OK.

1. I have Win2016 AD and 389ds 1.3.8.4 on CentOS 7.6.
2. The data flow is from AD to 389ds; I don't want any data from 389ds to AD.
3. The sync interval from 389ds to AD is controlled by nsDS5ReplicaUpdateSchedule. This is why I set it to "1200-1210 4" (actually I want to disable it altogether).
4. The sync interval from AD to 389ds is controlled by winSyncInterval, which is 5 minutes by default. But I can't find any error log on my 389ds server, and the sync doesn't happen.
Sincerely,
--
DaV

On Tue, Aug 27, 2019, at 08:54, William Brown wrote:
>
> > On 27 Aug 2019, at 10:44, DaV <snow...@gmail.com> wrote:
> >
> > Thanks for your reply.
> > This is my configuration on the 389ds server.
> > Please tell me if the attribute "oneWaySync: fromWindows" is correct.
> >
> > Now, the new users in AD can't be synced to 389ds every 5 minutes; I have
> > to click "Initiate full Re-synchronization" manually. I'm stuck for days.
>
> I think they are *not* syncing because your schedule is:
>
> >> nsDS5ReplicaUpdateSchedule: 1200-1210 4
> >> nsDS5ReplicaUpdateSchedule: 1211-1220 4
>
> This translates to "between 12:00 and 12:10 on Thursday" and "between
> 12:11 and 12:20 on Thursday".
>
> I.e. you are syncing for a 10 minute window once a week, rather than
> every five minutes all the time.
>
> You probably want something more like:
>
> nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
>
> if you want to sync all the time.
>
> I think I'm a bit confused about the "bigger picture" of what you are
> trying to achieve here. Can you please describe:
>
> * Your servers (AD, ldap etc)
> * How you want the data to flow
> * When you want the data to flow
>
> Just describe, we don't need to see configs. I think that is really
> going to help us think through answers to your questions.
>
> > Sincerely,
> > --
> > DaV
> >
> > On Tue, Aug 27, 2019, at 02:18, Mark Reynolds wrote:
> >>
> >> On 8/23/19 5:38 AM, DaV wrote:
> >>> Hi all,
> >>> For OneWaySync, AD to 389ds.
> >>>
> >>> I have read this guide
> >>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/using_windows_sync-modifying_the_sync_agreement
> >>>
> >>>> Synchronization works two ways. The Directory Server sends its updates
> >>>> to Active Directory on a configurable schedule, similar to replication,
> >>>> using the nsds5replicaupdateschedule attribute. The Directory Server
> >>>> polls the Active Directory to check for changes; the frequency that it
> >>>> checks the Active Directory server is set in the winSyncInterval
> >>>> attribute.
> >>>> By default, the Directory Server update schedule is to always be in
> >>>> sync. The Active Directory interval is to poll the Active Directory
> >>>> every five minutes.
> >>>> To change the schedule the Directory Server uses to send its updates to
> >>>> the Active Directory, edit the nsds5replicaupdateschedule attribute. The
> >>>> schedule is set with start (SSSS) and end (EEEE) times in the form HHMM,
> >>>> using a 24-hour clock. The days to schedule sync updates are set using
> >>>> numbers ranging from 0 (Sunday) to 6 (Saturday).
> >>>
> >>> I want to know how to disable the nsds5replicaupdateschedule attribute,
> >>> because I just want sync from AD to 389ds.
> >>
> >> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaUpdateSchedule
> >>
> >> You can set it to "0000-0001 0" to disable synchronizing, according to the
> >> link above.
> >>
> >>> Thanks in advance!
> >>>
> >>> Sincerely,
> >>> --
> >>> DaV
> >>>
> >>> On Fri, Aug 23, 2019, at 08:18, DaV wrote:
> >>> > Hi William,
> >>> > Thanks for your reply.
> >>> >
> >>> > Sorry for the incorrect message yesterday.
> >>> > My Windows sync agreements are exactly:
> >>> >
> >>> > agreement1:
> >>> > >> DS Host: 389ds:389
> >>> > >> Windows Host: dc01.example.com:389
> >>> > >> DS Subtree: ou=Users,dc=example,dc=com
> >>> > >> Windows Subtree: ou=ou1,OU=Accounts, DC=example,DC=com
> >>> > >> Replicated subtree: dc=example,dc=com
> >>> >
> >>> > agreement2:
> >>> > >> DS Host: 389ds:389
> >>> > >> Windows Host: dc01.example.com:389
> >>> > >> DS Subtree: ou=Users,dc=example,dc=com
> >>> > >> Windows Subtree: ou=ou2,OU=Accounts, DC=example,DC=com
> >>> > >> Replicated subtree: dc=example,dc=com
> >>> >
> >>> > The Windows AD has two OUs, and I want the two OUs to be synced to the
> >>> > same OU (ou=users,dc=example,dc=com) on the 389ds server.
> >>> > Maybe you would say I can create the same two OUs in 389ds first and then
> >>> > create the sync agreements. But I don't want this, because I want all
> >>> > accounts under the same OU in 389ds (no sub-OU).
> >>> >
> >>> > I have another question about this issue.
> >>> > After the two sync agreements are created, I create a new user on the AD
> >>> > side; after 5 minutes (default), nothing happens, the account hasn't been
> >>> > synced to 389ds correctly. I must click "Initiate full
> >>> > Re-synchronization" to sync the account info, and then change the account
> >>> > password on the AD side manually so that PassSync can sync the
> >>> > password.
> >>> >
> >>> > > My concern is moving an account from ou1 to ou2 and how
> >>> > > that would work (or break).
> >>> > Because the destination is the same OU in 389ds, moving an account from ou1
> >>> > to ou2 on the AD side does nothing.
> >>> >
> >>> > Another issue is:
> >>> > OneWaySync
> >>> > I want all data flow to be AD to 389ds.
> >>> > I have configured OneWaySync following this link
> >>> > https://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html
> >>> > For every sync agreement, I add one line:
> >>> > oneWaySync: fromWindows
> >>> >
> >>> > The error message in /var/log/dirsrv/slapd-INSTANCE/errors is like this:
> >>> > [23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > [23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> >
> >>> > I don't want the sync agreement to be bi-directional. So how do I resolve
> >>> > this error message?
> >>> > Thanks in advance!
> >>> >
> >>> > Sincerely,
> >>> > --
> >>> > DaV
> >>> >
> >>> > On Fri, Aug 23, 2019, at 07:38, William Brown wrote:
> >>> > >
> >>> > > > On 21 Aug 2019, at 22:10, DaV <snow...@gmail.com> wrote:
> >>> > > >
> >>> > > > Hi guys,
> >>> > > > Just an update on this issue.
> >>> > > >
> >>> > > > Finally, I created multiple Windows sync agreements, one for each OU, to sync
> >>> > > > the user accounts, like this:
> >>> > > >
> >>> > > >> DS Host: 389ds:389
> >>> > > >> Windows Host: dc01.example.com:389
> >>> > > >> DS Subtree: ou=ou1,ou=Users,dc=example,dc=com
> >>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> >>> > > >> Replicated subtree: dc=example,dc=com
> >>> > > >
> >>> > > >> DS Host: 389ds:389
> >>> > > >> Windows Host: dc01.example.com:389
> >>> > > >> DS Subtree: ou=ou2,ou=Users,dc=example,dc=com
> >>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> >>> > > >> Replicated subtree: dc=example,dc=com
> >>> > > >
> >>> > > > So the user account sync is done.
> >>> > > >
> >>> > > > For password sync, I now can't sync users' passwords with an
> >>> > > > "Initiate full Re-synchronization". I must reset all users
> >>> > > > one-by-one on the AD server to sync the password. This is not
> >>> > > > convenient.
> >>> > > >
> >>> > > > Do you have any advice?
> >>> > >
> >>> > > I think Mark is the person who knows the most about this. I agree your
> >>> > > solution isn't really optimal here so I totally get you wanting to
> >>> > > improve this. My concern is moving an account from ou1 to ou2 and how
> >>> > > that would work (or break).
> >>> > >
> >>> > > > This is the log info:
> >>> > > >> [21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=chuxun" (tc-dc-2:389)".
> >>> > > >> [21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_process_total_add - agmt="cn=chuxun" (tc-dc-2:389) - Cannot replay add operation.
> >>> > > >> [21/Aug/2019:08:56:58.575112136 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=chuxun" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> >>> > > >> [21/Aug/2019:08:56:58.577280706 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >> [21/Aug/2019:08:56:58.579569199 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >> [21/Aug/2019:08:56:59.581808252 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=wangxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >
> >>> > > > Sincerely,
> >>> > > > --
> >>> > > > DaV
> >>> > > >
> >>> > > > On Tue, Aug 20, 2019, at 09:28, DaV wrote:
> >>> > > >> Hi all,
> >>> > > >> I'm using a new 389 Directory Server on CentOS 7.6 with
> >>> > > >> 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync users and
> >>> > > >> passwords from Windows 2016 to 389ds one way.
> >>> > > >> The Synchronization Agreement is like this:
> >>> > > >> DS Host: 389ds:389
> >>> > > >> Windows Host: dc01.example.com:389
> >>> > > >> DS Subtree: ou=Users,dc=example,dc=com
> >>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> >>> > > >> Replicated subtree: dc=example,dc=com
> >>> > > >>
> >>> > > >> Here is my question:
> >>> > > >> The sync agreement can only sync the top-level OU=Accounts,
> >>> > > >> DC=example, DC=com from Win2016 to the 389ds server.
> >>> > > >> In fact, I have
> >>> > > >> ou=ou1,ou=accounts,dc=example,dc=com
> >>> > > >> ou=ou2,ou=accounts,dc=example,dc=com
> >>> > > >> on the Win2016 server.
> >>> > > >> I want the sync agreement to sync not only the top-level but also
> >>> > > >> the child OUs.
> >>> > > >>
> >>> > > >> This is the error log for your reference. Thanks!
> >>> > > >>> [20/Aug/2019:07:58:40.307031692 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> >>> > > >>> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
> >>> > > >>> [20/Aug/2019:08:34:21.730939271 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >>> [20/Aug/2019:08:34:21.733526550 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >>> [20/Aug/2019:08:34:24.735819391 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >>> [20/Aug/2019:08:34:27.738228528 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> >>> > > >>> [20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> >>> > > >>> [20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
> >>> > > >>> [20/Aug/2019:08:34:33.186359842 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> >>> > > >>> [20/Aug/2019:08:47:30.032935119 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> >>> > > >>> [20/Aug/2019:08:47:31.035850854 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
> >>> > > >>> [20/Aug/2019:08:47:31.051614890 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> >>> > > >>> [20/Aug/2019:08:50:59.533268105 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Incremental protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> >>> > > >>> [20/Aug/2019:09:01:00.155477769 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Total protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> >>> > > >>
> >>> > > >> Sincerely,
> >>> > > >> --
> >>> > > >> DaV
> >>> > > >
> >>> > > > _______________________________________________
> >>> > > > 389-users mailing list -- 389-users@lists.fedoraproject.org
> >>> > > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> >>> > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>> > > > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> >>> > >
> >>> > > —
> >>> > > Sincerely,
> >>> > >
> >>> > > William Brown
> >>> > >
> >>> > > Senior Software Engineer, 389 Directory Server
> >>> > > SUSE Labs
> >>
> >> --
> >> 389 Directory Server Development Team
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
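The schedule syntax William Brown decodes above (HHMM-HHMM on a 24-hour clock, then day digits 0 = Sunday to 6 = Saturday) is easy to misread, which is exactly what stalled this thread. The following is an added example, not code from the thread or from 389ds: it parses nsDS5ReplicaUpdateSchedule values and reports how much of the week they really cover, so a reviewer can tell "1200-1210 4" (ten minutes every Thursday) from "0000-2359 0123456" (always) or Mark's "0000-0001 0" (effectively off). It assumes the end minute is inclusive, so that the documented "0000-2359" covers the whole day.

```python
import re
from dataclasses import dataclass
from datetime import datetime

DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
# Format from the quoted documentation: SSSS-EEEE as HHMM (24-hour clock), then day digits 0-6.
_SCHEDULE_RE = re.compile(r"^(\d{4})-(\d{4})\s+([0-6]{1,7})$")

@dataclass(frozen=True)
class ScheduleWindow:
    start: int        # minutes since midnight, inclusive
    end: int          # minutes since midnight; assumed inclusive so 0000-2359 is a full day
    days: frozenset   # 0 = Sunday ... 6 = Saturday

def _hhmm_to_minutes(hhmm: str) -> int:
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"invalid HHMM time: {hhmm}")
    return hours * 60 + minutes

def parse_schedule(value: str) -> ScheduleWindow:
    """Parse one attribute value such as '1200-1210 4'; malformed values are rejected."""
    match = _SCHEDULE_RE.match(value.strip())
    if not match:
        raise ValueError(f"malformed nsDS5ReplicaUpdateSchedule value: {value!r}")
    start, end = _hhmm_to_minutes(match.group(1)), _hhmm_to_minutes(match.group(2))
    if end < start:
        raise ValueError(f"end before start in {value!r}")
    return ScheduleWindow(start, end, frozenset(int(d) for d in match.group(3)))

def describe(value: str) -> str:
    """Render a value the way it was read in the thread: 'between 12:00 and 12:10 on Thursday'."""
    w = parse_schedule(value)
    days = ", ".join(DAY_NAMES[d] for d in sorted(w.days))
    return f"between {w.start // 60:02d}:{w.start % 60:02d} and {w.end // 60:02d}:{w.end % 60:02d} on {days}"

def is_active(values: list, when: datetime) -> bool:
    """True if the DS-to-AD push is scheduled at 'when' under any of the agreement's values."""
    day = (when.weekday() + 1) % 7          # Python: Monday = 0; 389ds: Sunday = 0
    minute = when.hour * 60 + when.minute
    return any(day in w.days and w.start <= minute <= w.end for w in map(parse_schedule, values))

def minutes_per_week(values: list) -> int:
    """Total scheduled minutes per week; overlapping values are counted once."""
    covered = set()
    for w in map(parse_schedule, values):
        covered.update((d, m) for d in w.days for m in range(w.start, w.end + 1))
    return len(covered)
```

Running `minutes_per_week` over the two values from the thread gives 21 minutes a week, against 10080 for the always-on schedule, which is the gap William points out.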