Re: [389-users] Windows Sync Agreement Help

2011-06-03 Thread Carsten Grzemba


- Original Message -
From: Rich Megginson 
Date: Wednesday, June 1, 2011, 18:05
Subject: Re: [389-users] Windows Sync Agreement Help
To: Albert Teh 
Cc: "General discussion list for the 389 Directory server project." 
<389-users@lists.fedoraproject.org>

> 
On 06/01/2011 09:21 AM, Albert Teh wrote:


The user: mailadm should have a full privilege from
  the AD because we are using this user for SUN's IDSYNC
  synchronizing/passwdsyc from the AD to the SUN's DS which is our
  current LDAP environment. We are trying to change SUN's Directory
  server to the Linux's 389-Directory server.


No, it's not true in general. Sun's Idsync needs only a normal user if you sync 
only from AD to DS. The user for Sun's Idsync needs additional privileges only 
to see the 'deleted objects' container, for syncing object deletions. It does 
not use the DirSync LDAP control, for which you need the Replication/Replicator 
rights.

Regards, Carsten



> 
Ok.  I don't know how Sun's IDSYNC works - it is possible it doesn't
use the DirSync control which requires Replicator privileges.  Can
you confirm that
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" has
Replication/Replicator rights in AD/Windows?


  > 
> 
   
> 
  "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
  has Replication/Replicator rights in AD/Windows?

  > 
> 
  Thanks.
> 
  Albert

  > 

> On Wed, Jun 1, 2011 at 10:12 AM, Rich Megginson wrote:


  

  >  On 05/31/2011 06:30 PM, Albert Teh wrote:


  > 

> On Tue, May 31, 2011 at 2:58 PM, Rich Megginson wrote:


  
>  On 05/31/2011 12:49 PM, Albert Teh wrote:

> Hi Rich,

  > 

  >  Sorry, What I understand doing the
OneWay Sync from the AD to the DS 

> 
> 
Users in the Active Directory domain are
synced if it is configured in the sync
agreement by selecting the Sync
New Windows Users option. All
of the Windows users are copied to the
Directory Server when synchronization is
initiated and then new users are synced over
when they are created. 

> 
> 
I do not need to do any AD to DS Group Sync

> 
> 
and I am not doing any DS sync to the AD.

  
> 
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
-s base -b "" "objectclass=*"

> 
> 
You should get the contents of the AD

> 
> 
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
-s sub -b "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
"objectclass=person"

> 
> 
you should get the list of users

  

> 

  > 
> 
  Thanks.
> 
  Al

  > 

> On Tue, May 31, 2011 at 1:40 PM, Rich Megginson wrote:


  
>  On 05/31/2011 10:30 AM, Albert
  Teh wrote:
  
> 
HI Rich,

> 
> 
[root@algldap ~]#
/usr/lib/mozldap/ldapsearch -x
-

Re: [389-users] Windows Sync Agreement Help

2011-06-01 Thread Carsten Grzemba


- Original Message -
From: Albert Teh 
Date: Wednesday, June 1, 2011, 2:30
Subject: Re: [389-users] Windows Sync Agreement Help
To: Rich Megginson 
Cc: "General discussion list for the 389 Directory server project." 
<389-users@lists.fedoraproject.org>

> 
> 
> On Tue, May 31, 2011 at 2:58 PM, Rich Megginson  wrote:




  

  
  > 
On 05/31/2011 12:49 PM, Albert Teh wrote:
> Hi Rich,

  > 
> 
  Sorry, What I understand doing the OneWay Sync from the AD to the
  DS 

  > 
> 
  Users in the Active Directory domain are synced if it is
  configured in the sync agreement by selecting the Sync New Windows Users
  option. All of the Windows users are copied to the Directory
  Server when synchronization is initiated and then new users are
  synced over when they are created. 

  > 
> 
  I do not need to do any AD to DS Group Sync

  > 
> 
  and I am not doing any DS sync to the AD.

> 
/usr/lib/mozldap/ldapsearch -x -h 
wodcstage-1.ottawa.ad.algonquincollege.com -w
- -D
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s
base -b "" "objectclass=*"

> 
> 
You should get the contents of the AD

This is a good test, but take notice that winsync uses the DirSync LDAP 
control, which requires additional privileges on AD. This can be tested with a 
Python script of Rich's:

https://github.com/richm/scripts/blob/master/dirsyncctrl.py 

which needs Python and the LDAP lib for Python.

Regards Carsten


> 
> 
/usr/lib/mozldap/ldapsearch -x -h
wodcstage-1.ottawa.ad.algonquincollege.com -w - -D
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s
sub -b "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
"objectclass=person"

> 
> 
you should get the list of users

> 

  > 
> 
  Thanks.
> 
  Al

  > 

> On Tue, May 31, 2011 at 1:40 PM, Rich Megginson wrote:


  
>  On 05/31/2011 10:30 AM, Albert Teh wrote:
  
> 
HI Rich,

> 
> 
[root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -w - -D
cn="Directory Manager" -b
"ou=People,dc=algonquincollege,dc=com"
"(|(objectclass=ntuser)(objectclass=ntgroup))"
> 
Enter bind password:
> 
[root@algldap ~]#

> 
> 
No Entry found !!!.

  
> 
You have to tell directory server which entries you want to
sync.
> 
See 
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync

  

> 
  Thanks.
> 
  Albert

  > 

> On Tue, May 31, 2011 at 11:42 AM, Rich Megginson wrote:


  
>  On 05/30/2011 08:32 AM, Albert Teh wrote:

> Hi Rich,

  > 

  >  I followed the Guide and still got the
same result. Checked with  the AD
administrator, the AD's user: mailadm has a
full privilege.

  
> 
/usr/bin/ldapsearch -x -w - -D cn="Directory
Manager" -b
"ou=People,dc=algonquincollege,dc=com"
"(|(objectclass=ntuser)(objectclass=ntgroup))"

> 
> 
How many entries match that search?

  

> 
> 
  Thanks.
> 
  Albert
> 
      
> 
  Here is the Windows Sync Agreement info:

  > 
> 
  [root@algldap slapd-algldap]#
  /usr/lib/mozldap/ldapsearch -w - -D
  cn="Directory Manager" -b cn=config
  cn=ADSync
> 
  Enter bind password:
> 
  version: 1
> 
  dn:
  
cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping

Re: [389-users] Windows Sync Agreement Help

2011-05-31 Thread Albert Teh
On Tue, May 31, 2011 at 2:58 PM, Rich Megginson  wrote:

>  On 05/31/2011 12:49 PM, Albert Teh wrote:
>
> Hi Rich,
>
> Sorry, What I understand doing the OneWay Sync from the AD to the DS
>
> Users in the Active Directory domain are synced if it is configured in the
> sync agreement by selecting the *Sync New Windows Users* option. All of
> the Windows users are copied to the Directory Server when synchronization is
> initiated and then new users are synced over when they are created.
>
> I do not need to do any AD to DS Group Sync
>
> and I am not doing any DS sync to the AD.
>
> /usr/lib/mozldap/ldapsearch -x -h
> wodcstage-1.ottawa.ad.algonquincollege.com -w - -D
> "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s base -b
> "" "objectclass=*"
>
> You should get the contents of the AD
>
> /usr/lib/mozldap/ldapsearch -x -h
> wodcstage-1.ottawa.ad.algonquincollege.com -w - -D
> "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s sub -b
> "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" "objectclass=person"
>
> you should get the list of users
>
>
>
> Thanks.
> Al
>
> On Tue, May 31, 2011 at 1:40 PM, Rich Megginson wrote:
>
>>  On 05/31/2011 10:30 AM, Albert Teh wrote:
>>
>>
>> HI Rich,
>>
>> [root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -w - -D cn="Directory
>> Manager" -b "ou=People,dc=algonquincollege,dc=com"
>> "(|(objectclass=ntuser)(objectclass=ntgroup))"
>> Enter bind password:
>> [root@algldap ~]#
>>
>> No Entry found !!!.
>>
>>  You have to tell directory server which entries you want to sync.
>> See
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>>
>>
>> Thanks.
>> Albert
>>
>> On Tue, May 31, 2011 at 11:42 AM, Rich Megginson wrote:
>>
>>>  On 05/30/2011 08:32 AM, Albert Teh wrote:
>>>
>>> Hi Rich,
>>>
>>>  I followed the Guide and still got the same result. Checked with  the AD
>>> administrator, the AD's user: mailadm has a full privilege.
>>>
>>> /usr/bin/ldapsearch -x -w - -D cn="Directory Manager" -b
>>> "ou=People,dc=algonquincollege,dc=com"
>>> "(|(objectclass=ntuser)(objectclass=ntgroup))"
>>>
>>> How many entries match that search?
>>>
>>>
>>> Thanks.
>>> Albert
>>>
>>> Here is the Windows Sync Agreement info:
>>>
>>> [root@algldap slapd-algldap]# /usr/lib/mozldap/ldapsearch -w - -D
>>> cn="Directory Manager" -b cn=config cn=ADSync
>>> Enter bind password:
>>> version: 1
>>> dn: cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,cn=config
>>> objectClass: top
>>> objectClass: nsDSWindowsReplicationAgreement
>>> description: AD Sync Agreement
>>> cn: ADSync
>>> nsds7WindowsReplicaSubtree: cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
>>> nsds7DirectoryReplicaSubtree: ou=People, dc=algonquincollege,dc=com
>>> nsds7NewWinUserSyncEnabled: on
>>> nsds7NewWinGroupSyncEnabled: on
>>> nsds7WindowsDomain: ottawa.ad.algonquincollege.com
>>> nsDS5ReplicaRoot: dc=algonquincollege,dc=com
>>> nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaBindDN: cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
>>> nsDS5ReplicaBindMethod: SIMPLE
>>> nsDS5ReplicaCredentials: {DES}U68ooQM3C15xjJ/taDmy0A==
>>> nsds5replicareapactive: 0
>>> nsds5replicaLastUpdateStart: 20110530141648Z
>>> nsds5replicaLastUpdateEnd: 20110530141648Z
>>> nsds5replicaChangesSentSinceStartup:
>>> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 20110530140648Z
>>> nsds5replicaLastInitEnd: 20110530140648Z
>>> nsds5replicaLastInitStatus: 0 Total update succeeded
>>> [root@algldap slapd-algldap]#
>>>
>>>
>>>
>>> On Fri, May 27, 2011 at 10:57 AM, Rich Megginson wrote:
>>>
  On 05/27/2011 04:22 AM, Albert Teh wrote:

 Hi Rich,

 I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync set as
 fromWindows in the multimaster replication plugin. I still got the same
 result with no user created in the DS subtree.

  Have you read
 http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync


 Errors log:

 [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning total
 update of replica "agmt="cn=ADSync" (wodcstage-1:389)".
 [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished total
 update of replica "agmt="cn=ADSync" (wodcstage-1:389)". Sent 0 entries.


 Access log:

 [27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH
 base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
 tree,cn=config" scope=0
 filter="(|(objectClass=*)(objectClass=ldapsubentry))"
 attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
 nsds5replicaChangesSentSinceS

Re: [389-users] Windows Sync Agreement Help

2011-05-31 Thread Rich Megginson

On 05/30/2011 08:32 AM, Albert Teh wrote:

Hi Rich,

I followed the Guide and still got the same result. Checked with  the 
AD administrator, the AD's user: mailadm has a full privilege.
/usr/bin/ldapsearch -x -w - -D cn="Directory Manager" -b 
"ou=People,dc=algonquincollege,dc=com" 
"(|(objectclass=ntuser)(objectclass=ntgroup))"


How many entries match that search?


Thanks.
Albert

Here is the Windows Sync Agreement info:

[root@algldap slapd-algldap]# /usr/lib/mozldap/ldapsearch -w - -D 
cn="Directory Manager" -b cn=config cn=ADSync

Enter bind password:
version: 1
dn: cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
description: AD Sync Agreement
cn: ADSync
nsds7WindowsReplicaSubtree: cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
nsds7DirectoryReplicaSubtree: ou=People, dc=algonquincollege,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ottawa.ad.algonquincollege.com
nsDS5ReplicaRoot: dc=algonquincollege,dc=com
nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}U68ooQM3C15xjJ/taDmy0A==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110530141648Z
nsds5replicaLastUpdateEnd: 20110530141648Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20110530140648Z
nsds5replicaLastInitEnd: 20110530140648Z
nsds5replicaLastInitStatus: 0 Total update succeeded
[root@algldap slapd-algldap]#



On Fri, May 27, 2011 at 10:57 AM, Rich Megginson wrote:


On 05/27/2011 04:22 AM, Albert Teh wrote:

Hi Rich,

I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync
set as fromWindows in the multimaster replication plugin. I still
got the same result with no user created in the DS subtree.

Have you read

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync




Errors log:

[27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning
total update of replica "agmt="cn=ADSync" (wodcstage-1:389)".
[27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished
total update of replica "agmt="cn=ADSync" (wodcstage-1:389)".
Sent 0 entries.


Access log:

[27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH
base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
tree,cn=config" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
nsds5replicaUpdateInProgress nsds5replicaLastInitStart
nsds5replicaLastInitEnd nsds5replicaLastInitStatus
nsds5BeginReplicaRefresh"
[27/May/2011:06:18:29 -0400] conn=1 op=114 RESULT err=0 tag=101
nentries=1 etime=

Thanks for your help.

Albert



On Thu, May 26, 2011 at 11:13 AM, Rich Megginson wrote:

On 05/26/2011 08:58 AM, Albert Teh wrote:

Hi,

We are setting up a new CENTOS-DS version 8.1.0. and CENTOS
5.5 and attempt to synchronize with the existing 2003
Windows AD server.
Performing  the full sync completed. There is no user
created in the DS subtree.

We would like to perform one way Sync:  AD > DS. Once it
works, we will set up the password Sync from the AD to DS.

One way sync isn't supported with 8.1.0.  I suggest using
389-ds-base 1.2.8.3 from EPEL5 which does support one way
sync.
http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync


AD:   cn=Users,cn=location,dc=ad,dc=domain,dc=com
DS:   ou=Peoples,dc=domain,dc=com

errors log:


[26/May/2011:10:20:34 -0400] NSMMReplicationPlugin -
Beginning total update of replica "agmt="cn=ADsync"
(wodcstage-1:389)".
[26/May/2011:10:20:34 -0400] NSMMReplicationPlugin -
Finished total update of replica "agmt="cn=ADsync"
(wodcstage-1:389)". Sent 0 entries.

access log:

[26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH
base="cn=ADsync, cn=replica, cn=\22dc=algonquincollege,
dc=com\22, cn=mapping tree, cn=config" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
nsds5replicaChangesSentSinceStartup
nsds5replicaLastUpdateStatus nsds5replicaUpdateInProg

Re: [389-users] Windows Sync Agreement Help

2011-05-30 Thread Albert Teh
Hi Rich,

I followed the Guide and still got the same result. Checked with  the AD
administrator, the AD's user: mailadm has a full privilege.

Thanks.
Albert

Here is the Windows Sync Agreement info:

[root@algldap slapd-algldap]# /usr/lib/mozldap/ldapsearch -w - -D
cn="Directory Manager" -b cn=config cn=ADSync
Enter bind password:
version: 1
dn: cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
description: AD Sync Agreement
cn: ADSync
nsds7WindowsReplicaSubtree: cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
nsds7DirectoryReplicaSubtree: ou=People, dc=algonquincollege,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ottawa.ad.algonquincollege.com
nsDS5ReplicaRoot: dc=algonquincollege,dc=com
nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}U68ooQM3C15xjJ/taDmy0A==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110530141648Z
nsds5replicaLastUpdateEnd: 20110530141648Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20110530140648Z
nsds5replicaLastInitEnd: 20110530140648Z
nsds5replicaLastInitStatus: 0 Total update succeeded
[root@algldap slapd-algldap]#



On Fri, May 27, 2011 at 10:57 AM, Rich Megginson wrote:

>  On 05/27/2011 04:22 AM, Albert Teh wrote:
>
> Hi Rich,
>
> I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync set as
> fromWindows in the multimaster replication plugin. I still got the same
> result with no user created in the DS subtree.
>
> Have you read
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
>
> Errors log:
>
> [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning total update
> of replica "agmt="cn=ADSync" (wodcstage-1:389)".
> [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished total update
> of replica "agmt="cn=ADSync" (wodcstage-1:389)". Sent 0 entries.
>
>
> Access log:
>
> [27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH
> base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
> tree,cn=config" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
> [27/May/2011:06:18:29 -0400] conn=1 op=114 RESULT err=0 tag=101 nentries=1
> etime=
>
> Thanks for your help.
>
> Albert
>
>
>
> On Thu, May 26, 2011 at 11:13 AM, Rich Megginson wrote:
>
>>  On 05/26/2011 08:58 AM, Albert Teh wrote:
>>
>> Hi,
>>
>> We are setting up a new CENTOS-DS version 8.1.0. and CENTOS 5.5 and
>> attempt to synchronize with the existing 2003 Windows AD server.
>> Performing  the full sync completed. There is no user created in the DS
>> subtree.
>>
>> We would like to perform one way Sync:  AD > DS. Once it works, we
>> will set up the password Sync from the AD to DS.
>>
>>  One way sync isn't supported with 8.1.0.  I suggest using 389-ds-base
>> 1.2.8.3 from EPEL5 which does support one way sync.
>> http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
>>
>>
>> AD:   cn=Users,cn=location,dc=ad,dc=domain,dc=com
>> DS:   ou=Peoples,dc=domain,dc=com
>>
>> errors log:
>>
>>
>> [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Beginning total
>> update of replica "agmt="cn=ADsync" (wodcstage-1:389)".
>> [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Finished total update
>> of replica "agmt="cn=ADsync" (wodcstage-1:389)". Sent 0 entries.
>>
>> access log:
>>
>> [26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH base="cn=ADsync,
>> cn=replica, cn=\22dc=algonquincollege, dc=com\22, cn=mapping tree,
>> cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
>> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
>> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
>> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
>> [26/May/2011:10:20:37 -0400] conn=11 op=819 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>>
>> Thanks.
>> Albert
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>
>
>
> --
> Albert Teh
> Email: teh.alb...@gmail.com
>
>
>


-- 
Albert Teh
Email: teh.alb...@gmail.com
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/3

Re: [389-users] Windows Sync Agreement Help

2011-05-27 Thread Carsten Grzemba
There could be different reasons:
- do an ldapsearch -D cn=Directory\ Manager -b cn=config cn=ADSync and check the 
  output to make sure the replica base subtrees are correct in both worlds.
  Any descendant container entries (OUs) need to be created separately in the 
  Directory by an administrator; Windows Sync does not create container entries.
- check with the ldapsearch command that the sync user can bind to AD
- check the permissions of the sync user in AD; it should be a domain 
  administrator, even if you want to sync only from AD to DS.

Regards Carsten

- Original Message -
From: Albert Teh 
Date: Friday, May 27, 2011, 12:22
Subject: Re: [389-users] Windows Sync Agreement Help
To: Rich Megginson 
Cc: "General discussion list for the 389 Directory server project." 
<389-users@lists.fedoraproject.org>

> Hi Rich,
> 
> I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added 
> onewaysync set as fromWindows in the multimaster replication 
> plugin. I still got the same result with no user created in the 
> DS subtree.
> 
> Errors log:
> 
> 
> [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning 
> total update of replica "agmt="cn=ADSync" 
> (wodcstage-1:389)".
> [27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished 
> total update of replica "agmt="cn=ADSync" 
> (wodcstage-1:389)". Sent 0 entries.
> 
> 
> 
> Access log:
> 
> [27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH 
> base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping 
> tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd 
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus 
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart 
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
> 
> [27/May/2011:06:18:29 -0400] conn=1 op=114 RESULT err=0 tag=101 
> nentries=1 etime=
> 
> Thanks for your help.
> 
> Albert
> 
> 
> 
> On Thu, May 26, 2011 at 11:13 AM, Rich Megginson  wrote:
> 
> On 05/26/2011 08:58 AM, Albert Teh wrote:
> Hi,
> 
> We are setting up a new CENTOS-DS version 8.1.0. and CENTOS 5.5
> and attempt to synchronize with the existing 2003 Windows AD
> server.
> Performing  the full sync completed. There is no user created in
> the DS subtree.
> 
> We would like to perform one way Sync:  AD > DS. Once it
> works, we will set up the password Sync from the AD to DS.
> 
> One way sync isn't supported with 8.1.0.  I suggest using
> 389-ds-base 1.2.8.3 from EPEL5 which does support one way sync.
> http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
> 
> AD:   cn=Users,cn=location,dc=ad,dc=domain,dc=com
> DS:   ou=Peoples,dc=domain,dc=com
> 
> errors log:
> 
> [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Beginning
> total update of replica "agmt="cn=ADsync" (wodcstage-1:389)".
> [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Finished
> total update of replica "agmt="cn=ADsync" (wodcstage-1:389)". Sent
> 0 entries.
> 
> access log:
> 
> [26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH base="cn=ADsync,
> cn=replica, cn=\22dc=algonquincollege, dc=com\22, cn=mapping tree,
> cn=config" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus
> nsds5BeginReplicaRefresh"
> [26/May/2011:10:20:37 -0400] conn=11 op=819 RESULT err=0 tag=101
> nentries=1 etime=0
> 
> Thanks.
> Albert
> 
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> 
>  
> 
> 
> 
> -- 
> Albert Teh
> Email: teh.alb...@gmail.com
> 
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
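
The first check in Carsten's list (are the subtrees in the agreement consistent on both sides?) can be scripted against the ldapsearch output, LDIF line folds included. This is an added example, not code from the thread or from the 389 DS project: the sample LDIF uses constructed example.com names and a placeholder credential, the finding names are this example's own, and the transport check relies on the nsDS5ReplicaTransportInfo agreement attribute, which does not appear in the thread.

```python
import base64

# Constructed sample (example.com names, placeholder credential) in the same
# shape as the ldapsearch output in this thread, LDIF line folds included.
SAMPLE_LDIF = """\
version: 1
dn: cn=ADSync,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,c
 n=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad,dc=example,dc=co
 m
nsds7DirectoryReplicaSubtree: ou=People, dc=example,dc=com
nsds7WindowsDomain: ad.example.com
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: dc1.ad.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=syncuser,cn=Users,dc=ad,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}PLACEHOLDER
nsds5replicaLastInitStatus: 0 Total update succeeded
"""


def parse_ldif_entry(text):
    """Unfold LDIF continuation lines and return {attr_lower: [values]}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # a fold: one leading space
        elif line.strip():
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def norm_dn(dn):
    """Lower-case and drop spaces around commas.
    Simplification: assumes no escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base):
    """True if dn equals base or sits below it; an empty base never matches."""
    dn, base = norm_dn(dn), norm_dn(base)
    return bool(base) and (dn == base or dn.endswith("," + base))


def audit_agreement(entry):
    """Return findings (names are this example's own) for one agreement."""
    def get(attr):
        return (entry.get(attr.lower()) or [""])[0]

    findings = []
    # Heuristic: the AD naming context follows from the DNS domain name.
    domain_dn = ",".join("dc=" + p for p in get("nsds7WindowsDomain").split(".") if p)
    if not is_under(get("nsds7WindowsReplicaSubtree"), domain_dn):
        findings.append("windows-subtree-outside-domain")
    if not is_under(get("nsds7DirectoryReplicaSubtree"), get("nsDS5ReplicaRoot")):
        findings.append("ds-subtree-outside-replica-root")
    if not is_under(get("nsDS5ReplicaBindDN"), domain_dn):
        findings.append("bind-dn-outside-domain")
    # SIMPLE bind with no TLS/SSL transport puts the sync password on the wire.
    transport = get("nsDS5ReplicaTransportInfo").upper()
    if get("nsDS5ReplicaBindMethod").upper() == "SIMPLE" and transport in ("", "LDAP"):
        findings.append("cleartext-simple-bind")
    return findings


if __name__ == "__main__":
    for finding in audit_agreement(parse_ldif_entry(SAMPLE_LDIF)):
        print("FINDING:", finding)
```

A clean result here only says the agreement is internally consistent; whether the bind DN can actually bind and what rights it holds in AD are the second and third checks in the list and need the live server.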

Re: [389-users] Windows Sync Agreement Help

2011-05-27 Thread Albert Teh
Hi Rich,

I reinstalled 389-ds-base 1.2.8.3 from EPEL5 and added onewaysync set as
fromWindows in the multimaster replication plugin. I still got the same
result with no user created in the DS subtree.

Errors log:

[27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Beginning total update
of replica "agmt="cn=ADSync" (wodcstage-1:389)".
[27/May/2011:06:18:26 -0400] NSMMReplicationPlugin - Finished total update
of replica "agmt="cn=ADSync" (wodcstage-1:389)". Sent 0 entries.


Access log:

[27/May/2011:06:18:29 -0400] conn=1 op=114 SRCH
base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
tree,cn=config" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
nsds5replicaUpdateInProgress nsds5replicaLastInitStart
nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[27/May/2011:06:18:29 -0400] conn=1 op=114 RESULT err=0 tag=101 nentries=1
etime=

Thanks for your help.

Albert



On Thu, May 26, 2011 at 11:13 AM, Rich Megginson wrote:

>  On 05/26/2011 08:58 AM, Albert Teh wrote:
>
> Hi,
>
> We are setting up a new CENTOS-DS version 8.1.0. and CENTOS 5.5 and attempt
> to synchronize with the existing 2003 Windows AD server.
> Performing  the full sync completed. There is no user created in the DS
> subtree.
>
> We would like to perform one way Sync:  AD > DS. Once it works, we will
> set up the password Sync from the AD to DS.
>
> One way sync isn't supported with 8.1.0.  I suggest using 389-ds-base
> 1.2.8.3 from EPEL5 which does support one way sync.
> http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
>
>
> AD:   cn=Users,cn=location,dc=ad,dc=domain,dc=com
> DS:   ou=Peoples,dc=domain,dc=com
>
> errors log:
>
>
> [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Beginning total update
> of replica "agmt="cn=ADsync" (wodcstage-1:389)".
> [26/May/2011:10:20:34 -0400] NSMMReplicationPlugin - Finished total update
> of replica "agmt="cn=ADsync" (wodcstage-1:389)". Sent 0 entries.
>
> access log:
>
> [26/May/2011:10:20:37 -0400] conn=11 op=819 SRCH base="cn=ADsync,
> cn=replica, cn=\22dc=algonquincollege, dc=com\22, cn=mapping tree,
> cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
> [26/May/2011:10:20:37 -0400] conn=11 op=819 RESULT err=0 tag=101 nentries=1
> etime=0
>
>
> Thanks.
> Albert
>
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>


-- 
Albert Teh
Email: teh.alb...@gmail.com