----- Ursprüngliche Nachricht -----
Von: Albert Teh <teh.albert@xxxxxxxxx>
Datum: Mittwoch, 1. Juni 2011, 2:30
Betreff: Re: [389-users] Windows Sync Agreement Help
An: Rich Megginson <rmeggins@xxxxxxxxxx>
Cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
>
> On Tue, May 31, 2011 at 2:58 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
>
On 05/31/2011 12:49 PM, Albert Teh wrote:
> Hi Rich,
>
>
Sorry, What I understand doing the OneWay Sync from the AD to the
DS
>
>
Users in the Active Directory domain are synced if it is
configured in the sync agreement by selecting the Sync New Windows Users
option. All of the Windows users are copied to the Directory
Server when synchronization is initiated and then new users are
synced over when they are created.
>
>
I do not need to do any AD to DS Group Sync
>
>
and I am not doing any DS sync to the AD.
>
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w
- -D
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s
base -b "" "objectclass=*"
>
>
You should get the contents of the AD
This is a good test, but take a notice of that winsync use the dirsync ldap control which require additional priviledges on AD. This can tested with a python script of rich:
https://github.com/richm/scripts/blob/master/dirsyncctrl.py
which need python an the ldap lib for python.
Regards Carsten
>
>
/usr/lib/mozldap/ldapsearch -x -h
wodcstage-1.ottawa.ad.algonquincollege.com -w - -D
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s
sub -b "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
"objectclass=person"
>
>
you should get the list of users>
>
>
>
Thanks.
>
Al
>
> On Tue, May 31, 2011 at 1:40 PM, Rich
Megginson <rmeggins@xxxxxxxxxx>
wrote:
> On 05/31/2011 10:30 AM, Albert Teh wrote:
>
HI Rich,
>
>
[root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -w - -D
cn="Directory Manager" -b
"ou=People,dc=algonquincollege,dc=com"
"(|(objectclass=ntuser)(objectclass=ntgroup))"
>
Enter bind password:
>
[root@algldap ~]#
>
>
No Entry found !!!.
>
You have to tell directory server which entries you want to
sync.
>
See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
Thanks.
>
Albert
>
> On Tue, May 31, 2011 at 11:42
AM, Rich Megginson <rmeggins@xxxxxxxxxx>
wrote:
> On 05/30/2011 08:32 AM, Albert Teh wrote:
> Hi Rich,
>
> I followed the Guide and still got the
same result. Checked with the AD
administrator, the AD's user: mailadm has a
full privilege.
>
/usr/bin/ldapsearch -x -w - -D cn="Directory
Manager"-b
"ou=People,dc=algonquincollege,dc=com"
"(|(objectclass=ntuser)(objectclass=ntgroup))"
>
>
How many entries match that search?
>
>
Thanks.
>
Albert
>
>
Here is the Windows Sync Agreement info:
>
>
[root@algldap slapd-algldap]#
/usr/lib/mozldap/ldapsearch -w - -D
cn="Directory Manager" -b cn=config
cn=ADSync
>
Enter bind password:
>
version: 1
>
dn:
cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
tree,c
>
n=config
>
objectClass: top
>
objectClass:
nsDSWindowsReplicationAgreement
>
description: AD Sync Agreement
>
cn: ADSync
>
nsds7WindowsReplicaSubtree:
cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=co
>
m
>
nsds7DirectoryReplicaSubtree: ou=People,
dc=algonquincollege,dc=com
>
nsds7NewWinUserSyncEnabled: on
>
nsds7NewWinGroupSyncEnabled: on
>
nsds7WindowsDomain: ottawa.ad.algonquincollege.com
>
nsDS5ReplicaRoot:
dc=algonquincollege,dc=com
>
nsDS5ReplicaHost: wodcstage-1.ottawa.ad.algonquincollege.com
>
nsDS5ReplicaPort: 389
>
nsDS5ReplicaBindDN:
cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc
>
=com
>
nsDS5ReplicaBindMethod: SIMPLE
>
nsDS5ReplicaCredentials:
{DES}U68ooQM3C15xjJ/taDmy0A==
>
nsds5replicareapactive: 0
>
nsds5replicaLastUpdateStart:
20110530141648Z
>
nsds5replicaLastUpdateEnd: 20110530141648Z
>
nsds5replicaChangesSentSinceStartup:
>
nsds5replicaLastUpdateStatus: 0 Replica
acquired successfully: Incremental upd
>
ate succeeded
>
nsds5replicaUpdateInProgress: FALSE
>
nsds5replicaLastInitStart: 20110530140648Z
>
nsds5replicaLastInitEnd: 20110530140648Z
>
nsds5replicaLastInitStatus: 0 Total update
succeeded
>
[root@algldap slapd-algldap]#
>
>
>
> On Fri, May 27,
2011 at 10:57 AM, Rich Megginson <rmeggins@xxxxxxxxxx>
wrote:
> On 05/27/2011 04:22 AM, Albert
Teh wrote:
Hi Rich,
>
>
I reinstalled 389-ds-base
1.2.8.3 from EPEL5 and added
onewaysync set as fromWindows in
the multimaster replication
plugin. I still got the same
result with no user created in
the DS subtree.
>
Have you read http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
>
Errors log:
>
>
[27/May/2011:06:18:26 -0400]
NSMMReplicationPlugin -
Beginning total update of
replica "agmt="cn=ADSync"
(wodcstage-1:389)".
>
[27/May/2011:06:18:26 -0400]
NSMMReplicationPlugin -
Finished total update of
replica "agmt="cn=ADSync"
(wodcstage-1:389)". Sent 0
entries.
>
>
>
Access log:
>
>
[27/May/2011:06:18:29 -0400]
conn=1 op=114 SRCH
base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
tree,cn=config" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="nsds5replicaLastUpdateStart
nsds5replicaLastUpdateEnd
nsds5replicaChangesSentSinceStartup
nsds5replicaLastUpdateStatus
nsds5replicaUpdateInProgress
nsds5replicaLastInitStart
nsds5replicaLastInitEnd
nsds5replicaLastInitStatus
nsds5BeginReplicaRefresh"
>
[27/May/2011:06:18:29 -0400]
conn=1 op=114 RESULT err=0
tag=101 nentries=1 etime=
>
>
Thanks for your help.
>
>
Albert
>
>
>
> On
Thu, May 26, 2011 at 11:13
AM, Rich Megginson <rmeggins@xxxxxxxxxx>
wrote:
> On 05/26/2011
08:58 AM, Albert Teh
wrote:
Hi,
>
>
We are setting up a
new CENTOS-DS
version 8.1.0. and
CENTOS 5.5 and
attempt to
synchronize with the
existing 2003
Windows AD server.
>
Performing the full
sync completed.
There is no user
created in the DS
subtree.
>
>
We would like to
perform one way
Sync: AD ---->
DS. Once it works,
we will set up the
password Sync from
the AD to DS.
>
One way sync isn't
supported with 8.1.0. I
suggest using
389-ds-base 1.2.8.3 from
EPEL5 which does support
one way sync. http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
>
>
AD:
cn=Users,cn=location,dc=ad,dc=domain,dc=com
>
DS:
ou=Peoples,dc=domain,dc=com
>
>
errors log:
>
>
>
[26/May/2011:10:20:34
-0400]
NSMMReplicationPlugin
- Beginning total
update of replica
"agmt="cn=ADsync"
(wodcstage-1:389)".
>
[26/May/2011:10:20:34
-0400]
NSMMReplicationPlugin
- Finished total
update of replica
"agmt="cn=ADsync"
(wodcstage-1:389)".
Sent 0 entries.
>
>
access log:
>
>
26/May/2011:10:20:37
-0400] conn=11
op=819 SRCH
base="cn=ADsync,
cn=replica,
cn=\22dc=algonquincollege,
dc=com\22,
cn=mapping tree,
cn=config" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="nsds5replicaLastUpdateStart
nsds5replicaLastUpdateEnd
nsds5replicaChangesSentSinceStartup
nsds5replicaLastUpdateStatus
nsds5replicaUpdateInProgress
nsds5replicaLastInitStart
nsds5replicaLastInitEnd
nsds5replicaLastInitStatus
nsds5BeginReplicaRefresh"
>
[26/May/2011:10:20:37
-0400] conn=11
op=819 RESULT err=0
tag=101 nentries=1
etime=0
>
>
>
Thanks.
>
Albert
>
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>
--
>
Albert Teh
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
--
>
Albert Teh
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
--
>
Albert Teh
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
--
>
Albert Teh
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
> HI Rich,
>
> These two commands worked and got the result. I have been gone through the Windows Sync agreement setup for many times. I could not figure out what went wrong.
>
Thanks a lot for your help again.
>
> Albert
>
> /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w
- -D
"cn=mailadm,cn=Users,dc=[root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s base -b "" "objectclass=*" Enter bind password:
>
version: 1
> dn:
> currentTime: 20110601001342.0Z
> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ad,DC=algonquinc
> ollege,DC=com
> dsServiceName: CN=NTDS Settings,CN=WODCSTAGE-1,CN=Servers,CN=Default-First-Sit
>
e-Name,CN=Sites,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
> namingContexts: CN=Configuration,DC=ad,DC=algonquincollege,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
> namingContexts: DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>
defaultNamingContext: DC=ottawa,DC=ad,DC=algonquincollege,DC=com
> schemaNamingContext: CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=c
> om
> configurationNamingContext: CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>
rootDomainNamingContext: DC=ad,DC=algonquincollege,DC=com
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 1.2.840.113556.1.4.528
>
supportedControl: 1.2.840.113556.1.4.417
> supportedControl: 1.2.840.113556.1.4.619
> supportedControl: 1.2.840.113556.1.4.841
> supportedControl: 1.2.840.113556.1.4.529
> supportedControl: 1.2.840.113556.1.4.805
> supportedControl: 1.2.840.113556.1.4.521
>
supportedControl: 1.2.840.113556.1.4.970
> supportedControl: 1.2.840.113556.1.4.1338
> supportedControl: 1.2.840.113556.1.4.474
> supportedControl: 1.2.840.113556.1.4.1339
> supportedControl: 1.2.840.113556.1.4.1340
>
supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.10
> supportedControl: 1.2.840.113556.1.4.1504
> supportedControl: 1.2.840.113556.1.4.1852
>
supportedControl: 1.2.840.113556.1.4.802
> supportedControl: 1.2.840.113556.1.4.1907
> supportedControl: 1.2.840.113556.1.4.1948
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
>
supportedLDAPPolicies: MaxDatagramRecv
> supportedLDAPPolicies: MaxReceiveBuffer
> supportedLDAPPolicies: InitRecvTimeout
> supportedLDAPPolicies: MaxConnections
> supportedLDAPPolicies: MaxConnIdleTime
> supportedLDAPPolicies: MaxPageSize
>
supportedLDAPPolicies: MaxQueryDuration
> supportedLDAPPolicies: MaxTempTableSize
> supportedLDAPPolicies: MaxResultSetSize
> supportedLDAPPolicies: MaxNotificationPerConn
> supportedLDAPPolicies: MaxValRange
> highestCommittedUSN: 3103418
>
supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> dnsHostName: WODCStage-1.ottawa.ad.algonquincollege.com
>
ldapServiceName: ad.algonquincollege.com:wodcstage-1$@OTTAWA.AD.ALGONQUINCOLLE
> GE.COM
> serverName: CN=WODCSTAGE-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
> onfiguration,DC=ad,DC=algonquincollege,DC=com
>
supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 2
>
forestFunctionality: 2
> domainControllerFunctionality: 2
> [root@algldap ~]#
>
> Partial out:
>
> [root@algldap ~]# /usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com -w - -D "cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" -s sub -b "cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com" "objectclass=person" | more
>
Enter bind password:
> version: 1
> dn: CN=isp-transfer,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: isp-transfer
>
description: Transfer for Genesis Data to International Student Program share
> givenName: isp-transfer
> distinguishedName: CN=isp-transfer,CN=Users,DC=ottawa,DC=ad,DC=algonquincolleg
> e,DC=com
> instanceType: 4
>
whenCreated: 20040517155823.0Z
> whenChanged: 20081016173006.0Z
> displayName: isp-transfer
> uSNCreated: 255422
> memberOf: CN=NAS_Transfer_Genesis_ISP,OU=Groups,DC=ottawa,DC=ad,DC=algonquinco
> llege,DC=com
> uSNChanged: 255422
>
name: isp-transfer
> objectGUID:: EaeRW3KiMUac6hzEs//X/g==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 127292831041031250
>
primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAArhyVdhR1dBOOfkA4DN8BAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: isp-transfer
> sAMAccountType: 805306368
> userPrincipalName: isp-transfer@xxxxxxxxxxxxxxxxxxxx
>
lockoutTime: 0
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege
> ,DC=com
> dSCorePropagationData: 20110131155635.0Z
> dSCorePropagationData: 20091227191115.0Z
> dSCorePropagationData: 20090127144505.0Z
>
dSCorePropagationData: 20081201175842.0Z
> dSCorePropagationData: 16010714223649.0Z
> lastLogonTimestamp: 128686221598537375
>
> dn: CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
> objectClass: top
>
objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: heatweb
> sn: heatweb
> description: Used to communicate between HEAT and IIS
> distinguishedName: CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=
>
com
> instanceType: 4
> whenCreated: 20050218192725.0Z
> whenChanged: 20081016172611.0Z
> displayName: heatweb
> uSNCreated: 89976
> memberOf: CN=Heat Users,OU=Groups,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
> uSNChanged: 89976
>
name: heatweb
> objectGUID:: 07KJaAgkGUapXbQN7VprrQ==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
>
>
>
>
>
>
>
> >
> --
> Albert Teh
> Email: Teh.Albert@xxxxxxxxx
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
begin:vcard
n:Grzemba;Carsten
fn:Carsten Grzemba
tel;cell:+49 171 9749479
tel;work:+49 3677 6474-0
org:contac Datentechnik GmbH
adr:;;Auf dem Steine 1;Ilmenau;;98693;
email;internet:carsten.grzemba@xxxxxxxxxxxx
version:2.1
end:vcard
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
