Hi William, Thanks for your reply. Sorry for incorrect message yesterday. My windows sync agreement exactly is: agreement1: >> DS Host: 389ds:389 > >> Windows Host: dc01.example.com:389 > >> DS Subtree: ou=Users,dc=example,dc=com > >> Windows Subtree: ou=ou1,OU=Accounts, DC=example,DC=com > >> Replicated subtree: dc=example,dc=com agreement2: >> DS Host: 389ds:389 > >> Windows Host: dc01.example.com:389 > >> DS Subtree: ou=Users,dc=example,dc=com > >> Windows Subtree: ou=ou2,OU=Accounts, DC=example,DC=com > >> Replicated subtree: dc=example,dc=com The windows AD has two OUs, and I want the two OUs are synced to the same ou(ou=users,dc=example,dc=com) in 389ds server. Maybe you would say I can create two same OUs in 389ds first and then create the sync agreement. But I don't want this because I want all accounts under the same ou in 389ds(no sub-ou). I have another question about this issue. After the two sync agreements created, I create a new user on AD side, after 5 minutes(default), nothing happens, the account hasn't been synced to 389ds correctly. I must click the "Initiate full Re-syncronization" to sync the account info, and then change account password on AD side manually so that the passsync can sync the password. >My concern is moving an account from ou1 to ou2 and how > that would work (or break). Because the digestion is same OU in 389ds, so move an account from ou1 to ou2 on AD side, nothing happens . Another issue is : OnewaySync I want all data flow is AD to 389ds. I have configured the OnewaySync followed this link https://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html for every sync agreement, I add one line oneWaySync: fromWindows The error message /var/log/dirsrv/slapd-INSTANCE/errors like this: [23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): Replica has no update vector. It has never been initialized. [23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): Replica has no update vector. It has never been initialized. I don't want the sync agreement to be bi-directional. So how to resolve this error message. Thanks in advance! Sincerely, -- DaV On Fri, Aug 23, 2019, at 07:38, William Brown wrote: > > > > On 21 Aug 2019, at 22:10, DaV <snowfrs@xxxxxxxxx> wrote: > > > > Hi guys, > > Just update for this issue. > > > > Finally, I create multi windows sync agreement for each OU to sync the user account. > > like this: > > > >> DS Host: 389ds:389 > >> Windows Host: dc01.example.com:389 > >> DS Subtree: ou=ou1,ou=Users,dc=example,dc=com > >> Windows Subtree: OU=Accounts, DC=example,DC=com > >> Replicated subtree: dc=example,dc=com > > > >> DS Host: 389ds:389 > >> Windows Host: dc01.example.com:389 > >> DS Subtree: ou=ou2,ou=Users,dc=example,dc=com > >> Windows Subtree: OU=Accounts, DC=example,DC=com > >> Replicated subtree: dc=example,dc=com > > So the user account sync is done. > > > > For password sync, now I can't sync user's password with an " Initiate full Re-syncronization". I must reset all users one-by-one on AD server to sync the password. This is not convenient. > > > > Do you have any advice? > > > > I think Mark is the person who knows the most about this. I agree your > solution isn't really optimal here so I totally get you wanting to > improve this. My concern is moving an account from ou1 to ou2 and how > that would work (or break). > > > > > > > > This is the log info: > >> [21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=chuxun" (tc-dc-2:389)". > >> [21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_process_total_add - agmt="cn=chuxun" (tc-dc-2:389) - Cannot replay add operation. > >> [21/Aug/2019:08:56:58.575112136 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=chuxun" (tc-dc-2:389): Replication bind with SIMPLE auth resumed > >> [21/Aug/2019:08:56:58.577280706 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > >> [21/Aug/2019:08:56:58.579569199 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > >> [21/Aug/2019:08:56:59.581808252 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=wangxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > > > > Sincerely, > > -- > > DaV > > > > > > > > > > On Tue, Aug 20, 2019, at 09:28, DaV wrote: > >> Hi all, > >> I'm using a new 389 directory server on CentOS 7.6 with 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync user and password from Windows 2016 to 389ds one way. > >> The Synchronization Agreement like this: > >> DS Host: 389ds:389 > >> Windows Host: dc01.example.com:389 > >> DS Subtree: ou=Users,dc=example,dc=com > >> Windows Subtree: OU=Accounts, DC=example,DC=com > >> Replicated subtree: dc=example,dc=com > >> > >> Here is my question: > >> The sync agreement can only sync top-level OU=Accounts, DC=example, DC=com from Win2016 to 389ds server. > >> In fact, I have > >> ou=ou1,ou=accounts,dc=example,dc=com > >> ou=ou2,ou=accounts,dc=example,dc=com > >> on Win2016 server. > >> I want the sync agreement can sync not only the top-level but also the child ou. > >> > >> This is the error log for your reference. Thanks! > >>> [20/Aug/2019:07:58:40.307031692 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)". > >>> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests > >>> [20/Aug/2019:08:34:21.730939271 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > >>> [20/Aug/2019:08:34:21.733526550 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > >>> [20/Aug/2019:08:34:24.735819391 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > >>> [20/Aug/2019:08:34:27.738228528 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized. > >>> [20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)". > >>> [20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries. > >>> [20/Aug/2019:08:34:33.186359842 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed > >>> [20/Aug/2019:08:47:30.032935119 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)". > >>> [20/Aug/2019:08:47:31.035850854 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries. > >>> [20/Aug/2019:08:47:31.051614890 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed > >>> [20/Aug/2019:08:50:59.533268105 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Incremental protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly. > >>> [20/Aug/2019:09:01:00.155477769 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Total protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly. > >> > >> > >> Sincerely, > >> -- > >> DaV > >> > >> > >> > > > > _______________________________________________ > > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > > — > Sincerely, > > William Brown > > Senior Software Engineer, 389 Directory Server > SUSE Labs > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
