Re: [389-users] AD Sync Fails with: R00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece.

Josh Miller <joshua@xxxxxxxxxxxxxxxxx> · Tue, 19 Jul 2011 19:55:28 -0700

On 7/12/2011 7:33 AM, Rich Megginson wrote:

Hi Rich, thanks for the response.

On 07/11/2011 09:31 PM, Josh Miller wrote:
Using:
- 389 DS 8.1
8.1???? Platform? rpm -qi 389-ds-base

Name        : centos-ds-base               Relocations: (not relocatable)
Version     : 8.1.0                             Vendor: CentOS
Release     : 0.14.el5.centos.2             Build Date: Thu 14 May 2009 
06:38:31 AM PDT
Install Date: Thu 03 Feb 2011 12:15:02 PM PST      Build Host: 
builder10.centos.org
Group       : System Environment/Daemons    Source RPM: 
centos-ds-base-8.1.0-0.14.el5.centos.2.src.rpm
Size        : 5117970                          License: GPLv2 with 
exceptions
Signature   : DSA/SHA1, Tue 26 May 2009 03:33:09 PM PDT, Key ID 
a8a447dce8562897
URL         : http://www.centos.org/
Summary     : CentOS Directory Server (base)
Description :
CentOS Directory Server is an LDAPv3 compliant server.  The base package 
includes
the LDAP server and command line utilities for server administration.

- AD 2003/2008

I am trying to sync from AD (one way) to 389 DS and getting the
following error:

R00002105: LdapErr: DSID-0C0907C9, comment: Error processing control,
data 0, vece.

A tcpdump does not appear to reveal anything in the way of errors
Could you post an excerpt from it?

I've attached the portion of the package capture between the 3-way 
hand-shake between the domain controller and when the directory server 
begins sending it's entries back to the domain controller.

and I
got the above error from the packet capture.

Any idea how to continue troubleshooting or resolve this issue?

I can query AD via ldapsearch using the AD credential set that I have
configured in the sync agreement.
389 uses the AD DirSync Control for reading the list of changes. The
bind DN you are using to connect to AD must have Replicator rights in
order to use this control.

I believe this has been done already, although I have no access to the 
domain to verify this other than through LDAP.  I have confirmed this 
with the windows admin twice now to be sure.

Thanks,

Thanks a lot,
--
Josh Miller
Open Source Solutions Architect
http://itsecureadmin.com/
19:08:02.525052 IP 192.168.0.1.51339 > 192.168.0.2.ldap: P 1:81(80) ack 1 win 46 <nop,nop,timestamp 1113041590 0>
E....q@.@...
...CZ.......|8.5n......
......
BW......0N...`I....:cn=fake-user,cn=users,dc=example,dc=com..password
19:08:02.568370 IP 192.168.0.2.ldap > 192.168.0.1.51339: P 1:23(22) ack 81 win 16720 <nop,nop,timestamp 4569217 1113041547>
E..JS3@xxxxxxx..
.......5n...|95..AP.......
.E..BW..0........a.....
......
19:08:02.568380 IP 192.168.0.1.51339 > 192.168.0.2.ldap: . ack 23 win 46 <nop,nop,timestamp 1113041633 4569217>
E..4.r@.@...
...CZ.......|955n.............
BW...E..
19:08:02.570021 IP 192.168.0.1.51339 > 192.168.0.2.ldap: P 81:197(116) ack 23 win 46 <nop,nop,timestamp 1113041634 4569217>
E....s@.@...
...CZ.......|955n......
......
BW...E..0r...c>..dc=example,dc=com
..
.............objectclass0..-0+..1.2.840.113556.1.4.841.....0.............
19:08:02.616088 IP 192.168.0.2.ldap > 192.168.0.1.51339: P 23:127(104) ack 197 win 16604 <nop,nop,timestamp 4569217 1113041634>
E...S4@xxxxxxx..
.......5n...|9...@..z.....
.E..BW..0....b...e....Y
.2...R00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users