In fact, if I don't set the nsds5replicaupdateschedule attribute, the sync from
389ds to AD keeps trying constantly.
So I have to set this attribute.
For the sync from AD to 389ds, the default is 5 minutes according to the 389ds/RHDS
documents, but nothing happens on my instance, and there is no log. I have to click
"Initiate full Re-synchronization" in the console to sync from AD to 389ds.
Sincerely,
--
DaV
On Mon, Aug 26, 2019, at 06:58, William Brown wrote:
>
>
> > On 23 Aug 2019, at 19:38, DaV <snow...@gmail.com> wrote:
> >
> > Hi all,
> > For OneWaySync, AD to 389ds.
> >
> > I have read this guide
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/using_windows_sync-modifying_the_sync_agreement
> >
> >> Synchronization works two ways. The Directory Server sends its updates to
> >> Active Directory on a configurable schedule, similar to replication, using
> >> the nsds5replicaupdateschedule attribute. The Directory Server polls the
> >> Active Directory to check for changes; the frequency that it checks the
> >> Active Directory server is set in the winSyncInterval attribute.
> >> By default, the Directory Server update schedule is to always be in sync.
> >> The Active Directory interval is to poll the Active Directory every five
> >> minutes.
> >> To change the schedule the Directory Server uses to send its updates to
> >> the Active Directory, edit the nsds5replicaupdateschedule attribute. The
> >> schedule is set with start (SSSS) and end (EEEE) times in the form HHMM,
> >> using a 24-hour clock. The days to schedule sync updates are set using a range
> >> from 0 (Sunday) to 6 (Saturday).
> >
> > I want to know how to disable the nsds5replicaupdateschedule attribute,
> > because I just want to sync from AD to 389ds.
> > Thanks in advance!
>
> If you don't have the replica update schedule set, the replication will
> occur "when needed" aka when changes occur. Does that help?
>
> >
> > Sincerely,
> > --
> > DaV
> >
> > On Fri, Aug 23, 2019, at 08:18, DaV wrote:
> > > Hi William,
> > > Thanks for your reply.
> > >
> > > Sorry for incorrect message yesterday.
> > > My windows sync agreement exactly is:
> > >
> > > agreement1:
> > > >> DS Host: 389ds:389
> > > >> Windows Host: dc01.example.com:389
> > > >> DS Subtree: ou=Users,dc=example,dc=com
> > > >> Windows Subtree: ou=ou1,OU=Accounts, DC=example,DC=com
> > > >> Replicated subtree: dc=example,dc=com
> > >
> > > agreement2:
> > > >> DS Host: 389ds:389
> > > >> Windows Host: dc01.example.com:389
> > > >> DS Subtree: ou=Users,dc=example,dc=com
> > > >> Windows Subtree: ou=ou2,OU=Accounts, DC=example,DC=com
> > > >> Replicated subtree: dc=example,dc=com
> > >
> > >
> > > The Windows AD has two OUs, and I want both OUs synced to the
> > > same OU (ou=users,dc=example,dc=com) on the 389ds server.
> > > Maybe you would say I can create the same two OUs in 389ds first and then
> > > create the sync agreements. But I don't want this, because I want all
> > > accounts under the same OU in 389ds (no sub-OUs).
> > >
> > >
> > > I have another question about this issue.
> > > After the two sync agreements are created, I create a new user on the AD side.
> > > After 5 minutes (the default), nothing happens; the account has not been
> > > synced to 389ds. I must click "Initiate full
> > > Re-synchronization" to sync the account info, and then change the account
> > > password on the AD side manually so that PassSync can sync the
> > > password.
> > >
> > > > My concern is moving an account from ou1 to ou2 and how
> > > > that would work (or break).
> > > Because the destination is the same OU in 389ds, moving an account from ou1
> > > to ou2 on the AD side changes nothing.
> > >
> > >
> > > Another issue is one-way sync:
> > > I want all data to flow from AD to 389ds.
> > > I have configured one-way sync following this link
> > > https://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html
> > > For every sync agreement, I add one line:
> > > oneWaySync: fromWindows
> > >
> > >
> > > The error message /var/log/dirsrv/slapd-INSTANCE/errors like this:
> > > [23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin -
> > > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389):
> > > Replica has no update vector. It has never been initialized.
> > > [23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin -
> > > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389):
> > > Replica has no update vector. It has never been initialized.
> > >
> > > I don't want the sync agreement to be bi-directional. So how do I resolve
> > > this error message?
> > > Thanks in advance!
> > >
> > >
> > > Sincerely,
> > > --
> > > DaV
> > >
> > > On Fri, Aug 23, 2019, at 07:38, William Brown wrote:
> > > >
> > > >
> > > > > On 21 Aug 2019, at 22:10, DaV <snow...@gmail.com> wrote:
> > > > >
> > > > > Hi guys,
> > > > > Just update for this issue.
> > > > >
> > > > > Finally, I created multiple Windows sync agreements, one for each OU, to
> > > > > sync the user accounts,
> > > > > like this:
> > > > >
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=ou1,ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > > >
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=ou2,ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > > > So the user account sync is done.
> > > > >
> > > > > For password sync, I now can't sync users' passwords with an
> > > > > "Initiate full Re-synchronization". I must reset all users one by one
> > > > > on the AD server to sync the passwords. This is not convenient.
> > > > >
> > > > > Do you have any advice?
> > > > >
> > > >
> > > > I think Mark is the person who knows the most about this. I agree your
> > > > solution isn't really optimal here so I totally get you wanting to
> > > > improve this. My concern is moving an account from ou1 to ou2 and how
> > > > that would work (or break).
> > > >
> > > > >
> > > > > This is the log info:
> > > > >> [21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin
> > > > >> - windows sync - windows_tot_run - Beginning total update of replica
> > > > >> "agmt="cn=chuxun" (tc-dc-2:389)".
> > > > >> [21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin
> > > > >> - windows sync - windows_process_total_add - agmt="cn=chuxun"
> > > > >> (tc-dc-2:389) - Cannot replay add operation.
> > > > >> [21/Aug/2019:08:56:58.575112136 +0800] - ERR - NSMMReplicationPlugin
> > > > >> - windows sync - bind_and_check_pwp - agmt="cn=chuxun"
> > > > >> (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> > > > >> [21/Aug/2019:08:56:58.577280706 +0800] - WARN -
> > > > >> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >> agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has
> > > > >> never been initialized.
> > > > >> [21/Aug/2019:08:56:58.579569199 +0800] - WARN -
> > > > >> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >> agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has
> > > > >> never been initialized.
> > > > >> [21/Aug/2019:08:56:59.581808252 +0800] - WARN -
> > > > >> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >> agmt="cn=wangxun" (tc-dc-2:389): Replica has no update vector. It
> > > > >> has never been initialized.
> > > > >
> > > > > Sincerely,
> > > > > --
> > > > > DaV
> > > > >
> > > > > On Tue, Aug 20, 2019, at 09:28, DaV wrote:
> > > > >> Hi all,
> > > > >> I'm using a new 389 Directory Server on CentOS 7.6 with
> > > > >> 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync users and
> > > > >> passwords from Windows 2016 to 389ds one way.
> > > > >> The synchronization agreement looks like this:
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > > >>
> > > > >> Here is my question:
> > > > >> The sync agreement can only sync the top-level OU=Accounts, DC=example,
> > > > >> DC=com from Win2016 to the 389ds server.
> > > > >> In fact, I have
> > > > >> ou=ou1,ou=accounts,dc=example,dc=com
> > > > >> ou=ou2,ou=accounts,dc=example,dc=com
> > > > >> on the Win2016 server.
> > > > >> I want the sync agreement to sync not only the top-level OU but also
> > > > >> the child OUs.
> > > > >>
> > > > >> This is the error log for your reference. Thanks!
> > > > >>> [20/Aug/2019:07:58:40.307031692 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning
> > > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> > > > >>> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon -
> > > > >>> slapd started. Listening on All Interfaces port 389 for LDAP
> > > > >>> requests
> > > > >>> [20/Aug/2019:08:34:21.730939271 +0800] - WARN -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
> > > > >>> never been initialized.
> > > > >>> [20/Aug/2019:08:34:21.733526550 +0800] - WARN -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
> > > > >>> never been initialized.
> > > > >>> [20/Aug/2019:08:34:24.735819391 +0800] - WARN -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
> > > > >>> never been initialized.
> > > > >>> [20/Aug/2019:08:34:27.738228528 +0800] - WARN -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run -
> > > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has
> > > > >>> never been initialized.
> > > > >>> [20/Aug/2019:08:34:30.873896680 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning
> > > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> > > > >>> [20/Aug/2019:08:34:33.170822223 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Finished
> > > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5
> > > > >>> entries.
> > > > >>> [20/Aug/2019:08:34:33.186359842 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - bind_and_check_pwp -
> > > > >>> agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth
> > > > >>> resumed
> > > > >>> [20/Aug/2019:08:47:30.032935119 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning
> > > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> > > > >>> [20/Aug/2019:08:47:31.035850854 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Finished
> > > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5
> > > > >>> entries.
> > > > >>> [20/Aug/2019:08:47:31.051614890 +0800] - ERR -
> > > > >>> NSMMReplicationPlugin - windows sync - bind_and_check_pwp -
> > > > >>> agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth
> > > > >>> resumed
> > > > >>> [20/Aug/2019:08:50:59.533268105 +0800] - WARN -
> > > > >>> NSMMReplicationPlugin - prot_stop - Incremental protocol for
> > > > >>> replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> > > > >>> [20/Aug/2019:09:01:00.155477769 +0800] - WARN -
> > > > >>> NSMMReplicationPlugin - prot_stop - Total protocol for replica
> > > > >>> "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> > > > >>
> > > > >>
> > > > >> Sincerely,
> > > > >> --
> > > > >> DaV
> > > > >>
> > > > >
> > > >
> > > > —
> > > > Sincerely,
> > > >
> > > > William Brown
> > > >
> > > > Senior Software Engineer, 389 Directory Server
> > > > SUSE Labs
> > > >
> > >
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>
>
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
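The thread turns on three things: the nsds5replicaupdateschedule syntax quoted from the RHDS docs, the oneWaySync/winSyncInterval attributes on the agreement, and reading the "Replica has no update vector" and "total update" lines in the errors log. Below is an added example (not code from 389-ds, Red Hat, or anyone in the thread) that validates a schedule value, renders the ldapmodify LDIF for a one-way fromWindows agreement, and triages errors-log lines per agreement. It assumes the documented schedule syntax ("SSSS EEEE" as HHMM times followed by day digits 0-6), that winSyncInterval is in seconds with a default of 300, and the log line layout shown above; the function names, the agreement DN in the usage call and the sample log (the thread's wrapped lines re-joined one per line) are all constructed for the example.

```python
"""Checks for a 389-ds Windows sync agreement and its errors log.

Added example for this thread; not code from 389-ds or from anyone posting
here.  Assumes the nsds5replicaupdateschedule syntax from the RHDS docs
quoted in the thread ("SSSS EEEE" as HHMM, then day digits 0-6), the
winSyncInterval attribute (seconds, default 300) and the errors-log line
layout shown in the thread.  Function names and the agreement DN are hypothetical.
"""
import re
from collections import defaultdict

_SCHED_RE = re.compile(r"^(\d{4}) (\d{4}) ([0-6]+)$")
_LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<lvl>\w+) - NSMMReplicationPlugin - (?P<msg>.*)$")
_AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"')


def parse_update_schedule(value):
    """Return (start, end, days) for an nsds5replicaupdateschedule value.

    start/end are minutes after midnight; days is a sorted tuple of 0-6.
    Raises ValueError for anything outside the documented syntax.
    """
    m = _SCHED_RE.match(value.strip())
    if not m:
        raise ValueError("expected 'SSSS EEEE DDDDDDD', got %r" % value)

    def hhmm(s):
        hour, minute = int(s[:2]), int(s[2:])
        if hour > 23 or minute > 59:
            raise ValueError("bad HHMM time %r" % s)
        return hour * 60 + minute

    return hhmm(m.group(1)), hhmm(m.group(2)), tuple(sorted({int(d) for d in m.group(3)}))


def is_valid_schedule(value):
    try:
        parse_update_schedule(value)
        return True
    except ValueError:
        return False


def one_way_agreement_ldif(agmt_dn, schedule=None, poll_seconds=300):
    """Render an ldapmodify LDIF pinning a winsync agreement to AD -> DS only.

    schedule limits when DS may push to AD.  The thread reports that with
    oneWaySync: fromWindows and no schedule the DS -> AD side still retries
    constantly, so a short window is a cheap way to quiet it.
    """
    lines = ["dn: " + agmt_dn, "changetype: modify",
             "replace: oneWaySync", "oneWaySync: fromWindows", "-",
             "replace: winSyncInterval", "winSyncInterval: %d" % poll_seconds]
    if schedule is not None:
        parse_update_schedule(schedule)  # reject a typo before it reaches the server
        lines += ["-", "replace: nsds5replicaupdateschedule",
                  "nsds5replicaupdateschedule: " + schedule]
    return "\n".join(lines) + "\n"


def triage_errors_log(lines):
    """Count, per agreement, the winsync events the thread is asking about."""
    state = defaultdict(lambda: {"no_ruv": 0, "total_begun": 0, "total_finished": 0,
                                 "sent": 0, "simple_bind": 0})
    for line in lines:
        m = _LOG_RE.match(line)
        a = _AGMT_RE.search(m.group("msg")) if m else None
        if not a:
            continue
        s, msg = state[a.group("agmt")], m.group("msg")
        if "Replica has no update vector" in msg:
            s["no_ruv"] += 1            # incremental run against a never-initialised agreement
        elif "Beginning total update" in msg:
            s["total_begun"] += 1       # logged at ERR level but informational
        elif "Finished total update" in msg:
            s["total_finished"] += 1
            sent = re.search(r"Sent (\d+) entries", msg)
            s["sent"] += int(sent.group(1)) if sent else 0
        elif "bind with SIMPLE auth" in msg:
            s["simple_bind"] += 1       # cleartext bind unless the agreement transport is TLS/SSL
    return dict(state)


def needs_total_update(summary):
    """Agreements that only logged 'no update vector' and never finished a total update."""
    return sorted(n for n, s in summary.items() if s["no_ruv"] and not s["total_finished"])


# Constructed sample: the thread's wrapped errors-log lines re-joined onto one line each.
SAMPLE_LOG = """\
[23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
[23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
[20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
[20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
[20/Aug/2019:08:34:33.186359842 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
""".splitlines()

if __name__ == "__main__":
    summary = triage_errors_log(SAMPLE_LOG)
    print(summary, "needs total update:", needs_total_update(summary))
    print(one_way_agreement_ldif('cn=others,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config',
                                 schedule="0000 0001 0"))
```

Run against the sample, the triage reports cn=others with two "no update vector" warnings and no finished total update, which is exactly the state in which only an "Initiate full Re-synchronization" (a total update) gets the agreement going, while cn=389ds finished a total update that sent 5 entries. The simple_bind counter is the check a practitioner should not skip: both agreements in the thread point at dc01.example.com:389 and the log shows a SIMPLE bind, so unless the agreement's nsDS5ReplicaTransportInfo is set to TLS or SSL the sync account's password crosses the network in cleartext on every bind.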