Hi,
I'm having problems with syncing groups from 389 to AD. I wrote about this earlier but have done some more testing since.
Using the latest EPEL6 stable: 389-ds-base-1.2.10.12-1.el6.x86_64 389-ds-1.2.2-1.el6.noarch
AD: 2008 R2 64-bit
========
Group description
# testgroup, People, domain.com
dn: cn=testgroup,ou=People,dc=domain,dc=com
ntGroupCreateNewGroup: on
description: testroup
objectClass: top
objectClass: groupofuniquenames
objectClass: ntgroup
uniqueMember: uid=user1,ou=People,dc=domain,dc=com
ntUserDomainId: testgroup
===========
Replication log snippet follows:
NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): windows_replay_update: Processing add operation local dn="cn=testgroup,ou=People,dc=domain,dc=com" remote dn="cn=testgroup,cn=Users,dc=domain,dc=com"
NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): process_replay_add: dn="cn=testgroup,cn=Users,dc=domain,dc=com" (not present,add not allowed) =============
Group sync works correctly when I initiate a manual full resync. This means the AD sync user must have the proper permissions.
Bottom line, incremental group sync doesn't work. Only clue is that log message "not present,add not allowed". Any ideas or some known bug?
-Mr. Vesa Alho
On 02/28/2013 04:05 AM, Vesa Alho wrote:
Hi,
I'm having problems with syncing groups from 389 to AD. I wrote about this earlier but have done some more testing since.
Using the latest EPEL6 stable: 389-ds-base-1.2.10.12-1.el6.x86_64 389-ds-1.2.2-1.el6.noarch
AD: 2008 R2 64-bit
========
Group description
# testgroup, People, domain.com
dn: cn=testgroup,ou=People,dc=domain,dc=com
ntGroupCreateNewGroup: on
The value should be TRUE
Looks like we have a doc bug. https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
12.4.4.1. Configuring Group Sync in the Console The Console UI section says to use a value of "on". This is wrong.
12.4.4.2. Configuring Group Sync in the Command Line This says to use a value of "true". This will work, although it should be "TRUE".
And the command line docs should use - in the LDIF to separate each mod.
Please file a bug.
description: testroup
objectClass: top
objectClass: groupofuniquenames
objectClass: ntgroup
uniqueMember: uid=user1,ou=People,dc=domain,dc=com
ntUserDomainId: testgroup
===========
Replication log snippet follows:
NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): windows_replay_update: Processing add operation local dn="cn=testgroup,ou=People,dc=domain,dc=com" remote dn="cn=testgroup,cn=Users,dc=domain,dc=com"
NSMMReplicationPlugin - agmt="cn=adtestsync" (adtest:636): process_replay_add: dn="cn=testgroup,cn=Users,dc=domain,dc=com" (not present,add not allowed)
"add not allowed" - this means one or more of the following: *
=============
Group sync works correctly when I initiate a manual full resync. This means the AD sync user must have the proper permissions.
Bottom line, incremental group sync doesn't work. Only clue is that log message "not present,add not allowed". Any ideas or some known bug?
-Mr. Vesa Alho
389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
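As an added example of the command-line form the reply above describes (this LDIF is not from the thread or from the Red Hat documentation): each modification is terminated by a line containing only "-", and the Boolean is written as TRUE. The DN and attribute values are the ones posted in the thread; the ldapmodify invocation in the comment assumes a server on localhost and a Directory Manager bind, both placeholders.

```ldif
# Run with, for example:
#   ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f testgroup.ldif
#
# Record 1: enable Windows Sync on a plain groupOfUniqueNames entry.
# Every mod ends with a line containing only "-", including the last one.
dn: cn=testgroup,ou=People,dc=domain,dc=com
changetype: modify
add: objectClass
objectClass: ntgroup
-
add: ntUserDomainId
ntUserDomainId: testgroup
-
add: ntGroupCreateNewGroup
ntGroupCreateNewGroup: TRUE
-

# Record 2 (use this instead of record 1 when the entry is already an ntgroup
# but carries a wrong value such as "on"): replace the value rather than
# adding a second one.
dn: cn=testgroup,ou=People,dc=domain,dc=com
changetype: modify
replace: ntGroupCreateNewGroup
ntGroupCreateNewGroup: TRUE
-
```

Without the "-" separators ldapmodify reads the three mods as one malformed change, which is the documentation problem the reply points at; without the ntgroup objectClass and ntUserDomainId the sync plugin has nothing to map the entry to on the AD side.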
The value should be TRUE
Looks like we have a doc bug. https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
12.4.4.1. Configuring Group Sync in the Console The Console UI section says to use a value of "on". This is wrong.
12.4.4.2. Configuring Group Sync in the Command Line This says to use a value of "true". This will work, although it should be "TRUE".
And the command line docs should use - in the LDIF to separate each mod.
Please file a bug.
Aaah, that did the trick! I had tried the value "true" in lowercase, but not in capitals. Thanks for helping out! Keep up the great work with 389ds.
BTW, can you fix the error in documentation or should I report it somewhere?
-Mr. Vesa Alho
On 02/28/2013 10:36 AM, Vesa Alho wrote:
The value should be TRUE
Looks like we have a doc bug. https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
12.4.4.1. Configuring Group Sync in the Console The Console UI section says to use a value of "on". This is wrong.
12.4.4.2. Configuring Group Sync in the Command Line This says to use a value of "true". This will work, although it should be "TRUE".
And the command line docs should use - in the LDIF to separate each mod.
Please file a bug.
Aaah, that did the trick! I had tried the value "true" in lowercase,
"true" should work too. The code does a case-insensitive comparison.
but not in capitals. Thanks for helping out! Keep up the great work with 389ds.
BTW, can you fix the error in documentation or should I report it somewhere?
Please file a ticket at https://fedorahosted.org/389/newticket - if you don't see a category that seems appropriate, just use Directory Server.
-Mr. Vesa Alho
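The two replies above settle what a synced group entry has to look like: objectClass ntgroup, an ntUserDomainId, and an ntGroupCreateNewGroup that is an LDAP Boolean (TRUE, or true, since the comparison is case-insensitive; "on" is not accepted). The following pre-flight lint is an added example, not code from the 389-ds project or from anyone in the thread: it parses an LDIF export and reports ntgroup entries that would not sync for those reasons. The parser, the lint rules and the sample LDIF (built from the entry posted in the thread plus a corrected copy) are all constructed here; the only assumption is that the attribute takes a Boolean compared case-insensitively, which is what the reply states.

```python
"""Pre-flight lint for 389-ds ntgroup entries before enabling Windows Sync.

Added example; not 389-ds project code.  Reads LDIF text, finds entries with
objectClass ntgroup and reports the two problems discussed in the thread:
a non-Boolean ntGroupCreateNewGroup value (such as "on") and a missing
ntUserDomainId.
"""
import base64
from typing import Dict, List

# Assumption, as stated in the reply: the attribute is an LDAP Boolean and the
# server compares it case-insensitively, so TRUE/true/FALSE/false all parse.
BOOLEAN_VALUES = {"true", "false"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF entry parser: comments, folded lines and base64 (::) values.

    Attribute names are lower-cased; each maps to its list of values.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:                   # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                            # not an attribute line; ignore
        if value.startswith(":"):               # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def lint_ntgroup(entry: Dict[str, List[str]]) -> List[str]:
    """Return the problems that would keep this entry from syncing as a group."""
    problems: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "ntgroup" not in classes:
        return problems                         # not a sync candidate
    dn = entry.get("dn", ["?"])[0]
    if "ntuserdomainid" not in entry:
        problems.append(f"{dn}: missing ntUserDomainId")
    for value in entry.get("ntgroupcreatenewgroup", []):
        if value.lower() not in BOOLEAN_VALUES:
            problems.append(
                f"{dn}: ntGroupCreateNewGroup={value!r} is not an LDAP Boolean "
                f"(use TRUE or FALSE)"
            )
    return problems


def lint_ldif(text: str) -> List[str]:
    """Lint every entry in an LDIF export and return all problems found."""
    return [p for entry in parse_ldif(text) for p in lint_ntgroup(entry)]


# Constructed sample: the entry from the thread (value "on") and a corrected copy.
SAMPLE_LDIF = """\
# testgroup, People, domain.com
dn: cn=testgroup,ou=People,dc=domain,dc=com
ntGroupCreateNewGroup: on
description: testgroup
objectClass: top
objectClass: groupofuniquenames
objectClass: ntgroup
uniqueMember: uid=user1,ou=People,dc=domain,dc=com
ntUserDomainId: testgroup

dn: cn=testgroup2,ou=People,dc=domain,dc=com
ntGroupCreateNewGroup: TRUE
objectClass: top
objectClass: groupofuniquenames
objectClass: ntgroup
uniqueMember: uid=user1,ou=People,dc=domain,dc=com
ntUserDomainId: testgroup2
"""

if __name__ == "__main__":
    for problem in lint_ldif(SAMPLE_LDIF):
        print(problem)
```

Run it against `ldapsearch -LLL ... '(objectClass=ntgroup)'` output (the -LLL form is plain LDIF) before turning on an agreement; the "on" entry from the thread is reported and the TRUE entry passes.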