Hi Rich,
I reinstalled all my server from scratch and reimported all my data
(with cert files).
If I try to synchronize my data, I can import users from AD to 389-DS
but I can't do the opposite. My 389 server replica is always in status
"in progress" with "replica acquired successfully : incremental update
started", but it can't finish the synchronization job.
Sometimes you have to tell winsync to do a full resync a few times
before it finally works.
I could also continue to launch requests to my AD server from my 389-DS
server (ldapsearch...). I successfully added a user to my AD with Apache
Directory Studio (installed on my 389-DS server) with the AD
synchronizing account. So, it's not an access problem.
Moreover, I added a schema on my 389-DS for my directory that is not
present on my AD. Do you think I have to add this schema to AD, or is
the synchronization done only on AD required attributes?
No. The schema that winsync uses is hard coded in 389 - you cannot
extend it or change it - it should work with AD, no changes to AD should
be required.
Or, is it a cert file problem on my AD?
Or ...?
Any idea would be appreciated
Regards-
2011/1/25 Rich Megginson <rmeggins(a)redhat.com>
On 01/25/2011 01:29 AM, remy d1 wrote:
> Hi Rich,
>
> I tried to raise the log level, but when I did it, I was not able
> to stop/restart my dirsrv service.
What log level did you use? What error messages did you see when
you attempted to stop/restart the service? Anything in the errors
log?
> To stop it, I must kill the process and remove the pid file. Then
> I could start it.
>
> In my error logs, there is a lot of information:
>
>
> [root@KingKong ~]# tail /var/log/dirsrv/slapd-KingKong/errors
> [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
> program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
> program - _cl5GetDBFile: no DB object found for database
> /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
> program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
> program - _cl5GetDBFile: no DB object found for database
> /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
> program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog
> program - _cl5GetDBFile: no DB object found for database
> /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog
> program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog
> program - _cl5GetDBFile: no DB object found for database
> /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog
> program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog
> program - cl5ExportLDIF: failed to locate changelog file for
> replica at (dc=mydomain,dc=com)
>
>
> This problem is very similar to this post:
> http://www.redhat.com/archives/fedora-directory-commits/2009-March/msg000...
> Although I have the latest version of 389-DS.
Are you sure this is the correct post you wanted to refer to?
Because this is a patch commit for a fix when moving the changelog
directory - did you move the changelog directory? Because you did
not mention it in your earlier post.
>
> I think I also have some trouble with my hostname because
> bind is not configured. However, I have chosen to put it in my
> /etc/hosts file
> [root@KingKong ~]# nl /etc/host.conf
> 1 multi on
> 2 order hosts,bind
> The hostname command replies with the full "fqdn" if I choose the
> option --all-fqdn, contrary to the option "--fqdn", whose reply is
> just my hostname without the domain. By the way, if I say
> #hostname KingKong.mydomain.com
> everything is now good for my hostname, but I cannot launch my
> 389-console. I think the address to connect to is not ok... I do not
> know if this problem is linked to the previous problems...
>
> So, I do #hostname KingKong
> Then, I launch the console again. Now, if I try to initiate a
> full synchronization, I can see (and I am still stuck on it) the
> window "please wait while data is being synchronized...", but
> nothing else... Data are not synchronized and I do not see
> anything in my Windows event viewer while replica agreement seems
> to be ok and PassSync service is installed...
It is very difficult to change your hostname after you have
configured the admin server and console. I suggest starting over
from scratch, and first make sure your hostname is correct.
I also suggest using
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-singl...
to configure Windows Sync.
>
>
> Thanks for help,
>
> -Regards
>
> 2011/1/21 Rich Megginson <rmeggins(a)redhat.com>
>
>> Date:
>> Fri, 21 Jan 2011 10:25:56 +0100
>> To:
>> "General discussion list for the 389 Directory server
>> project." <389-users(a)lists.fedoraproject.org>
>>
>>
>> Hi Rich,
>>
>> Thanks for this useful link.
>>
>> I have successfully initiated the replica between Windows AD and
>> my server 389-DS. Ldapsearch is working. But even if
>> everything seems to be ok, the update does not work and I do
>> not see any error in the log files... So, my AD server stays
>> empty, the accounts are not migrated...
>>
>> Here you have my access log file, which is more verbose...
>> (mydomain.com for the example):
> <snip>
>> Obviously I am connecting to the server 389-DS itself,
>> whereas it can resolve the DNS name of my Windows server...
>> There is no error in the AD event viewer, while I could see
>> errors on it when it was misconfigured (like DirSync
>> errors)... So, basically, the Windows server is contacted by
>> my DS-Server over 2 different networks.
>>
>> Do you think I have to open the ports described in my message?
>>
>> -Regards.
> I don't know. There is no winsync information in the access
> log. Note that the access log records client accesses to the
> directory server, and in winsync, the directory server itself
> acts as a client to AD, so winsync will log nothing in the
> access log. The errors log could be helpful, and especially
> using the replication log level (which is also used for
> winsync logging). The Windows Event Viewer is useless for
> winsync issues.
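As an added example that is not part of the thread: a small Python checker that parses 389-DS errors-log lines in the format quoted above and flags the changelog-database failures (cl5GetOperationCount, _cl5GetDBFile, cl5ExportLDIF) that keep winsync stuck, reporting which replica DN and changelog file they name. Its sample input is the thread's own log lines with the wrapping removed plus one constructed non-replication line; the set of function names and the "stuck" rule are the checker's own assumptions.

```python
import re
from collections import Counter

# 389-DS errors-log line: "[dd/Mon/yyyy:HH:MM:SS +zzzz] <plugin> - <message>"; the
# plugin name is absent on core-server lines such as "[...] - slapd started."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<plugin>\S+)\s+)?-\s+(?P<msg>.*)$")
FUNC_RE = re.compile(r"-\s+(_?cl5\w+):")

# Changelog functions whose failures appear in the thread (assumed set; extend as needed)
CHANGELOG_FAILURES = {
    "cl5GetOperationCount": "no DB object for replica",
    "_cl5GetDBFile": "changelog DB file missing",
    "cl5ExportLDIF": "changelog file not found for replica",
}

# Sample input: lines quoted in the thread with their wrapping removed, plus one
# constructed non-replication line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog program - cl5ExportLDIF: failed to locate changelog file for replica at (dc=mydomain,dc=com)
[24/Jan/2011:16:25:00 +0100] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

def parse_line(line):
    """Split one errors-log line into timestamp, plugin, changelog function and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fm = FUNC_RE.search(m.group("msg"))
    return {"ts": m.group("ts"), "plugin": m.group("plugin"),
            "func": fm.group(1) if fm else None, "msg": m.group("msg")}

def changelog_failures(log_text):
    """Count failing changelog functions and collect the replica DNs / DB files they name."""
    counts, replicas, db_files = Counter(), set(), set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["plugin"] != "NSMMReplicationPlugin" or rec["func"] not in CHANGELOG_FAILURES:
            continue
        counts[rec["func"]] += 1
        replicas.update(re.findall(r"replica at \(([^)]+)\)", rec["msg"]))
        db_files.update(re.findall(r"database (\S+\.db4)", rec["msg"]))
    return counts, replicas, db_files

def winsync_stuck(counts):
    """Thread symptom: changelog DB lookups keep failing and the export cannot find the file."""
    return counts["_cl5GetDBFile"] > 0 and counts["cl5ExportLDIF"] > 0
```

Run `changelog_failures(open("/var/log/dirsrv/slapd-<instance>/errors").read())` against a real instance to get the same counts, DNs and file paths for its log.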