Mark,
Already did that twice hehehehe
Do you think that's about config once all attributes except password
are sync'ed to AD? If it's about config, the log does not suppose to
show something?
389 -> AD (all attributes except password)
AD -> 389 (everthing works, including password)
Tried almost everything over here, without success.
There's another way to trace it? replication log does not shows me
anything related to it.
Replication logging is the only option on the DS side.
Can you share your replication agreement from dse.ldif? From what I saw
from the command line you set everything correctly, but maybe it didn't
write it correctly to the entry. You have to use LDAPS for passwords to
sync to AD, and you specified that, but lets confirm what is actually in
the agreement.
Thanks,
Mark
Thanks
On Wed, Jan 29, 2020 at 12:35 PM Mark Reynolds <mreynolds(a)redhat.com
<mailto:mreynolds@redhat.com>> wrote:
Alberto,
Sorry I'm not sure what is wrong. Please review the documentation
and make sure you have everything setup correctly:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
HTH,
Mark
On 1/29/20 10:22 AM, Alberto Viana wrote:
> Hi Guys,
>
> My messages to list are being moderated (no sure why), trying again
>
> William,
>
> Right, so if you change a password on AD, does it properly change
> the password to 389?
>
> Yes.
>
> And are you using a "ldapmodify userpassword" or "ldappasswd"
to
> change the password? What's the exact command you run against 389
> to change the password?
>
> Tried 3 different ways:
> 1. ldapmodify
> 2. An application that we have here (password selfservice)
> 3. Apache directory studio
>
> The password is always updated locally in 389 but never sent to AD.
>
> And it's seems that not even trying, I'm tracking on event
> viewer. Another thing that when I used to change the password,
> the passync always intercepts the change and tries to send
> back the (same) password and it's not happening.
>
> Please let me know if you anything else.
>
>
> On Tue, Jan 28, 2020 at 9:40 PM Alberto Viana
> <albertocrj(a)gmail.com <mailto:albertocrj@gmail.com>> wrote:
>
> William,
>
> Right, so if you change a password on AD, does it properly
> change the password to 389?
>
> Yes.
>
> And are you using a "ldapmodify userpassword" or
"ldappasswd"
> to change the password? What's the exact command you run
> against 389 to change the password?
>
> Tried 3 different ways:
> 1. ldapmodify
> 2. An application that we have here (password selfservice)
> 3. Apache directory studio
>
> The password is always updated locally in 389 but never sent
> to AD.
>
> And it's seems that not even trying, I'm tracking on event
> viewer. Another thing that when I used to change the
> password, the passync always intercepts the change and tries
> to send back the (same) password and it's not happening.
>
> Please let me know if you anything else.
>
> Thanks
>
>
>
> On Tue, Jan 28, 2020 at 9:31 PM William Brown <wbrown(a)suse.de
> <mailto:wbrown@suse.de>> wrote:
>
>
>
> > On 29 Jan 2020, at 10:15, Alberto Viana
> <albertocrj(a)gmail.com <mailto:albertocrj@gmail.com>> wrote:
> >
> > William,
> >
> > Sorry, my bad, it's not working
> >
> >
> > The problem is the password is never sent to AD and
> it's just about password, any other replicated attribute
> that I modify sends the modification to AD normally.
>
>
> Right, so if you change a password on AD, does it
> properly change the password to 389?
>
> And are you using a "ldapmodify userpassword" or
> "ldappasswd" to change the password? What's the exact
> command you run against 389 to change the password?
>
> >
> > When you say "I think that perhaps we need to exclude
> objectClass=* from notes=U."
>
> No, this is something for the team and I to do, not you :)
>
> >
> > Where should I do that? Do you need further information?
> >
> >
> > Thanks
> >
> > Alberto Viana
> >
> >
> > On Tue, Jan 28, 2020 at 9:09 PM William Brown
> <wbrown(a)suse.de <mailto:wbrown@suse.de>> wrote:
> >
> >
> > > On 29 Jan 2020, at 10:01, Alberto Viana
> <albertocrj(a)gmail.com <mailto:albertocrj@gmail.com>> wrote:
> > >
> > > WIlliam,
> > >
> > > Thanks, I put in my company's roadmap to think about
> pay for support,
> >
> > Great!
> >
> > > I found the problem, it's about aci (the user manager
> replication permission)
> >
> > Can you please describe the problem and solution more?
> That way I and others can learn from what you just solved
> :) It will help many others. Thank you!
> >
> > >
> > > After add permission to read the userpassword field,
> starts to works.
> > >
> > > Again, Thanks!!!
> > >
> > >
> > >
> > > On Tue, Jan 28, 2020 at 8:58 PM William Brown
> <wbrown(a)suse.de <mailto:wbrown@suse.de>> wrote:
> > >
> > >
> > > > On 29 Jan 2020, at 09:24, Alberto Viana
> <albertocrj(a)gmail.com <mailto:albertocrj@gmail.com>> wrote:
> > > >
> > > > Hey Guys,
> > > >
> > > > Really lost here, don't know what else look or
> test, it's not working at all :/
> > >
> > > Hey there,
> > >
> > > Remember, the team is distributed around the world -
> I'm Australian for example, so sometimes mailing list
> questions can take 24 hours. Sometimes personal things go
> wrong. It's just the annoying nature, that we will
> potentially take time to respond :(
> > >
> > > If you do want an SLA, and it's super important to
> have things fixed, do consider convincing your business
> to take a SUSE (SLE) or Red Hat (RHDS) contract, as there
> are support teams that can assist, and there are going to
> be better response times rather than just us developers :)
> > >
> > > >
> > > > Any help is appreciated
> > > >
> > > > Thanks
> > > >
> > > > On Tue, Jan 28, 2020 at 3:48 PM Alberto Viana
> <albertocrj(a)gmail.com <mailto:albertocrj@gmail.com>> wrote:
> > > > Hi Guys,
> > > > 389-Directory/1.4.3.2 <
http://1.4.3.2>
> > > >
> > > >
> > > > The password sync from 389 to windows(2012) is not
> working:
> > >
> > > One of these days I really need to setup winsync at
> home to really learn more about it ...
> > >
> > > >
> > > > # dsconf RNP repl-winsync-agmt create
> --suffix=dc=rnp,dc=local --host=gti-df-dc01 --port=636
> --conn-protocol=LDAPS --bind-dn="CN=my_win_account"
> --bind-passwd=password --win-subtree=dc=my,dc=domain
> --ds-subtree=dc=my,dc=domain --win-domain=RNP
> --sync-users=on --sync-groups=on --init AD-DF-DC01
> > > >
> > > >
> > > > Double checked everything including the user
> permissions on windows AD side , also checked the windows
> log and passync log, could not found anything related (at
> least the 389 trying to update my user's password or any
> error)
> > > >
> > > > From windows to 389 works fine.
> > > >
> > > > Attaching the log (in replication debug mode)
> > >
> > > Looking at the log I can see changes happening.
> > >
> > >
> > > This error seems surprising, but shouldn't really
> cause a problem.
> > >
> > > [28/Jan/2020:15:14:05.423481115 -0300] - ERR -
> log_result - Internal unindexed search: source
> (cn=Multimaster Replication Plugin,cn=plugins,cn=config)
> search base="dc=my,dc=domain"
>
filter="(&(|(objectclass=*)(objectclass=ldapsubentry))(nsUniqueid=0c57800e-050011e8-b998ed08-97c36f4f))"
> etime=0.000798288 nentries=1 notes=U details="Partially
> Unindexed Filter
> > >
> > > I think that perhaps we need to exclude objectClass=*
> from notes=U.
> > >
> > >
> > > Anyway, you say it's "not working". I'm going
to ask
> you to describe what "not working means". Did you change
> a group on AD and the changes aren't appearing in 389? Or
> the other way? Can you be more specific about what's not
> working?
> > >
> > > Thanks,
> > >
> > > >
> > > > Don't know what else to look
> > > >
> > > > Thanks.
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > 389-users mailing list --
> 389-users(a)lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> > > > To unsubscribe send an email to
> 389-users-leave(a)lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> > > > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> > >
> > > —
> > > Sincerely,
> > >
> > > William Brown
> > >
> > > Senior Software Engineer, 389 Directory Server
> > > SUSE Labs
> > > _______________________________________________
> > > 389-users mailing list --
> 389-users(a)lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> > > To unsubscribe send an email to
> 389-users-leave(a)lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> > > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> > > _______________________________________________
> > > 389-users mailing list --
> 389-users(a)lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> > > To unsubscribe send an email to
> 389-users-leave(a)lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> > > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> >
> > —
> > Sincerely,
> >
> > William Brown
> >
> > Senior Software Engineer, 389 Directory Server
> > SUSE Labs
> > _______________________________________________
> > 389-users mailing list --
> 389-users(a)lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> > To unsubscribe send an email to
> 389-users-leave(a)lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> > _______________________________________________
> > 389-users mailing list --
> 389-users(a)lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> > To unsubscribe send an email to
> 389-users-leave(a)lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
> _______________________________________________
> 389-users mailing list --
> 389-users(a)lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> To unsubscribe send an email to
> 389-users-leave(a)lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>
>
> _______________________________________________
> 389-users mailing list --389-users(a)lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
> To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org
<mailto:389-users-leave@lists.fedoraproject.org>
> Fedora Code of
Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List
Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines
> List
Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe...
--
389 Directory Server Development Team