Password synchronization error

David Boreham wrote:
> Jeff Gamsby wrote:
>
>> Has anyone ever come across this error:
>>
>> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>> (ad:636): Received error [0000216C: AtrErr: DSID-031D0AC0, #1:       
>> 0:0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE), data 
>> 0, Att 9005a (unicodePwd) ] when attempting to modify entry
>> [<GUID=e873f710d5b9394db14c701cf5f11821>]: Please correct the 
>> attribute specified in the error message.  Refer to the Windows 
>> Active Directory docs for more information.
>> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>> (ad:636): windows_replay_update: update password returned 1
>> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>> (ad:636): Consumer failed to replay change (uniqueid
>> 3783a101-1dd211b2-802fd24c-a4ed0000, CSN 4492399a000000010000): 
>> Constraint violation. Skipping.
>>
> The obvious first guess would be that the password fails the AD 
> password policy check.
>
> What happens if you try to change that same user's password to the 
> same value on the AD side? Does it work?
Yes.

I think what is happening is that when the user account's userpassword 
attribute gets imported into FDS, it gets base64 encoded, which the FDS 
understands but AD does not. I have an OpenLDAP server that I am 
migrating from and when I export the database, add some attributes, then 
upload into FDS, some attributes get base64 encoded, including 
userpassword. It happens to some attributes like "cn", so those users 
don't get synced into AD (I guess AD gets confused). If I just retype 
the "cn" attribute, then it gets synced just fine, but I'm not sure what 
to do about userpassword. In my OpenLDAP server the passwords are 
{SSHA}, and I think FDS supports this, I just have to figure out how to 
format that attribute.

I verified this by adding a user via the admin console, and it seems to 
work fine.

I tried the LdapImport perl script, but that didn't work. I also tried 
the other script on the OpenLDAP migration Howto, but that didn't work 
either.

Thanks
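One way to inspect an LDIF export for the base64-encoded values described in the message above, as an added example that is not part of the original post: it unfolds the LDIF, decodes every `attr::` value, reports which RFC 2849 rule (if any) calls for the encoding, and names the storage scheme of `userPassword`. The sample entry, its names and the placeholder digest are constructed.

```python
import base64
import re

# Constructed sample (not from the post): placeholder digest, not a real hash.
PW = "{SSHA}" + "A" * 32
_enc = base64.b64encode(PW.encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
    "uid: jdoe\n"
    "cn:: Sm9obiBEb2Ug\n"  # "John Doe " with a trailing space
    "sn: Doe\n"
    f"userPassword:: {_enc[:20]}\n {_enc[20:]}\n"  # folded line
)

def unfold(text):
    """RFC 2849: a line that starts with one space continues the previous line."""
    return re.sub(r"\r?\n ", "", text).splitlines()

def why_base64(value):
    """Return the RFC 2849 rules that call for base64 on this value."""
    reasons = []
    if value[:1] in (b" ", b":", b"<"):
        reasons.append("unsafe first character")
    if value.endswith(b" "):
        reasons.append("trailing space")
    if any(b > 127 for b in value):
        reasons.append("non-ASCII bytes")
    if any(b in (0, 10, 13) for b in value):
        reasons.append("NUL/CR/LF")
    return reasons or ["none (exporter's choice)"]

def inspect(ldif):
    """List (attr, decoded bytes, reasons, password scheme) for each attr:: line."""
    findings = []
    for line in unfold(ldif):
        m = re.match(r"([A-Za-z][\w;.-]*)::\s*(\S+)$", line)
        if not m:
            continue
        attr, raw = m.group(1), base64.b64decode(m.group(2))
        scheme = None
        if attr.lower() == "userpassword":
            s = re.match(rb"\{([A-Za-z0-9-]+)\}", raw)
            scheme = s.group(1).decode().upper() if s else "CLEARTEXT"
        findings.append((attr, raw, why_base64(raw), scheme))
    return findings

if __name__ == "__main__":
    for attr, raw, reasons, scheme in inspect(SAMPLE_LDIF):
        print(f"{attr}: {raw!r} base64 because: {', '.join(reasons)}; scheme={scheme}")
```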
