On 07/19/2011 08:55 PM, Josh Miller wrote:
> On 7/12/2011 7:33 AM, Rich Megginson wrote:
>
> Hi Rich, thanks for the response.
>
>> On 07/11/2011 09:31 PM, Josh Miller wrote:
>>> Using:
>>> - 389 DS 8.1
>> 8.1???? Platform? rpm -qi 389-ds-base
>
> Name        : centos-ds-base                Relocations: (not relocatable)
> Version     : 8.1.0                         Vendor: CentOS
> Release     : 0.14.el5.centos.2             Build Date: Thu 14 May 2009 06:38:31 AM PDT
> Install Date: Thu 03 Feb 2011 12:15:02 PM PST    Build Host: builder10.centos.org
> Group       : System Environment/Daemons    Source RPM: centos-ds-base-8.1.0-0.14.el5.centos.2.src.rpm
> Size        : 5117970                       License: GPLv2 with exceptions
> Signature   : DSA/SHA1, Tue 26 May 2009 03:33:09 PM PDT, Key ID a8a447dce8562897
> URL         : http://www.centos.org/
> Summary     : CentOS Directory Server (base)
> Description :
> CentOS Directory Server is an LDAPv3 compliant server. The base package includes
> the LDAP server and command line utilities for server administration.

32-bit or 64-bit?

>
>>> - AD 2003/2008
>>>
>>>
>>> I am trying to sync from AD (one way) to 389 DS and getting the
>>> following error:
>>>
>>> R00002105: LdapErr: DSID-0C0907C9, comment: Error processing control,
>>> data 0, vece.
>>>
>>> A tcpdump does not appear to reveal anything in the way of errors
>> Could you post an excerpt from it?
>
> I've attached the portion of the packet capture between the 3-way
> handshake between the domain controller and when the directory server
> begins sending its entries back to the domain controller.

I know tshark has a mode that can produce a hex dump along with a
"printable" view. I need to see the hex dump.

Can you also provide your centos-ds windows sync agreement entry?

>
>>> and I
>>> got the above error from the packet capture.
>>>
>>> Any idea how to continue troubleshooting or resolve this issue?
>>>
>>> I can query AD via ldapsearch using the AD credential set that I have
>>> configured in the sync agreement.
>> 389 uses the AD DirSync Control for reading the list of changes. The
>> bind DN you are using to connect to AD must have Replicator rights in
>> order to use this control.
>
> I believe this has been done already, although I have no access to the
> domain to verify this other than through LDAP. I have confirmed this
> with the windows admin twice now to be sure.

There is a python-ldap script you can use for testing. See
https://github.com/richm/scripts/blob/master/dirsyncctrl.py

You will have to edit the script to provide your windows sync DN,
hostname, port, password, and suffix. Then run it like

python dirsyncctrl.py

>
>>> Thanks,
>>
>
> Thanks a lot,

-- 
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
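The thread turns on two things: the DirSync control that 389 sends to AD, and the hex dump Rich asks for. The block below is an added example, not code from the 389 project, from the thread, or from the dirsyncctrl.py script linked above. It encodes and decodes the DirSync request control in pure Python (no python-ldap needed) so the control bytes in a tshark hex dump can be checked by hand: the control OID 1.2.840.113556.1.4.841 and the value layout SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING } are taken from MS-ADTS; the flag constant and the sample bytes are assumptions and constructed input, not captured from a real domain controller. Knowing that the control on the wire is well-formed separates an encoding problem from the permissions problem (missing Replicator rights) that Rich points at.

```python
"""Encode/decode the AD DirSync request control (pure Python, no python-ldap).

Added example; not code from the 389 project or from the thread above.
Control OID and value layout follow MS-ADTS; the flag constant and every
sample byte string here are assumptions / constructed data.
"""

DIRSYNC_OID = b"1.2.840.113556.1.4.841"   # LDAP_SERVER_DIRSYNC_OID
LDAP_DIRSYNC_OBJECT_SECURITY = 0x1         # assumed flag value (MS-ADTS)


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(value):
    """BER INTEGER (tag 0x02), minimal two's-complement encoding."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return b"\x02" + ber_len(size) + value.to_bytes(size, "big", signed=True)


def ber_octets(data, tag=0x04):
    """BER OCTET STRING (tag 0x04), or any primitive with the given tag."""
    return bytes([tag]) + ber_len(len(data)) + data


def ber_seq(body):
    """BER SEQUENCE (tag 0x30) around already-encoded elements."""
    return b"\x30" + ber_len(len(body)) + body


def read_tlv(data, pos):
    """Read one TLV at pos; return (tag, value_bytes, position_after)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:end], end


def encode_dirsync_value(flags, max_bytes, cookie=b""):
    """controlValue of a DirSync request; an empty cookie means a full pass."""
    return ber_seq(ber_int(flags) + ber_int(max_bytes) + ber_octets(cookie))


def decode_dirsync_value(data):
    """Parse a DirSync controlValue into (flags, max_bytes, cookie).

    flags is masked to 32 bits so a signed 4-byte and an unsigned 5-byte
    encoding of the high bit (0x80000000) decode to the same value.
    """
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("DirSync value is not a single SEQUENCE")
    tag, raw_flags, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("flags is not an INTEGER")
    tag, raw_max, pos = read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("maxBytes is not an INTEGER")
    tag, cookie, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("cookie is not a trailing OCTET STRING")
    flags = int.from_bytes(raw_flags, "big", signed=True) & 0xFFFFFFFF
    return flags, int.from_bytes(raw_max, "big", signed=True), cookie


def build_dirsync_control(flags, max_bytes, cookie=b"", critical=True):
    """Full LDAP Control: SEQUENCE { controlType, criticality, controlValue }.

    controlType is the dotted OID as ASCII, so the literal string
    1.2.840.113556.1.4.841 is visible verbatim in a hex dump.
    """
    parts = ber_octets(DIRSYNC_OID)
    if critical:
        parts += b"\x01\x01\xff"          # BOOLEAN TRUE
    parts += ber_octets(encode_dirsync_value(flags, max_bytes, cookie))
    return ber_seq(parts)


def find_dirsync_control(pdu):
    """Locate the DirSync control in raw LDAP bytes taken from a capture.

    Returns (criticality, (flags, max_bytes, cookie)), or None when the
    control OID does not occur in the bytes at all.
    """
    idx = pdu.find(DIRSYNC_OID)
    if idx < 0:
        return None
    pos = idx + len(DIRSYNC_OID)
    critical = False
    tag, value, pos = read_tlv(pdu, pos)
    if tag == 0x01:                       # optional criticality BOOLEAN
        critical = value != b"\x00"
        tag, value, pos = read_tlv(pdu, pos)
    if tag != 0x04:
        raise ValueError("no controlValue after DirSync OID")
    return critical, decode_dirsync_value(value)


if __name__ == "__main__":
    # Constructed sample: a first-round request (empty cookie) wrapped in
    # the [0] controls tag, as it would sit inside an LDAPMessage.
    control = build_dirsync_control(LDAP_DIRSYNC_OBJECT_SECURITY, 2048)
    sample_pdu = b"\xa0" + bytes([len(control)]) + control
    print(control.hex())
    print(find_dirsync_control(sample_pdu))
```

To check a real capture, export the SearchRequest bytes from tshark (or paste the hex dump into bytes.fromhex) and pass them to find_dirsync_control; if it returns None the control never left the client, and if it raises the value is malformed, which is a different failure from AD rejecting a well-formed control for a bind DN without Replicator rights. If you want to send the value from your own script rather than only inspect it, python-ldap's ldap.controls.RequestControl accepts a pre-encoded value (controlType, criticality, encodedControlValue).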