David, Richard -

Thanks for the pointers. I took the ldif created by Windows Sync for one user and stripped it completely, then added lines from the original until it would import into Active Directory. I was not able to make ldapmodify connect to the AD server, so I continued to use ldifde on the AD server itself.

I made a few import rules from this experience:

- LDAP attributes cannot be blank. In the example below, I had to remove the entries for userparameters, userworkstations, homeDirectory and profilepath for the file to import.
- I had to remove the codepage entry. I don't know whether AD objects to the attribute, the data, and/or the extra colon.
- My directory includes the domain name and a colon in samaccountname. I don't know whether to blame this on the ldif export from Netscape Directory or the import to DS 7.1, but AD does not allow colons in this data. Also, the domain name should not be included, because this attribute is mapped to "pre-W2000 logon name" in Active Directory, which does not include the domain name.
- The userprincipalname attribute has the same problem.

The Windows Sync documentation indicates that Windows Sync will populate an Active Directory, but I find this difficult to believe given the limitations noted above. I admit that I haven't tried working with the schema.

I'm thinking it might be faster to export an ldif from the Directory Server, clean it up with a word processor, and import it into AD using the Microsoft ldifde tool. But will synchronization work any better than initialization, given the differences that will exist between data in the two directories? Should I remove all the entries from the Directory Server after cleaning up the ldif, and import that into the Directory Server as well as the AD?

-Glenn.

Example:

dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: user
userprincipalname: TWU:jdoe at ad.example.com
samaccountname: TWU:jdoe
mail: jdoe at example.com
userparameters:
description: Reference Librarian
sn: Doe
telephoneNumber: 817-555-1234
codepage:: AAAAAA==
cn: John Doe
userworkstations:
title: Electronic Reference Librarian
homeDirectory:
profilepath:
givenName: John
facsimileTelephoneNumber: 817-555-2345
scriptpath: nt_script.bat

---------- Original Message -----------
From: David Boreham <david_list at boreham.org>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Sent: Tue, 28 Nov 2006 17:57:56 -0700
Subject: Re: Windows Sync Error

> Glenn wrote:
>
> >I wasn't thinking when I said the directory server data was imported from
> >NT. It actually came from a Netscape Directory server. Just as a test, I
> >exported a few users to an ldif file and tried to use the ldifde on the W2003
> >domain controller to import them. It seems to find a syntax error on every
> >line in the file, making it impossible to narrow it down.
> >
> >I can't possibly be the only person who has run into this problem. Hoping
> >someone can shed some light. Thanks. -Glenn.
> >
>
> We ran into this problem while developing the code.
> Unfortunately AD is brain-damaged when it comes to
> diagnosing why it objected to a particular operation.
> There seems to be no way to get it to log some decent
> diagnostic information, and it does not provide an adequate
> error message over the wire.
>
> In debugging these problems I first added the code that you
> have seen that dumps out the complete entry to the log.
> Then I pasted the entry into an ldapmodify command
> to reproduce the problem outside the server. Finally I
> edited the LDIF to trim off likely looking attributes until
> AD quit complaining. At that point I knew which one it
> was barfing over.
>
> I would begin by removing all the NT domain related
> attributes from a test entry and see if it adds ok.
> Then add them back one by one to see which is
> causing the problem.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

------- End of Original Message -------
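
The import rules listed in the message above, written as a pre-import LDIF filter. This is an added example, not part of the original thread and not Windows Sync or ldifde code. The sample entry is constructed, and the prefix rule assumes that everything up to the last colon in samaccountname and userprincipalname is the domain prefix.

```python
import re

DROP_ATTRS = {"codepage"}                               # removed outright in the message
STRIP_PREFIX = {"samaccountname", "userprincipalname"}  # "TWU:jdoe" -> "jdoe"
LINE = re.compile(r"([A-Za-z0-9;.-]+):(:|<)?\s*(.*)$")  # attr, base64/URL marker, value

# Constructed sample modelled on the entry in the message (not real data).
SAMPLE = """\
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: user
userprincipalname: TWU:jdoe@ad.example.com
samaccountname: TWU:jdoe
userparameters:
codepage:: AAAAAA==
description: Reference Libr
 arian
homeDirectory:
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def clean_ldif(text):
    """Apply the import rules; return (cleaned LDIF, list of (dn, action, attr))."""
    out, report, dn = [], [], None
    for line in unfold(text):
        m = LINE.match(line)
        if not m:                      # blank separators, comments, anything unparsed
            out.append(line)
            continue
        attr, marker, value = m.group(1), m.group(2) or "", m.group(3)
        key = attr.lower()
        if key == "dn":
            dn = value
        if key in DROP_ATTRS or value == "":
            report.append((dn, "dropped", attr))
            continue
        if key in STRIP_PREFIX and not marker and ":" in value:
            value = value.rpartition(":")[2]
            report.append((dn, "stripped-prefix", attr))
        out.append(f"{attr}:{marker} {value}")
    return "\n".join(out) + "\n", report
```

The returned report lists every dropped or rewritten attribute per DN, so the changes can be reviewed before the file is handed to ldifde.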