Re: Windows Sync Agreement issue


In fact, if I don't set the nsds5replicaupdateschedule attribute, the sync from 389ds to AD is always trying.
So I have to set this attribute.

For sync from AD to 389ds, the default is 5 minutes according to the 389ds/RHDS documents, but nothing happens on my instance and there is no log. I have to click "Initiate full Re-synchronization" on the console to sync from AD to 389ds.

Sincerely,
--
DaV

On Mon, Aug 26, 2019, at 06:58, William Brown wrote:


> > On 23 Aug 2019, at 19:38, DaV <snowfrs@xxxxxxxxx> wrote:
> > 
> > Hi all,
> > For OneWaySync, AD to 389ds.
> > 
> > I have read this guide 
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/using_windows_sync-modifying_the_sync_agreement
> > 
> >> Synchronization works two ways. The Directory Server sends its updates to Active Directory on a configurable schedule, similar to replication, using the nsds5replicaupdateschedule attribute. The Directory Server polls the Active Directory to check for changes; the frequency that it checks the Active Directory server is set in the winSyncInterval attribute.
> >> By default, the Directory Server update schedule is to always be in sync. The Active Directory interval is to poll the Active Directory every five minutes.
> >> To change the schedule the Directory Server uses to send its updates to the Active Directory, edit the nsds5replicaupdateschedule attribute. The schedule is set with start (SSSS) and end (EEEE) times in the form HHMM, using a 24-hour clock. The days to schedule sync updates are use ranging from 0 (Sunday) to 6 (Saturday).
> > 
> > I want to know how to disable the nsds5replicaupdateschedule attribute. Because I just want sync from AD to 389ds.
> > Thanks in advance!

> If you don't have the replica update schedule set, the replication will 
> occur "when needed" aka when changes occur. Does that help? 

> > 
> > Sincerely,
> > --
> > DaV
> > 
> > On Fri, Aug 23, 2019, at 08:18, DaV wrote:
> > > Hi William,
> > > Thanks for your reply.
> > > 
> > > Sorry for incorrect message yesterday.
> > > My windows sync agreement exactly is:
> > > 
> > > agreement1:
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: ou=ou1,OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > 
> > > agreement2:
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: ou=ou2,OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > 
> > > 
> > > The Windows AD has two OUs, and I want the two OUs to be synced to the 
> > > same OU (ou=users,dc=example,dc=com) on the 389ds server.  
> > > Maybe you would say I can create the same two OUs in 389ds first and then 
> > > create the sync agreement. But I don't want this because I want all 
> > > accounts under the same OU in 389ds (no sub-OU).
> > > 
> > > 
> > > I have another question about this issue. 
> > > After the two sync agreements were created, I created a new user on the AD side; 
> > > after 5 minutes (the default), nothing happens, and the account hasn't been 
> > > synced to 389ds correctly. I must click "Initiate full 
> > > Re-synchronization" to sync the account info, and then change the account 
> > > password on the AD side manually so that the passsync can sync the 
> > > password.
> > > 
> > > >My concern is moving an account from ou1 to ou2 and how 
> > > > that would work (or break).
> > > Because the destination is the same OU in 389ds, when I move an account from ou1 
> > > to ou2 on the AD side, nothing happens.
> > > 
> > > 
> > > Another issue is :
> > > OnewaySync
> > > I want all data to flow from AD to 389ds.
> > > I have configured OnewaySync following this link:
> > > https://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html
> > > For every sync agreement, I added one line:
> > > oneWaySync: fromWindows
> > > 
> > > 
> > > The error messages in /var/log/dirsrv/slapd-INSTANCE/errors look like this:
> > > [23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin - 
> > > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): 
> > > Replica has no update vector. It has never been initialized.
> > > [23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin - 
> > > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): 
> > > Replica has no update vector. It has never been initialized.
> > > 
> > > I don't want the sync agreement to be bi-directional. So how do I resolve 
> > > this error message?
> > > Thanks in advance!
> > > 
> > > 
> > > Sincerely,
> > > --
> > > DaV
> > > 
> > > On Fri, Aug 23, 2019, at 07:38, William Brown wrote:
> > > > 
> > > > 
> > > > > On 21 Aug 2019, at 22:10, DaV <snowfrs@xxxxxxxxx> wrote:
> > > > > 
> > > > > Hi guys,
> > > > > Just update for this issue.
> > > > > 
> > > > > > Finally, I created multiple Windows sync agreements, one for each OU, to sync the user accounts,
> > > > > > like this:
> > > > > 
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=ou1,ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > > > 
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=ou2,ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > > > So the user account sync is done.
> > > > > 
> > > > > > For password sync, I can't sync users' passwords with an "Initiate full Re-synchronization". I must reset all users one by one on the AD server to sync the passwords. This is not convenient.
> > > > > 
> > > > > Do you have any advice? 
> > > > > 
> > > > 
> > > > I think Mark is the person who knows the most about this. I agree your 
> > > > solution isn't really optimal here so I totally get you wanting to 
> > > > improve this. My concern is moving an account from ou1 to ou2 and how 
> > > > that would work (or break).
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > 
> > > > > This is the log info:
> > > > >> [21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=chuxun" (tc-dc-2:389)".
> > > > >> [21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_process_total_add - agmt="cn=chuxun" (tc-dc-2:389) - Cannot replay add operation.
> > > > >> [21/Aug/2019:08:56:58.575112136 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=chuxun" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> > > > >> [21/Aug/2019:08:56:58.577280706 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > >> [21/Aug/2019:08:56:58.579569199 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > >> [21/Aug/2019:08:56:59.581808252 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=wangxun" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > > 
> > > > > Sincerely,
> > > > > --
> > > > > DaV
> > > > >  
> > > > > 
> > > > > 
> > > > > 
> > > > > On Tue, Aug 20, 2019, at 09:28, DaV wrote:
> > > > >> Hi all,
> > > > > >> I'm using a new 389 directory server on CentOS 7.6 with 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync users and passwords from Windows 2016 to 389ds one way.
> > > > > >> The Synchronization Agreement looks like this:
> > > > >> DS Host: 389ds:389
> > > > >> Windows Host: dc01.example.com:389
> > > > >> DS Subtree: ou=Users,dc=example,dc=com
> > > > >> Windows Subtree: OU=Accounts, DC=example,DC=com
> > > > >> Replicated subtree: dc=example,dc=com
> > > > >> 
> > > > >> Here is my question:
> > > > >> The sync agreement can only sync top-level OU=Accounts, DC=example, DC=com from Win2016 to 389ds server.
> > > > >> In fact, I have 
> > > > >> ou=ou1,ou=accounts,dc=example,dc=com
> > > > >> ou=ou2,ou=accounts,dc=example,dc=com
> > > > >> on Win2016 server.
> > > > > >> I want the sync agreement to sync not only the top-level OU but also the child OUs.
> > > > >> 
> > > > >> This is the error log for your reference. Thanks!
> > > > >>> [20/Aug/2019:07:58:40.307031692 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> > > > >>> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> > > > >>> [20/Aug/2019:08:34:21.730939271 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > >>> [20/Aug/2019:08:34:21.733526550 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > >>> [20/Aug/2019:08:34:24.735819391 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > >>> [20/Aug/2019:08:34:27.738228528 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has never been initialized.
> > > > >>> [20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> > > > >>> [20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
> > > > >>> [20/Aug/2019:08:34:33.186359842 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> > > > >>> [20/Aug/2019:08:47:30.032935119 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=389ds" (tc-dc-2:389)".
> > > > >>> [20/Aug/2019:08:47:31.035850854 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 entries.
> > > > >>> [20/Aug/2019:08:47:31.051614890 +0800] - ERR - NSMMReplicationPlugin - windows sync - bind_and_check_pwp - agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth resumed
> > > > >>> [20/Aug/2019:08:50:59.533268105 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Incremental protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> > > > >>> [20/Aug/2019:09:01:00.155477769 +0800] - WARN - NSMMReplicationPlugin - prot_stop - Total protocol for replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly.
> > > > >> 
> > > > >> 
> > > > >> Sincerely,
> > > > >> --
> > > > >> DaV
> > > > >>  
> > > > >> 
> > > > >> 
> > > > > 
> > > > > _______________________________________________
> > > > > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > > > 
> > > > —
> > > > Sincerely,
> > > > 
> > > > William Brown
> > > > 
> > > > Senior Software Engineer, 389 Directory Server
> > > > SUSE Labs

> —
> Sincerely,

> William Brown

> Senior Software Engineer, 389 Directory Server
> SUSE Labs

>
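
As an added example (not part of the original thread, and not code from the 389 Directory Server project): a small Python triage script for the errors-log format quoted above, which groups windows sync events by agreement and lists agreements whose last tracked event is not "Finished total update". The sample log is constructed (agreement names `cn=alpha`/`cn=beta` and host `ad-host` are made up), and treating "last event is not a finished total update" as a flag for review is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the errors-log format quoted in the thread;
# agreement names and host are made up for illustration.
SAMPLE_LOG = """\
[20/Aug/2019:08:34:21.730939271 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=alpha" (ad-host:389): Replica has no update vector. It has never been initialized.
[20/Aug/2019:08:34:30.873896680 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=alpha" (ad-host:389)".
[20/Aug/2019:08:34:33.170822223 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Finished total update of replica "agmt="cn=alpha" (ad-host:389)". Sent 5 entries.
[21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning total update of replica "agmt="cn=beta" (ad-host:389)".
[21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin - windows sync - windows_process_total_add - agmt="cn=beta" (ad-host:389) - Cannot replay add operation.
[21/Aug/2019:08:56:58.577280706 +0800] - WARN - NSMMReplicationPlugin - windows sync - windows_inc_run - agmt="cn=beta" (ad-host:389): Replica has no update vector. It has never been initialized.
"""

# Timestamp, level, then the first agmt="cn=..." token anywhere on the line.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - .*?agmt="(?P<agmt>cn=[^"]+)"')
EVENTS = {  # message fragment (as seen in the thread's logs) -> event label
    "Beginning total update": "total_started",
    "Finished total update": "total_finished",
    "Cannot replay add operation": "add_failed",
    "Replica has no update vector": "no_update_vector",
}

def summarize(log_text):
    """Return {agreement: {"counts": {event: n}, "last": last_event}}."""
    counts, last = defaultdict(Counter), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-agreement line
        for needle, event in EVENTS.items():
            if needle in line:
                counts[m["agmt"]][event] += 1
                last[m["agmt"]] = event
    return {a: {"counts": dict(c), "last": last[a]} for a, c in counts.items()}

def needs_attention(log_text):
    """Agreements whose most recent tracked event is not a finished total update."""
    return sorted(a for a, s in summarize(log_text).items() if s["last"] != "total_finished")

if __name__ == "__main__":
    for agmt, info in summarize(SAMPLE_LOG).items():
        print(agmt, info)
    print("review:", needs_attention(SAMPLE_LOG))
```
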