Hi,
We are setting up a new CENTOS-DS version 8.1.0 and CENTOS 5.5 and attempting to synchronize with the existing 2003 Windows AD server. Performing the full sync completed. There is no user created in the DS subtree.
We would like to perform one way Sync: AD ----> DS. Once it works, we will set up the password Sync from the AD to DS.
AD: cn=Users,cn=location,dc=ad,dc=domain,dc=com
DS: ou=Peoples,dc=domain,dc=com
errors log:
[26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ADsync" (wodcstage-1:389)".
[26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ADsync" (wodcstage-1:389)". Sent 0 entries.
access log:
26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH base="cn=ADsync, cn=replica, cn=\22dc=algonquincollege, dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[26/May/2011:10:20:37 -0400] conn=11 op=819 RESULT err=0 tag=101 nentries=1 etime=0
Thanks.
Albert
On 05/26/2011 08:58 AM, Albert Teh wrote:
> Hi,
> We are setting up a new CENTOS-DS version 8.1.0 and CENTOS 5.5 and attempting to synchronize with the existing 2003 Windows AD server. Performing the full sync completed. There is no user created in the DS subtree.
> We would like to perform one way Sync: AD ----> DS. Once it works, we will set up the password Sync from the AD to DS.

One way sync isn't supported with 8.1.0. I suggest using 389-ds-base 1.2.8.3 from EPEL5 which does support one way sync. http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Hi Rich,
I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync set as fromWindows in the multimaster replication plugin. I still got the same result with no user created in the DS subtree.
Errors log:
[27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ADSync" (wodcstage-1:389)".
[27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ADSync" (wodcstage-1:389)". Sent 0 entries.
Access log:
[27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[27/May/2011:06:18:29 -0400] conn=1 op=114 RESULT err=0 tag=101 nentries=1 etime=
Thanks for your help.
Albert
It could have different reasons:
- do a ldapsearch -D cn=Directory\ Manager -b cn=config cn=ADSync and check the output so that replicabase subtrees are correct in both worlds. Any descendant container entries (ou's) need to be created separately in Directory by an administrator; Windows Sync does not create container entries.
- check with ldapsearch command that the Sync User can bind on AD
- check the permissions of the sync user in AD, it should be a domain administrator, also if you want to sync only from AD to DS.

Regards
Carsten
On 05/27/2011 04:22 AM, Albert Teh wrote:
> Hi Rich,
> I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync set as fromWindows in the multimaster replication plugin. I still got the same result with no user created in the DS subtree.

Have you read http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
Hi Rich,
I followed the Guide and still got the same result. Checked with the AD administrator, the AD's user: mailadm has a full privilege.
Thanks. Albert
Here is the Windows Sync Agreement info:
[root@algldap slapd-algldap]# /usr/lib/mozldap/ldapsearch -w - -D cn="Directory Manager" -b cn=config cn=ADSync
Enter bind password:
version: 1
dn: cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,c
 n=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
description: AD Sync Agreement
cn: ADSync
nsds7WindowsReplicaSubtree: cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=co
 m
nsds7DirectoryReplicaSubtree: ou=People, dc=algonquincollege,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ottawa.ad.algonquincollege.com
nsDS5ReplicaRoot: dc=algonquincollege,dc=com
nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc
 =com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}U68ooQM3C15xjJ/taDmy0A==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110530141648Z
nsds5replicaLastUpdateEnd: 20110530141648Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20110530140648Z
nsds5replicaLastInitEnd: 20110530140648Z
nsds5replicaLastInitStatus: 0 Total update succeeded
[root@algldap slapd-algldap]#
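Carsten's first check, run against an agreement entry like the one posted above, as an added example that is not part of the thread and not 389 DS project code. The sample is a trimmed, constructed copy of that output with the credential replaced by a placeholder; the function names are hypothetical, and treating a missing nsDS5ReplicaTransportInfo as plain LDAP is an assumption.

```python
import base64
import re

# Constructed sample: trimmed copy of the posted agreement entry, folded the
# way ldapsearch prints it. The credential value is a placeholder.
SAMPLE_LDIF = r"""dn: cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,c
 n=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ADSync
nsds7WindowsReplicaSubtree: cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=co
 m
nsds7DirectoryReplicaSubtree: ou=People, dc=algonquincollege,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ottawa.ad.algonquincollege.com
nsDS5ReplicaRoot: dc=algonquincollege,dc=com
nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc
 =com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}PLACEHOLDER-NOT-A-REAL-VALUE
nsds5replicaLastInitStatus: 0 Total update succeeded
"""

SECRET_ATTRS = {"nsds5replicacredentials", "userpassword"}
ATTR_LINE = re.compile(r"([A-Za-z][A-Za-z0-9;-]*):(:?)\s*(.*)$")


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def parse_entry(ldif):
    """Parse a single LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in unfold(ldif).splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # shell prompts, "Enter bind password:", blank lines
        name, b64, value = m.groups()
        if b64:  # "attr:: <base64>" form
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry


def norm_dn(dn):
    """Comparison form of a DN; assumes no escaped commas in RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, suffix):
    d, s = norm_dn(dn), norm_dn(suffix)
    return d == s or d.endswith("," + s)


def check_agreement(entry):
    """Return (code, message) findings for a Windows sync agreement entry."""
    def first(attr, default=None):
        return (entry.get(attr.lower()) or [default])[0]

    findings = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "nsdswindowsreplicationagreement" not in classes:
        findings.append(("NOT_WINSYNC", "entry is not a Windows sync agreement"))

    win_sub = first("nsds7WindowsReplicaSubtree")
    ds_sub = first("nsds7DirectoryReplicaSubtree")
    root = first("nsDS5ReplicaRoot")
    if not win_sub or not ds_sub:
        findings.append(("SUBTREE_MISSING", "both replica subtrees must be set"))
    elif root and not is_under(ds_sub, root):
        findings.append(("SUBTREE_OUTSIDE_ROOT", f"{ds_sub} is not under {root}"))

    direction = first("oneWaySync")
    if direction is None:
        findings.append(("ONEWAY_UNSET", "no oneWaySync value: sync runs in both directions"))
    elif direction.lower() not in ("fromwindows", "towindows"):
        findings.append(("ONEWAY_INVALID", f"unexpected oneWaySync value {direction!r}"))

    method = first("nsDS5ReplicaBindMethod", "SIMPLE").upper()
    transport = first("nsDS5ReplicaTransportInfo", "LDAP").upper()  # assumed default
    if method == "SIMPLE" and transport == "LDAP":
        findings.append(("CLEARTEXT_BIND", "simple bind over plain LDAP exposes the sync account password"))
    return findings


def redact(ldif):
    """Mask credential values so the entry can be shared in a support request."""
    out = []
    for line in unfold(ldif).splitlines():
        m = ATTR_LINE.match(line)
        if m and m.group(1).lower() in SECRET_ATTRS:
            line = f"{m.group(1)}: <redacted>"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for code, message in check_agreement(parse_entry(SAMPLE_LDIF)):
        print(code, "-", message)
    print(redact(SAMPLE_LDIF))
```

Piping real `ldapsearch` output through `redact` before posting keeps the stored sync-account credential out of the list archive.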
On 05/30/2011 08:32 AM, Albert Teh wrote:
> Hi Rich,
> I followed the Guide and still got the same result. Checked with the AD administrator, the AD's user: mailadm has a full privilege.

/usr/bin/ldapsearch -x -w - -D cn="Directory Manager" -b "ou=People,dc=algonquincollege,dc=com" "(|(objectclass=ntuser)(objectclass=ntgroup))"

How many entries match that search?
Hi Rich,
[root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -w - -D cn="Directory Manager" -b "ou=People,dc=algonquincollege,dc=com" "(|(objectclass=ntuser)(objectclass=ntgroup))"
Enter bind password:
[root@algldap ~]#
No Entry found !!!.
Thanks. Albert
On 05/31/2011 10:30 AM, Albert Teh wrote:
> Hi Rich,
> [root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -w - -D cn="Directory Manager" -b "ou=People,dc=algonquincollege,dc=com" "(|(objectclass=ntuser)(objectclass=ntgroup))"
> Enter bind password:
> [root@algldap ~]#
> No Entry found !!!.

You have to tell directory server which entries you want to sync. See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/A...