Hi,
there was some people in the past who are interested in the code. So I guess it is a good idea to set up a repro on github, or some where.
But I can't do this before June, 9th.
Is this ok for you?
Regards Carsten
----- Ursprüngliche Nachricht -----
Von: Albert Teh <teh.albert@xxxxxxxxx>
Datum: Freitag, 3. Juni 2011, 17:58
Betreff: Re: [389-users] Windows Sync Agreement Help
An: Rich Megginson <rmeggins@xxxxxxxxxx>
Cc: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Thanks Rich for your information.
>
> I found this:
> [389-users] Sync uidNumber between AD and directory server
Carsten Grzemba
grzemba at contac-dt.de
> Fri Mar 18 07:24:12 UTC 2011
- > Previous message: [389-users] Sync uidNumber between AD and directory server
- > Next message: [389-users] Sync uidNumber between AD and directory server
- > Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
-----------------------------------------------------------
> Hi,
>
> this is possible via a winsync plugin. With such a plugin you can sync and modify additional attributes.
> I have developed a plugin to sync Posix attributes for users and groups for AD 2008.
> If interested, I can make the code available
>
> Regards
> CarstenHi Carsten,
>
> Could your code available for me? It will be a great code.
>
> Thanks.
> Albert
>
>
> On Fri, Jun 3, 2011 at 11:11 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
>
On 06/03/2011 09:00 AM, Albert Teh wrote:
Great News.
>
After talked to the AD Administrator, assigned the user: mailadm
as a administrator. The Windows Sync is working. Thank you all for
the great help.
>
>
My next step is to get the Password Sync working.
>
> Need help again: 1) need to remap the attributes
synchronizing from the AD to the DS.
>
Is there any plugin for this process?
>
No. But there is a winsync plugin api, if you feel up to writing
some C code.
>
>
2) What password attribute is using on
the DS for the LDAP client's authencation?
>
I do not find the attribute:
userPassword from the AD to the DS
>
after the SYNC.
>
Right. Passwords are not synced initially. This is because both DS
and AD do not (by default anyway) store the original clear text
password - they store a hash of the password which is not
reversible. The only way to get passwords in sync is to change the
password. When the DS receives a clear text password, it will send
it to AD so that AD can compute whatever hashes or encryption keys
it needs to with the clear text password.
>
>
On the AD side, you must install the PassSync service on every
domain controller in order to intercept clear text password changes.
>
>
I realize this is a pain but
>
1) most organizations have a policy that passwords have to change
every 90 days or so, so the passwords will eventually be in sync -
you can always force a password change for those users of Windows
that need to access Linux and vice versa
>
2) Freeipa is working on cross domain trust between AD and Linux so
hopefully this problem will go away in the near future
>
> Thanks again for all the help.
>
Albert
>
>
>
On Fri, Jun 3, 2011 at 3:37 AM, <389-users-request@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:
> Send 389-users mailing list submissions to
>
389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
>
To subscribe or unsubscribe via the World Wide Web, visit
>
https://admin.fedoraproject.org/mailman/listinfo/389-users
>
or, via email, send a message with subject or body 'help' to
>
389-users-request@xxxxxxxxxxxxxxxxxxxxxxx
>
>
You can reach the person managing the list at
>
389-users-owner@xxxxxxxxxxxxxxxxxxxxxxx
>
>
When replying, please edit your Subject line so it is more
specific
>
than "Re: Contents of 389-users digest..."
>
>
>
Today's Topics:
>
>
1. ds-admin script/package (Danny Wall)
>
2. Re: ds-admin script/package (solarflow99)
>
3. Re: ds-admin script/package (Danny Wall)
>
4. Re: ds-admin script/package (solarflow99)
>
5. Re: ds-admin script/package (Danny Wall)
>
6. Re: ds-admin script/package (Rich Megginson)
>
7. Re: Windows Sync Agreement Help (Carsten Grzemba)
>
>
>
----------------------------------------------------------------------
>
>
Message: 1
>
Date: Thu, 2 Jun 2011 16:40:37 -0400
>
From: Danny Wall <dwall72@xxxxxxxxx>
>
Subject: [389-users] ds-admin script/package
>
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
Message-ID: <BANLkTi=kzFoCphzp1a1ckniuwumRTUnH-w@xxxxxxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
I am setting up three RHEL 6 servers and am unable to find the
packages or
>
scripts to install the admin console. In CentOS 5.5 and the
389 project, the
>
packages are available, and I see references to setup-ds-admin.pl in RHEL 6
>
documentation and in searches. I have the dirsrv package
installed and a
>
couple LDAP instances configured, but I have to use generic
LDAP browsers
>
for administration and can not configure password policies,
etc. that appear
>
to require the admin console or web page.
>
>
Can anyone point me to the missing link?
>
>
Thanks
>
-------------- next part --------------
>
An HTML attachment was scrubbed...
>
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110602/c3418661/attachment-0001.html
>
>
------------------------------
>
>
Message: 2
>
Date: Thu, 2 Jun 2011 16:56:52 -0400
>
From: solarflow99 <solarflow99@xxxxxxxxx>
>
Subject: Re: [389-users] ds-admin script/package
>
To: "General discussion list for the 389 Directory server
project."
>
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
Message-ID: <BANLkTinV443CJfUCBnXeoQXfeh2uTWAPhw@xxxxxxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
There are several RPM's involved, what repo and yum command
did you use?
>
>
>
2011/6/2 Danny Wall <dwall72@xxxxxxxxx>
>
>
> I am setting up three RHEL 6 servers and am unable to
find the packages or
>
> scripts to install the admin console. In CentOS 5.5 and
the 389 project, the
>
> packages are available, and I see references to setup-ds-admin.pl in RHEL
>
> 6 documentation and in searches. I have the dirsrv
package installed and a
>
> couple LDAP instances configured, but I have to use
generic LDAP browsers
>
> for administration and can not configure password
policies, etc. that appear
>
> to require the admin console or web page.
>
>
>
> Can anyone point me to the missing link?
>
>
>
> Thanks
>
>
>
>
>
> --
>
> 389 users mailing list
>
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
-------------- next part --------------
>
An HTML attachment was scrubbed...
>
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110602/59f5428b/attachment-0001.html
>
>
------------------------------
>
>
Message: 3
>
Date: Thu, 2 Jun 2011 17:01:36 -0400
>
From: Danny Wall <dwall72@xxxxxxxxx>
>
Subject: Re: [389-users] ds-admin script/package
>
To: "General discussion list for the 389 Directory server
project."
>
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
Message-ID: <BANLkTimNg3HGJZgvLO6MdRB-LiQBAsfAMw@xxxxxxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
I first tried to the default rhel 6 repo then tried adding the
epel 6 repo.
>
>
Thanks
>
On Jun 2, 2011 4:57 PM, "solarflow99" <solarflow99@xxxxxxxxx> wrote:
>
> There are several RPM's involved, what repo and yum
command did you use?
>
>
>
>
>
> 2011/6/2 Danny Wall <dwall72@xxxxxxxxx>
>
>
>
>> I am setting up three RHEL 6 servers and am unable to
find the packages
>
or
>
>> scripts to install the admin console. In CentOS 5.5
and the 389 project,
>
the
>
>> packages are available, and I see references to setup-ds-admin.pl in RHEL
>
>> 6 documentation and in searches. I have the dirsrv
package installed and
>
a
>
>> couple LDAP instances configured, but I have to use
generic LDAP browsers
>
>> for administration and can not configure password
policies, etc. that
>
appear
>
>> to require the admin console or web page.
>
>>
>
>> Can anyone point me to the missing link?
>
>>
>
>> Thanks
>
>>
>
>>
>
>> --
>
>> 389 users mailing list
>
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>>
>
-------------- next part --------------
>
An HTML attachment was scrubbed...
>
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110602/7ac1b8cf/attachment-0001.html
>
>
------------------------------
>
>
Message: 4
>
Date: Thu, 2 Jun 2011 17:11:13 -0400
>
From: solarflow99 <solarflow99@xxxxxxxxx>
>
Subject: Re: [389-users] ds-admin script/package
>
To: "General discussion list for the 389 Directory server
project."
>
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
Message-ID: <BANLkTikoc5p3WRQSoJO3toL28-wkzc+anQ@xxxxxxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
good, epel is the one to use. Did you use yum install 389-ds
? that will
>
pull in the whole thing.
>
>
>
>
>
2011/6/2 Danny Wall <dwall72@xxxxxxxxx>
>
>
> I first tried to the default rhel 6 repo then tried
adding the epel 6 repo.
>
>
>
>
>
> Thanks
>
> On Jun 2, 2011 4:57 PM, "solarflow99" <solarflow99@xxxxxxxxx> wrote:
>
> > There are several RPM's involved, what repo and yum
command did you use?
>
> >
>
> >
>
> > 2011/6/2 Danny Wall <dwall72@xxxxxxxxx>
>
> >
>
> >> I am setting up three RHEL 6 servers and am
unable to find the packages
>
> or
>
> >> scripts to install the admin console. In CentOS
5.5 and the 389 project,
>
> the
>
> >> packages are available, and I see references to
setup-ds-admin.pl in
>
> RHEL
>
> >> 6 documentation and in searches. I have the
dirsrv package installed and
>
> a
>
> >> couple LDAP instances configured, but I have to
use generic LDAP
>
> browsers
>
> >> for administration and can not configure
password policies, etc. that
>
> appear
>
> >> to require the admin console or web page.
>
> >>
>
> >> Can anyone point me to the missing link?
>
> >>
>
> >> Thanks
>
> >>
>
> >>
>
> >> --
>
> >> 389 users mailing list
>
> >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> >>
>
>
>
> --
>
> 389 users mailing list
>
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
-------------- next part --------------
>
An HTML attachment was scrubbed...
>
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110602/d5c1f43a/attachment-0001.html
>
>
------------------------------
>
>
Message: 5
>
Date: Thu, 2 Jun 2011 17:14:59 -0400
>
From: Danny Wall <dwall72@xxxxxxxxx>
>
Subject: Re: [389-users] ds-admin script/package
>
To: "General discussion list for the 389 Directory server
project."
>
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
Message-ID: <BANLkTin08GVsHrwh6EZV0ZdchXUKcwchsw@xxxxxxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
I may have used 389 base. I will try it later without the
base. Thanks
>
On Jun 2, 2011 5:11 PM, "solarflow99" <solarflow99@xxxxxxxxx> wrote:
>
> good, epel is the one to use. Did you use yum install
389-ds ? that will
>
> pull in the whole thing.
>
>
>
>
>
>
>
>
>
> 2011/6/2 Danny Wall <dwall72@xxxxxxxxx>
>
>
>
>> I first tried to the default rhel 6 repo then tried
adding the epel 6
>
repo.
>
>>
>
>>
>
>> Thanks
>
>> On Jun 2, 2011 4:57 PM, "solarflow99" <solarflow99@xxxxxxxxx> wrote:
>
>> > There are several RPM's involved, what repo and
yum command did you
>
use?
>
>> >
>
>> >
>
>> > 2011/6/2 Danny Wall <dwall72@xxxxxxxxx>
>
>> >
>
>> >> I am setting up three RHEL 6 servers and am
unable to find the
>
packages
>
>> or
>
>> >> scripts to install the admin console. In
CentOS 5.5 and the 389
>
project,
>
>> the
>
>> >> packages are available, and I see references
to setup-ds-admin.pl in
>
>> RHEL
>
>> >> 6 documentation and in searches. I have the
dirsrv package installed
>
and
>
>> a
>
>> >> couple LDAP instances configured, but I have
to use generic LDAP
>
>> browsers
>
>> >> for administration and can not configure
password policies, etc. that
>
>> appear
>
>> >> to require the admin console or web page.
>
>> >>
>
>> >> Can anyone point me to the missing link?
>
>> >>
>
>> >> Thanks
>
>> >>
>
>> >>
>
>> >> --
>
>> >> 389 users mailing list
>
>> >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
>> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>> >>
>
>>
>
>> --
>
>> 389 users mailing list
>
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>>
>
-------------- next part --------------
>
An HTML attachment was scrubbed...
>
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110602/7ab1793d/attachment-0001.html
>
>
------------------------------
>
>
Message: 6
>
Date: Thu, 02 Jun 2011 15:18:02 -0600
>
From: Rich Megginson <rmeggins@xxxxxxxxxx>
>
Subject: Re: [389-users] ds-admin script/package
>
To: "General discussion list for the 389 Directory server
project."
>
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
Message-ID: <4DE7FE0A.9020806@xxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
On 06/02/2011 03:14 PM, Danny Wall wrote:
>
>
>
> I may have used 389 base. I will try it later without the
base. Thanks
>
>
>
389-ds-base is in the base RHEL 6.1 OS. None of the other 389
packages
>
such as 389-admin are available yet. I'm in the process of
building
>
them now for EPEL6. setup-ds.pl is
provided by the 389-ds-base
>
package. setup-ds-admin.pl
is provided by the 389-admin package.
>
> On Jun 2, 2011 5:11 PM, "solarflow99" <solarflow99@xxxxxxxxx
>
> <mailto:solarflow99@xxxxxxxxx>>
wrote:
>
> > good, epel is the one to use. Did you use yum
install 389-ds ? that will
>
> > pull in the whole thing.
>
> >
>
> >
>
> >
>
> >
>
> > 2011/6/2 Danny Wall <dwall72@xxxxxxxxx
<mailto:dwall72@xxxxxxxxx>>
>
> >
>
> >> I first tried to the default rhel 6 repo then
tried adding the epel
>
> 6 repo.
>
> >>
>
> >>
>
> >> Thanks
>
> >> On Jun 2, 2011 4:57 PM, "solarflow99" <solarflow99@xxxxxxxxx
>
> <mailto:solarflow99@xxxxxxxxx>>
wrote:
>
> >> > There are several RPM's involved, what repo
and yum command did
>
> you use?
>
> >> >
>
> >> >
>
> >> > 2011/6/2 Danny Wall <dwall72@xxxxxxxxx <mailto:dwall72@xxxxxxxxx>>
>
> >> >
>
> >> >> I am setting up three RHEL 6 servers
and am unable to find the
>
> packages
>
> >> or
>
> >> >> scripts to install the admin console.
In CentOS 5.5 and the 389
>
> project,
>
> >> the
>
> >> >> packages are available, and I see
references to
>
> setup-ds-admin.pl
<http://setup-ds-admin.pl> in
>
> >> RHEL
>
> >> >> 6 documentation and in searches. I have
the dirsrv package
>
> installed and
>
> >> a
>
> >> >> couple LDAP instances configured, but I
have to use generic LDAP
>
> >> browsers
>
> >> >> for administration and can not
configure password policies, etc.
>
> that
>
> >> appear
>
> >> >> to require the admin console or web
page.
>
> >> >>
>
> >> >> Can anyone point me to the missing
link?
>
> >> >>
>
> >> >> Thanks
>
> >> >>
>
> >> >>
>
> >> >> --
>
> >> >> 389 users mailing list
>
> >> >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
> >> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> >> >>
>
> >>
>
> >> --
>
> >> 389 users mailing list
>
> >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> >>
>
>
>
>
>
> --
>
> 389 users mailing list
>
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
-------------- next part --------------
>
An HTML attachment was scrubbed...
>
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20110602/60f0ddb1/attachment-0001.html
>
>
------------------------------
>
>
Message: 7
>
Date: Fri, 03 Jun 2011 09:37:08 +0200
>
From: Carsten Grzemba <grzemba@xxxxxxxxxxxx>
>
Subject: Re: [389-users] Windows Sync Agreement Help
>
To: "General discussion list for the 389 Directory server
project."
>
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
Message-ID: <fc54d5723506.4de8ab44@xxxxxxxxxxxx>
>
Content-Type: text/plain; charset="iso-8859-1"
>
>
>
>
----- Urspr?ngliche Nachricht -----
>
Von: Rich Megginson <rmeggins@xxxxxxxxxx>
>
Datum: Mittwoch, 1. Juni 2011, 18:05
>
Betreff: Re: [389-users] Windows Sync Agreement Help
>
An: Albert Teh <teh.albert@xxxxxxxxx>
>
Cc: "General discussion list for the 389 Directory server
project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>
>
>
>
>
>
>
>
>
>
>
>
On 06/01/2011 09:21 AM, Albert Teh wrote:
>
>
>
The user: mailadm should have a full privilege from
>
the AD because we are using this user for SUN's IDSYNC
>
synchronizing/passwdsyc from the AD to the SUN's DS which
is our
>
current LDAP environment. We are trying to change SUN's
Directory
>
server to the Linux's 389-Directory server.
>
>
>
No, its not true in general, Suns Idsync needs only a normal
user, if you sync only from AD to DS. The user for Suns Idsync
needs only additional privileges for see the 'deleted objects'
container for syncing the object deletion. It do not use the
dirsync ldap control where you need the Replication/Replicator
rights
>
>
Regards, Carsten
>
>
>
>
>
>
Ok.? I don't know how Sun's IDSYNC works - it is possible
it doesn't
>
use the DirSync control which requires Replicator
privileges.? Can
>
you confirm that
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
has
>
Replication/Replicator rights in AD/Windows?
>
>
>
>
>
>
>
?
>
>
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
has Replication/Replicator rights in AD/Windows?
>
>
>
>
>
>
Thanks.
>
>
>
Albert
>
>
>
>
>
> On Wed, Jun 1, 2011 at 10:12 AM, Rich
>
Megginson <rmeggins@xxxxxxxxxx>
>
wrote:
>
>
>
>
>
> On 05/31/2011 06:30 PM, Albert Teh wrote:
>
>
>
>
>
>
> On Tue, May 31, 2011 at 2:58
>
PM, Rich Megginson <rmeggins@xxxxxxxxxx>
>
wrote:
>
>
>
>
> On 05/31/2011 12:49 PM, Albert
Teh wrote:
>
>
> Hi Rich,
>
>
>
>
>
> Sorry, What I understand doing
the
>
OneWay Sync from the AD to the DS
>
>
>
>
>
>
Users in the Active Directory
domain are
>
synced if it is configured in the
sync
>
agreement by selecting the Sync
>
New Windows Users option. All
>
of the Windows users are copied to
the
>
Directory Server when
synchronization is
>
initiated and then new users are
synced over
>
when they are created.
>
>
>
>
>
>
I do not need to do any AD to DS
Group Sync
>
>
>
>
>
>
and I am not doing any DS sync to
the AD.
>
>
>
>
>
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com
>
-w - -D
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
-s base -b "" "objectclass=*"
>
>
>
>
>
>
You should get the contents of the AD
>
>
>
>
>
>
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com
>
-w - -D
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
-s sub -b
>
"cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
"objectclass=person"
>
>
>
>
>
>
you should get the list of users
>
>
>
>
>
>
>
>
>
>
>
Thanks.
>
>
>
Al
>
>
>
>
>
> On Tue, May 31,
>
2011 at 1:40 PM, Rich Megginson
<rmeggins@xxxxxxxxxx>
>
wrote:
>
>
>
>
> On 05/31/2011 10:30
AM, Albert
>
Teh wrote:
>
>
>
>
HI Rich,
>
>
>
>
>
>
[root@algldap ~]#
>
/usr/lib/mozldap/ldapsearch -x
>
-w - -D cn="Directory
Manager"
>
-b
>
"ou=People,dc=algonquincollege,dc=com"
>
"(|(objectclass=ntuser)(objectclass=ntgroup))"
>
>
>
Enter bind password:
>
>
>
[root@algldap ~]#
>
>
>
>
>
>
No Entry found !!!.
>
>
>
>
>
You have to tell directory
server
>
which entries you want to
sync.
>
>
>
See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
>
>
>
>
>
Thanks.
>
>
>
Albert
>
>
>
>
>
> On
>
Tue, May 31, 2011
at 11:42
>
AM, Rich Megginson
<rmeggins@xxxxxxxxxx>
>
wrote:
>
>
>
>
> On
05/30/2011
>
08:32 AM,
Albert Teh
>
wrote:
>
> Hi
>
Rich,
>
>
>
>
>
> I
followed the
>
Guide and
still got
>
the same
result.
>
Checked
with? the AD
>
administrator, the
>
AD's user:
mailadm
>
has a full
>
privilege.
>
>
>
>
>
/usr/bin/ldapsearch -x
>
-w - -D
cn="Directory
>
Manager"-b
>
"ou=People,dc=algonquincollege,dc=com"
>
"(|(objectclass=ntuser)(objectclass=ntgroup))"
>
>
>
>
>
>
How many
entries match
>
that search?
>
>
>
>
>
>
>
>
Thanks.
>
>
>
Albert
>
>
>
? ?
>
>
>
Here is
the
>
Windows
Sync
>
Agreement
info:
>
>
>
>
>
>
[root@algldap
>
slapd-algldap]#
>
/usr/lib/mozldap/ldapsearch
>
-w - -D
>
cn="Directory
>
Manager"
-b
>
cn=config
>
cn=ADSync
>
>
>
Enter
bind
>
password:
>
>
>
version:
1
>
>
>
dn:
>
cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
>
tree,c
>
>
>
?n=config
>
>
>
objectClass: top
>
>
>
objectClass:
>
nsDSWindowsReplicationAgreement
>
>
>
description: AD
>
Sync
Agreement
>
>
>
cn:
ADSync
>
>
>
nsds7WindowsReplicaSubtree:
>
>
cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=co
>
>
>
?m
>
>
>
nsds7DirectoryReplicaSubtree:
>
>
ou=People,
>
dc=algonquincollege,dc=com
>
>
>
nsds7NewWinUserSyncEnabled:
>
on
>
>
>
nsds7NewWinGroupSyncEnabled:
>
>
on
>
>
>
nsds7WindowsDomain:
>
ottawa.ad.algonquincollege.com
>
>
>
nsDS5ReplicaRoot:
>
dc=algonquincollege,dc=com
>
>
>
nsDS5ReplicaHost:
>
wodcstage-1.ottawa.ad.algonquincollege.com
>
>
>
nsDS5ReplicaPort:
>
389
>
>
>
nsDS5ReplicaBindDN:
>
>
cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc
>
>
>
?=com
>
>
>
nsDS5ReplicaBindMethod:
>
SIMPLE
>
>
>
nsDS5ReplicaCredentials:
>
>
{DES}U68ooQM3C15xjJ/taDmy0A==
>
>
>
nsds5replicareapactive:
>
0
>
>
>
nsds5replicaLastUpdateStart:
>
>
20110530141648Z
>
>
>
nsds5replicaLastUpdateEnd:
>
>
20110530141648Z
>
>
>
nsds5replicaChangesSentSinceStartup:
>
>
>
nsds5replicaLastUpdateStatus:
>
>
0 Replica
acquired
>
successfully:
>
Incremental upd
>
>
>
?ate
succeeded
>
>
>
nsds5replicaUpdateInProgress:
>
>
FALSE
>
>
>
nsds5replicaLastInitStart:
>
>
20110530140648Z
>
>
>
nsds5replicaLastInitEnd:
>
>
20110530140648Z
>
>
>
nsds5replicaLastInitStatus:
>
0 Total
update
>
succeeded
>
>
>
[root@algldap
>
slapd-algldap]#
>
>
>
>
>
>
>
>
>
>
>
> On
>
>
Fri,
May 27,
>
2011 at
10:57
>
AM,
Rich
>
Megginson <rmeggins@xxxxxxxxxx>
>
wrote:
>
>
>
>
>
On
>
05/27/2011
>
04:22
AM,
>
Albert Teh
>
wrote:
>
Hi
>
Rich,
>
>
>
>
>
>
I
reinstalled
>
389-ds-base
>
1.2.8.3 from
>
EPEL5
and
>
added
>
onewaysync set
>
as
fromWindows
>
in
the
>
multimaster
>
replication
>
plugin. I
>
still
got the
>
same
result
>
with
no user
>
created in the
>
DS
subtree.
>
>
>
>
>
Have
you read
>
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
>
>
>
>
>
>
>
Errors log:
>
>
>
>
>
>
[27/May/2011:06:18:26
>
>
-0400]
>
NSMMReplicationPlugin
>
-
Beginning
>
total
update
>
of
replica
>
"agmt="cn=ADSync"
>
(wodcstage-1:389)".
>
>
>
[27/May/2011:06:18:26
>
>
-0400]
>
NSMMReplicationPlugin
>
-
Finished
>
total
update
>
of
replica
>
"agmt="cn=ADSync"
>
(wodcstage-1:389)".
>
>
Sent
0
>
entries.
>
>
>
>
>
>
>
>
>
Access log:
>
>
>
>
>
>
[27/May/2011:06:18:29
>
>
-0400] conn=1
>
op=114 SRCH
>
base="cn=ADSync,cn=replica,cn=dc\3Dalgonquincollege\2Cdc\3Dcom,cn=mapping
>
>
>
>
>
>
tree,cn=config"
>
>
scope=0
>
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>
attrs="nsds5replicaLastUpdateStart
>
>
>
>
nsds5replicaLastUpdateEnd
>
>
>
nsds5replicaChangesSentSinceStartup
>
>
>
nsds5replicaLastUpdateStatus
>
>
>
nsds5replicaUpdateInProgress
>
>
>
nsds5replicaLastInitStart
>
>
>
nsds5replicaLastInitEnd
>
>
>
nsds5replicaLastInitStatus
>
nsds5BeginReplicaRefresh"
>
>
>
[27/May/2011:06:18:29
>
>
-0400] conn=1
>
op=114 RESULT
>
err=0
tag=101
>
nentries=1
>
etime=
>
>
>
>
>
>
Thanks for
>
your
help.
>
>
>
>
>
>
Albert
>
>
>
>
>
>
>
>
>
>
>
>
On
>
>
>
Thu,
May 26,
>
2011
at 11:13
>
AM,
Rich
>
Megginson <rmeggins@xxxxxxxxxx>
>
wrote:
>
>
>
>
>
On
>
05/26/2011
>
08:58
AM,
>
Albert Teh
>
wrote:
>
Hi,
>
>
>
>
>
>
We
are setting
>
up a
new
>
CENTOS-DS
>
version 8.1.0.
>
and
CENTOS 5.5
>
and
attempt to
>
synchronize
>
with
the
>
existing 2003
>
Windows AD
>
server.
>
>
>
Performing?
>
the
full sync
>
completed.
>
There
is no
>
user
created
>
in
the DS
>
subtree.
>
>
>
>
>
>
We
would like
>
to
perform one
>
way
Sync:? AD
>
----> DS.
>
Once
it works,
>
we
will set up
>
the
password
>
Sync
from the
>
AD to
DS.
>
>
>
>
>
One
way sync
>
isn't
>
supported with
>
8.1.0.? I
>
suggest using
>
389-ds-base
>
1.2.8.3 from
>
EPEL5
which
>
does
support
>
one
way sync.?
>
http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync
>
>
>
>
>
>
>
AD:??
>
cn=Users,cn=location,dc=ad,dc=domain,dc=com
>
>
>
DS:??
>
ou=Peoples,dc=domain,dc=com
>
>
>
>
>
>
errors log:
>
>
>
>
>
>
>
>
>
[26/May/2011:10:20:34
>
>
>
-0400]
>
NSMMReplicationPlugin
>
-
Beginning
>
total
update
>
of
replica
>
"agmt="cn=ADsync"
>
(wodcstage-1:389)".
>
>
>
[26/May/2011:10:20:34
>
>
>
-0400]
>
NSMMReplicationPlugin
>
-
Finished
>
total
update
>
of
replica
>
"agmt="cn=ADsync"
>
(wodcstage-1:389)".
>
>
>
Sent
0
>
entries.
>
>
>
>
>
>
access log:
>
>
>
>
>
>
26/May/2011:10:20:37
>
>
>
-0400] conn=11
>
op=819 SRCH
>
base="cn=ADsync,
>
cn=replica,
>
cn=\22dc=algonquincollege,
>
dc=com\22,
>
cn=mapping
>
tree,
>
cn=config"
>
scope=0
>
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>
attrs="nsds5replicaLastUpdateStart
>
>
>
>
>
nsds5replicaLastUpdateEnd
>
>
>
>
nsds5replicaChangesSentSinceStartup
>
>
>
>
nsds5replicaLastUpdateStatus
>
>
>
>
nsds5replicaUpdateInProgress
>
>
>
>
nsds5replicaLastInitStart
>
>
>
>
nsds5replicaLastInitEnd
>
nsds5replicaLastInitStatus
>
nsds5BeginReplicaRefresh"
>
>
>
[26/May/2011:10:20:37
>
>
>
-0400] conn=11
>
op=819 RESULT
>
err=0
tag=101
>
nentries=1
>
etime=0
>
>
>
>
>
>
>
>
>
Thanks.
>
>
>
Albert
>
>
>
>
>
>
>
>
>
>
>
> --
>
> 389 users mailing list
>
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
>
>
>
Albert Teh
>
>
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
>
>
>
Albert
Teh
>
>
>
Email:
Teh.Albert@xxxxxxxxx
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
>
>
>
Albert Teh
>
>
>
Email:
Teh.Albert@xxxxxxxxx
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
>
>
>
Albert Teh
>
>
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
HI Rich,
>
>
>
>
>
>
These two commands worked and got the
result. I
>
have been gone through? the Windows Sync
agreement
>
setup for many times. I could not figure
out what
>
went wrong.
>
>
>
Thanks a lot for your help again.
>
>
>
>
>
>
>
>
Are you sure that the user
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
has Replication/Replicator rights in AD/Windows?
>
>
>
>
>
>
>
>
>
>
Albert
>
>
>
?
>
>
>
>
>
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com
>
-w - -D "cn=mailadm,cn=Users,dc=[root@algldap
~]#
>
/usr/lib/mozldap/ldapsearch -x -h wodcstage-1.ottawa.ad.algonquincollege.com
>
-w - -D
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
-s base -b ""
>
"objectclass=*"??????????????????????????????????????????
>
Enter bind password:
>
>
>
version: 1
>
>
>
dn:
>
>
>
currentTime: 20110601001342.0Z
>
>
>
subschemaSubentry:
>
CN=Aggregate,CN=Schema,CN=Configuration,DC=ad,DC=algonquinc
>
>
>
?ollege,DC=com
>
>
>
dsServiceName: CN=NTDS
>
Settings,CN=WODCSTAGE-1,CN=Servers,CN=Default-First-Sit
>
>
>
?e-Name,CN=Sites,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>
>
>
namingContexts:
>
CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>
>
>
namingContexts:
>
CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>
>
>
namingContexts:
>
DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>
>
>
defaultNamingContext:
>
DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>
>
>
schemaNamingContext:
>
CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege,DC=c
>
>
>
?om
>
>
>
configurationNamingContext:
>
CN=Configuration,DC=ad,DC=algonquincollege,DC=com
>
>
>
rootDomainNamingContext:
>
DC=ad,DC=algonquincollege,DC=com
>
>
>
supportedControl: 1.2.840.113556.1.4.319
>
>
>
supportedControl: 1.2.840.113556.1.4.801
>
>
>
supportedControl: 1.2.840.113556.1.4.473
>
>
>
supportedControl: 1.2.840.113556.1.4.528
>
>
>
supportedControl: 1.2.840.113556.1.4.417
>
>
>
supportedControl: 1.2.840.113556.1.4.619
>
>
>
supportedControl: 1.2.840.113556.1.4.841
>
>
>
supportedControl: 1.2.840.113556.1.4.529
>
>
>
supportedControl: 1.2.840.113556.1.4.805
>
>
>
supportedControl: 1.2.840.113556.1.4.521
>
>
>
supportedControl: 1.2.840.113556.1.4.970
>
>
>
supportedControl: 1.2.840.113556.1.4.1338
>
>
>
supportedControl: 1.2.840.113556.1.4.474
>
>
>
supportedControl: 1.2.840.113556.1.4.1339
>
>
>
supportedControl: 1.2.840.113556.1.4.1340
>
>
>
supportedControl: 1.2.840.113556.1.4.1413
>
>
>
supportedControl: 2.16.840.1.113730.3.4.9
>
>
>
supportedControl: 2.16.840.1.113730.3.4.10
>
>
>
supportedControl: 1.2.840.113556.1.4.1504
>
>
>
supportedControl: 1.2.840.113556.1.4.1852
>
>
>
supportedControl: 1.2.840.113556.1.4.802
>
>
>
supportedControl: 1.2.840.113556.1.4.1907
>
>
>
supportedControl: 1.2.840.113556.1.4.1948
>
>
>
supportedLDAPVersion: 3
>
>
>
supportedLDAPVersion: 2
>
>
>
supportedLDAPPolicies: MaxPoolThreads
>
>
>
supportedLDAPPolicies: MaxDatagramRecv
>
>
>
supportedLDAPPolicies: MaxReceiveBuffer
>
>
>
supportedLDAPPolicies: InitRecvTimeout
>
>
>
supportedLDAPPolicies: MaxConnections
>
>
>
supportedLDAPPolicies: MaxConnIdleTime
>
>
>
supportedLDAPPolicies: MaxPageSize
>
>
>
supportedLDAPPolicies: MaxQueryDuration
>
>
>
supportedLDAPPolicies: MaxTempTableSize
>
>
>
supportedLDAPPolicies: MaxResultSetSize
>
>
>
supportedLDAPPolicies: MaxNotificationPerConn
>
>
>
supportedLDAPPolicies: MaxValRange
>
>
>
highestCommittedUSN: 3103418
>
>
>
supportedSASLMechanisms: GSSAPI
>
>
>
supportedSASLMechanisms: GSS-SPNEGO
>
>
>
supportedSASLMechanisms: EXTERNAL
>
>
>
supportedSASLMechanisms: DIGEST-MD5
>
>
>
dnsHostName: WODCStage-1.ottawa.ad.algonquincollege.com
>
>
>
ldapServiceName:
ad.algonquincollege.com:wodcstage-1$@OTTAWA.AD.ALGONQUINCOLLE
>
>
>
?GE.COM
>
>
>
serverName:
>
CN=WODCSTAGE-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
>
>
>
?onfiguration,DC=ad,DC=algonquincollege,DC=com
>
>
>
supportedCapabilities: 1.2.840.113556.1.4.800
>
>
>
supportedCapabilities:
1.2.840.113556.1.4.1670
>
>
>
supportedCapabilities:
1.2.840.113556.1.4.1791
>
>
>
isSynchronized: TRUE
>
>
>
isGlobalCatalogReady: TRUE
>
>
>
domainFunctionality: 2
>
>
>
forestFunctionality: 2
>
>
>
domainControllerFunctionality: 2
>
>
>
[root@algldap ~]#
>
>
>
>
>
>
Partial out:
>
>
>
>
>
>
[root@algldap ~]# /usr/lib/mozldap/ldapsearch
-x -h wodcstage-1.ottawa.ad.algonquincollege.com
>
-w - -D
>
"cn=mailadm,cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
-s sub -b
>
"cn=Users,dc=ottawa,dc=ad,dc=algonquincollege,dc=com"
>
"objectclass=person" | more
>
>
>
Enter bind password:
>
>
>
version: 1
>
>
>
dn:
>
CN=isp-transfer,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>
>
>
objectClass: top
>
>
>
objectClass: person
>
>
>
objectClass: organizationalPerson
>
>
>
objectClass: user
>
>
>
cn: isp-transfer
>
>
>
description: Transfer for Genesis Data to
>
International Student Program share
>
>
>
givenName: isp-transfer
>
>
>
distinguishedName:
>
CN=isp-transfer,CN=Users,DC=ottawa,DC=ad,DC=algonquincolleg
>
>
>
?e,DC=com
>
>
>
instanceType: 4
>
>
>
whenCreated: 20040517155823.0Z
>
>
>
whenChanged: 20081016173006.0Z
>
>
>
displayName: isp-transfer
>
>
>
uSNCreated: 255422
>
>
>
memberOf:
>
CN=NAS_Transfer_Genesis_ISP,OU=Groups,DC=ottawa,DC=ad,DC=algonquinco
>
>
>
?llege,DC=com
>
>
>
uSNChanged: 255422
>
>
>
name: isp-transfer
>
>
>
objectGUID:: EaeRW3KiMUac6hzEs//X/g==
>
>
>
userAccountControl: 66048
>
>
>
badPwdCount: 0
>
>
>
codePage: 0
>
>
>
countryCode: 0
>
>
>
badPasswordTime: 0
>
>
>
lastLogoff: 0
>
>
>
lastLogon: 0
>
>
>
pwdLastSet: 127292831041031250
>
>
>
primaryGroupID: 513
>
>
>
objectSid::
AQUAAAAAAAUVAAAArhyVdhR1dBOOfkA4DN8BAA==
>
>
>
accountExpires: 9223372036854775807
>
>
>
logonCount: 0
>
>
>
sAMAccountName: isp-transfer
>
>
>
sAMAccountType: 805306368
>
>
>
userPrincipalName: isp-transfer@xxxxxxxxxxxxxxxxxxxx
>
>
>
lockoutTime: 0
>
>
>
objectCategory:
>
CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=algonquincollege
>
>
>
?,DC=com
>
>
>
dSCorePropagationData: 20110131155635.0Z
>
>
>
dSCorePropagationData: 20091227191115.0Z
>
>
>
dSCorePropagationData: 20090127144505.0Z
>
>
>
dSCorePropagationData: 20081201175842.0Z
>
>
>
dSCorePropagationData: 16010714223649.0Z
>
>
>
lastLogonTimestamp: 128686221598537375
>
>
>
>
>
>
dn:
>
CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>
>
>
objectClass: top
>
>
>
objectClass: person
>
>
>
objectClass: organizationalPerson
>
>
>
objectClass: user
>
>
>
cn: heatweb
>
>
>
sn: heatweb
>
>
>
description: Used to communicate between HEAT
and IIS
>
>
>
distinguishedName:
>
CN=heatweb,CN=Users,DC=ottawa,DC=ad,DC=algonquincollege,DC=
>
>
>
?com
>
>
>
instanceType: 4
>
>
>
whenCreated: 20050218192725.0Z
>
>
>
whenChanged: 20081016172611.0Z
>
>
>
displayName: heatweb
>
>
>
uSNCreated: 89976
>
>
>
memberOf: CN=Heat
>
Users,OU=Groups,DC=ottawa,DC=ad,DC=algonquincollege,DC=com
>
>
>
uSNChanged: 89976
>
>
>
name: heatweb
>
>
>
objectGUID:: 07KJaAgkGUapXbQN7VprrQ==
>
>
>
userAccountControl: 66048
>
>
>
badPwdCount: 0
>
>
>
codePage: 0
>
>
>
countryCode: 0
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
>
>
>
Albert Teh
>
>
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
>
>
>
Albert Teh
>
>
>
Email: Teh.Albert@xxxxxxxxx
>
>
>
>
>
>
>
>
> --
>
> 389 users mailing list
>
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
-------------- next part --------------
>
A non-text attachment was scrubbed...
>
Name: grzemba.vcf
>
Type: text/x-vcard
>
Size: 233 bytes
>
Desc: Card for Carsten Grzemba <grzemba@xxxxxxxxxxxx>
>
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20110603/0a1d0dec/attachment.vcf
>
>
------------------------------
>
>
--
>
389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
End of 389-users Digest, Vol 73, Issue 7
>
****************************************
>
>
>
>
--
>
Albert Teh
>
Email: Teh.Albert@xxxxxxxxx
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> >
> --
> Albert Teh
> Email: Teh.Albert@xxxxxxxxx
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
begin:vcard n:Grzemba;Carsten fn:Carsten Grzemba tel;cell:+49 171 9749479 tel;work:+49 3677 6474-0 org:contac Datentechnik GmbH adr:;;Auf dem Steine 1;Ilmenau;;98693; email;internet:carsten.grzemba@xxxxxxxxxxxx version:2.1 end:vcard
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
