I'm still trying to get my evaluation copy of Red Hat Directory Server 7.1SP3 to sync with Windows Active Directory. The latest hitch is an error message following an initial re-synchronization attempt. The Directory Server has a few hundred users imported from a Windows NT domain. The Active Directory server has none of those users, so the initial re-sync should add them to AD. The error occurs when Windows Sync tries to add the first user entry to the Active Directory. The message is:
Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people,o=ourorg.com
Followed by:
(ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation
I would appreciate any insight. Hoping to see if this actually works before the 30-day evaluation runs out. Thanks. -Glenn.
Glenn wrote:
I'm still trying to get my evaluation copy of Red Hat Directory Server 7.1SP3 to sync with Windows Active Directory. The latest hitch is an error message following an initial re-synchronization attempt. The Directory Server has a few hundred users imported from a Windows NT domain. The Active Directory server has none of those users, so the initial re-sync should add them to AD. The error occurs when Windows Sync tries to add the first user entry to the Active Directory. The message is:
Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people,o=ourorg.com
Followed by:
(ADserver:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation
Error 21 is #define LDAP_INVALID_SYNTAX 0x15 /* 21 */
So AD thinks one of the attributes sent over has an invalid value that doesn't correspond to the syntax it is expecting, or something like that. It might be helpful if you post the LDIF of the entry it has problems with, being careful to obscure any private data.
I would appreciate any insight. Hoping to see if this actually works before the 30-day evaluation runs out. Thanks. -Glenn.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Posting the log entries near the error, including what appears to be the ldif. Thanks. -G.
[28/Nov/2006:10:37:08 -0600] - Windows sync entry: Created new remote entry:
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: user
userprincipalname: jdoe@ad.example.com
samaccountname: jdoe
mail: jdoe@example.com
userparameters:
description: Reference Librarian
sn: Doe
telephoneNumber: 817-555-1234
codepage:: AAAAAA==
cn: John Doe
userworkstations:
title: Electronic Reference Librarian
homeDirectory:
profilepath:
givenName: John
facsimileTelephoneNumber: 817-555-2345
scriptpath: nt_script.bat
[28/Nov/2006:10:37:08 -0600] - Attempting to add entry cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com to AD for local entry uid=jdoe,ou=people, o=ourorg.org
[28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): Received result code 21 (00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece) for add operation
[28/Nov/2006:10:37:08 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (boccherini:636): windows_replay_update: Cannot replay add operation.
---------- Original Message ----------- From: Richard Megginson rmeggins@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Sent: Tue, 28 Nov 2006 10:09:32 -0700 Subject: Re: [Fedora-directory-users] Windows Sync Error
Glenn wrote:
Posting the log entries near the error, including what appears to be the ldif. Thanks. -G.
It's hard to tell without knowing which attribute it is complaining about. But I would guess that, since this data has been migrated from NT4, some of the attributes have changed syntax, and MS AD does not like the old values, or perhaps doesn't like the empty values.
I wasn't thinking when I said the directory server data was imported from NT. It actually came from a Netscape Directory server. Just as a test, I exported a few users to an ldif file and tried to use the ldifde on the W2003 domain controller to import them. It seems to find a syntax error on every line in the file, making it impossible to narrow it down.
I can't possibly be the only person who has run into this problem. Hoping someone can shed some light. Thanks. -Glenn.
---------- Original Message ----------- From: Richard Megginson rmeggins@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Sent: Tue, 28 Nov 2006 10:46:52 -0700 Subject: Re: [Fedora-directory-users] Windows Sync Error
Glenn wrote:
I wasn't thinking when I said the directory server data was imported from NT. It actually came from a Netscape Directory server. Just as a test, I exported a few users to an ldif file and tried to use the ldifde on the W2003 domain controller to import them. It seems to find a syntax error on every line in the file, making it impossible to narrow it down.
Do you have any trailing white space in those values?
I can't possibly be the only person who has run into this problem. Hoping someone can shed some light. Thanks. -Glenn.
Glenn wrote:
I wasn't thinking when I said the directory server data was imported from NT. It actually came from a Netscape Directory server. Just as a test, I exported a few users to an ldif file and tried to use the ldifde on the W2003 domain controller to import them. It seems to find a syntax error on every line in the file, making it impossible to narrow it down.
I can't possibly be the only person who has run into this problem. Hoping someone can shed some light. Thanks. -Glenn.
We ran into this problem while developing the code. Unfortunately AD is brain-damaged when it comes to diagnosing why it objected to a particular operation. There seems to be no way to get it to log some decent diagnostic information, and it does not provide an adequate error message over the wire.
In debugging these problems I first added the code that you have seen that dumps out the complete entry to the log. Then I pasted the entry into an ldapmodify command to reproduce the problem outside the server. Finally I edited the LDIF to trim off likely looking attributes until AD quit complaining. At that point I knew which one it was barfing over.
I would begin by removing all the NT domain related attributes from a test entry and see if it adds ok. Then add them back one by one to see which is causing the problem.
David, Richard - Thanks for the pointers. I took the ldif created by Windows Sync for one user and stripped it completely, then added lines from the original until it would import into Active Directory. I was not able to make ldapmodify connect to the AD server, so I continued to use ldifde on the AD server itself. I made a few import rules from this experience:
- LDAP attributes cannot be blank. In the example below, I had to remove the entries for userparameters, userworkstations, homeDirectory and profilepath for the file to import.
- I had to remove the codepage entry. I don't know whether AD objects to the attribute, the data, and/or the extra colon.
- My directory includes the domain name and a colon in samaccountname. I don't know whether to blame this on the ldif export from Netscape Directory or the import to DS 7.1, but AD does not allow colons in this data. Also, the domain name should not be included, because this attribute is mapped to "pre-W2000 logon name" in Active Directory, which does not include the domain name.
- The userprincipalname attribute has the same problem.
The Windows Sync documentation indicates that Windows Sync will populate an Active Directory, but I find this difficult to believe given the limitations noted above. I admit that I haven't tried working with the schema. I'm thinking it might be faster to export an ldif from the Directory Server, clean it up with a word processor, and import it into AD using the Microsoft ldifde tool.
But will synchronization work any better than initialization, given the differences that will exist between data in the two directories? Should I remove all the entries from the Directory Server after cleaning up the ldif, and import that into the Directory Server as well as the AD? -Glenn.
Example:
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: user
userprincipalname: TWU:jdoe@ad.example.com
samaccountname: TWU:jdoe
mail: jdoe@example.com
userparameters:
description: Reference Librarian
sn: Doe
telephoneNumber: 817-555-1234
codepage:: AAAAAA==
cn: John Doe
userworkstations:
title: Electronic Reference Librarian
homeDirectory:
profilepath:
givenName: John
facsimileTelephoneNumber: 817-555-2345
scriptpath: nt_script.bat
---------- Original Message ----------- From: David Boreham david_list@boreham.org To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Sent: Tue, 28 Nov 2006 17:57:56 -0700 Subject: Re: [Fedora-directory-users] Windows Sync Error
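Glenn's strip-and-add-back isolation and his import rules above, as an added example that is not part of the thread or of Directory Server: it parses the dumped entry, applies the rules (drop empty values, drop codepage, strip the "DOMAIN:" prefix from samaccountname and userprincipalname), and adds attributes back one at a time against a caller-supplied add callback. The mock_ad_accepts stand-in, the constructed sample entry and the attribute sets are assumptions made for the example.

```python
"""Editor-added example (not the thread's or Directory Server's code): apply the
import rules Glenn found to a Windows Sync entry dump, and isolate rejected
attributes the way he did, by adding them back one at a time."""
import re
from typing import Callable, Dict, List, Tuple

Attr = Tuple[str, str, bool]  # (name, value or base64 text, written with '::')
# Constructed sample based on the log dump, with the "TWU:" prefix Glenn saw.
SAMPLE_LDIF = """\
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: user
userprincipalname: TWU:jdoe@ad.example.com
samaccountname: TWU:jdoe
mail: jdoe@example.com
userparameters:
cn: John Doe
codepage:: AAAAAA==
userworkstations:
homeDirectory:
profilepath:
scriptpath: nt_script.bat
"""
LOGON_NAME_ATTRS = {"samaccountname", "userprincipalname"}  # no "DOMAIN:" in AD
DROP_ATTRS = {"codepage"}           # base64 attribute that AD rejected
DOMAIN_PREFIX = re.compile(r"^[A-Za-z0-9_.-]+:")  # "TWU:jdoe" -> "jdoe"
CORE_ATTRS = {"dn", "objectclass"}  # the minimal entry Glenn started from

def parse_ldif_entry(text: str) -> List[Attr]:
    """Parse one LDIF entry; 'attr:: xxx' values are kept as base64 text."""
    attrs: List[Attr] = []
    for raw in text.splitlines():
        if raw.strip():
            name, _, value = raw.partition(":")
            is_b64 = value.startswith(":")
            attrs.append((name.strip(), value.lstrip(":").strip(), is_b64))
    return attrs

def clean_entry(attrs: List[Attr]) -> Tuple[List[Attr], Dict[str, str]]:
    """Apply Glenn's rules; return (kept attributes, {dropped name: reason})."""
    kept, dropped = [], {}
    for name, value, is_b64 in attrs:
        key = name.lower()
        if value == "":
            dropped[name] = "empty value"
        elif key in DROP_ATTRS:
            dropped[name] = "attribute rejected by AD"
        elif key in LOGON_NAME_ATTRS:
            kept.append((name, DOMAIN_PREFIX.sub("", value), is_b64))
        else:
            kept.append((name, value, is_b64))
    return kept, dropped

def isolate_rejected(attrs: List[Attr],
                     try_add: Callable[[List[Attr]], bool]) -> List[str]:
    """Start from dn + objectClass, add the other attributes back one at a
    time, and return the names whose addition made try_add reject."""
    accepted = [a for a in attrs if a[0].lower() in CORE_ATTRS]
    rejected = []
    for attr in (a for a in attrs if a[0].lower() not in CORE_ATTRS):
        if try_add(accepted + [attr]):
            accepted.append(attr)
        else:
            rejected.append(attr[0])
    return rejected

def mock_ad_accepts(attrs: List[Attr]) -> bool:
    """Constructed stand-in for the real add; rejects the three thread conditions."""
    return not any(v == "" or n.lower() in DROP_ATTRS
                   or (n.lower() in LOGON_NAME_ATTRS and ":" in v)
                   for n, v, _ in attrs)
```

Against a real domain controller, try_add would wrap an ldapmodify or ldifde run and return whether the add succeeded.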
Glenn wrote:
The Windows Sync documentation indicates that Windows Sync will populate an Active Directory, but I find this difficult to believe given the limitations noted above.
Erum, it will, provided you don't feed it bad data.
I admit that I haven't tried working with the schema. I'm thinking it might be faster to export an ldif from the Directory Server, clean it up with a word processor, and import it into AD using the Microsoft ldifde tool.
But will synchronization work any better than initialization, given the differences that will exist between data in the two directories? Should I remove all the entries from the Directory Server after cleaning up the ldif, and import that into the Directory Server as well as the AD? -Glenn.
It depends on what your overall goal is. If you want sync (which implies a long term relationship between AD and FDS) then you should use sync. If all you're looking for is a way to import users into AD then please do not use Windows Sync for that.
Overall the problem you are seeing I suspect is that the FDS Windows Sync feature was _not_ designed to cope with old Netscape DS data (from the Netscape Windows Sync feature). While the two share similar names for attributes and capabilities, they are entirely different and maintaining data compatibility was not a goal for the FDS feature. The old Netscape sync feature was designed to work with NT4 and it turns out that MS made changes to user schema in AD that are not compatible.
It would probably be possible to write a script that would convert data from a Netscape DS, sync'ed from NT, into a form that would be compatible with FDS and AD.