.apache.ldap.server.interceptor.BaseInterceptor.process(BaseInterceptor.java:185)
    at org.apache.ldap.server.normalization.NormalizationService.process(NormalizationService.java:162)
    at org.apache.ldap.server.interceptor.BaseInterceptor.process(BaseInterceptor.java:101)
    at org.apache.ldap.server.interceptor.InterceptorChain.process(InterceptorChain.java:478)
    at org.apache.ldap.server.jndi.JndiProvider.invoke(JndiProvider.java:171)
    at org.apache.ldap.server.jndi.JndiProvider$PartitionNexusImpl.hasEntry(JndiProvider.java:247)
    at org.apache.ldap.server.jndi.ServerContext.<init>(ServerContext.java:118)
    at org.apache.ldap.server.jndi.ServerDirContext.<init>(ServerDirContext.java:61)
    at org.apache.ldap.server.jndi.ServerLdapContext.<init>(ServerLdapContext.java:56)
    at org.apache.ldap.server.jndi.JndiProvider.getLdapContext(JndiProvider.java:122)
    at org.apache.ldap.server.jndi.CoreContextFactory.getInitialContext(CoreContextFactory.java:245)
    at org.apache.ldap.server.jndi.ServerContextFactory.getInitialContext(ServerContextFactory.java:154)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
    at org.apache.ldap.server.protocol.BindHandler.messageReceived(BindHandler.java:134)
    at org.apache.mina.protocol.handler.DemuxingProtocolHandler.messageReceived(DemuxingProtocolHandler.java:69)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    at org.apache.mina.protocol.AbstractProtocolFilterChain.callNextMessageReceived(AbstractProtocolFilterChain.java:363)
    at org.apache.mina.protocol.AbstractProtocolFilterChain.access$1100(AbstractProtocolFilterChain.java:50)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$Entry$1.messageReceived(AbstractProtocolFilterChain.java:524)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$1.messageReceived(AbstractProtocolFilterChain.java:99)
    at org.apache.mina.protocol.AbstractProtocolFilterChain.callNextMessageReceived(AbstractProtocolFilterChain.java:363)
    at org.apache.mina.protocol.AbstractProtocolFilterChain.messageReceived(AbstractProtocolFilterChain.java:354)
    at org.apache.mina.protocol.ProtocolSessionManagerFilterChain$1.messageReceived(ProtocolSessionManagerFilterChain.java:77)
    at org.apache.mina.protocol.AbstractProtocolFilterChain.callNextMessageReceived(AbstractProtocolFilterChain.java:363)
    at org.apache.mina.protocol.AbstractProtocolFilterChain.access$1100(AbstractProtocolFilterChain.java:50)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$Entry$1.messageReceived(AbstractProtocolFilterChain.java:524)
    at org.apache.mina.protocol.filter.ProtocolThreadPoolFilter.processEvent(ProtocolThreadPoolFilter.java:96)
    at org.apache.mina.util.BaseThreadPool$Worker.processEvents(BaseThreadPool.java:340)
    at org.apache.mina.util.BaseThreadPool$Worker.run(BaseThreadPool.java:279)
BindRequest = org.apache.ldap.common.message.BindRequestImpl@da9067
-------------- End of LOG ------------------------
Btw... it would be nice to find a schema (written or drawn) which tells me (or
everyone) how winsync and passwordsync work. The pictures in the manuals
show me which way the servers exchange information, but within the
PDC (or AD) I don't know anything; it is a black box.
And... I didn't find the sources to check for myself. Is it closed source?
See U
Hartmut
--
===========================================
Hartmut Woehrle
EMail: hartmut.woehrle(a)mail.pcom.de
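The thread above boils down to two steps: prove with ldapsearch that the bind credentials for the ApacheDS admin entry are accepted, then (once a working bind exists) change userPassword on that entry with ldapmodify. The script below is an added example, written for this page and not part of the thread or of the winsync/ApacheDS code. It assumes the admin DN is uid=admin,ou=system (the default the thread asks about) and reuses the host 192.168.1.218 from the posted log; both are placeholders. Unlike the posted command, it reads the bind password from a file (-y) rather than passing it with -w, so the secret does not appear in the process list or shell history.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed placeholders:
# ADMIN_DN = the ApacheDS admin entry, LDAP_HOST = the NTDS/ApacheDS listener.
ADMIN_DN="uid=admin,ou=system"
LDAP_HOST="192.168.1.218"

# Map the text that ldapsearch prints on stderr for a failed bind to a short
# label, so a wrapper script can distinguish "wrong password" from "server
# not reachable". Input: captured stderr. Output: label on stdout.
classify_bind_error() {
    case "$1" in
        *"Invalid credentials (49)"*)          echo "invalid-credentials" ;;
        *"Inappropriate authentication (48)"*) echo "inappropriate-auth" ;;
        *"Can't contact LDAP server"*)         echo "unreachable" ;;
        *)                                     echo "other" ;;
    esac
}

# Simple bind as ADMIN_DN with the password read from a file (-y), doing a
# base-scope search that requests no attributes (1.1). Prints "bind-ok" and
# returns 0 on success; otherwise prints the classified error and returns 1.
check_bind() {
    pwfile="$1"
    err=$(ldapsearch -x -H "ldap://$LDAP_HOST" -D "$ADMIN_DN" -y "$pwfile" \
              -b "ou=system" -s base "(objectClass=*)" 1.1 2>&1 >/dev/null) && {
        echo "bind-ok"
        return 0
    }
    classify_bind_error "$err"
    return 1
}

# Build the LDIF that replaces userPassword on the admin entry. The value is
# sent as given, so run ldapmodify over TLS or on the local host only.
make_password_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$ADMIN_DN" "$1"
}

# Usage (needs a reachable server, so not executed here):
#   printf '%s' 'current-secret' > /tmp/pw; chmod 600 /tmp/pw
#   check_bind /tmp/pw
#   make_password_ldif 'new-secret' | ldapmodify -x -H "ldap://$LDAP_HOST" \
#       -D "$ADMIN_DN" -y /tmp/pw
```

Two points worth noting against the posted log. First, result code 49 only tells you the DN/password pair was rejected; it does not distinguish "wrong password" from "entry does not exist", which is exactly the ambiguity Hartmut raises. Second, the server returned its full Java stack trace (class names, source files and line numbers) in the diagnostic message of a failed, unauthenticated bind; that is information an attacker probing the port gets for free and is something to tighten in the server's error handling.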