No problem mate, happy to help :)

> On 8 Apr 2022, at 19:35, Tornóci László <torlasz@xxxxxxxxxxxxx> wrote:
>
> Hi William,
>
> On 4/8/22 02:27, William Brown wrote:
>> I think the best step for you to help diagnose this is to turn up replication logging.
>> dsconf localhost config replace nsslapd-errorlog-level=24576
>
> thank you, that helped. The problem was that we were missing a subtree-pair definition.
>
> Yours: Laszlo
>
>> That will give you more information as a starting place.
>>> On 5 Apr 2022, at 19:44, Tornóci László <torlasz@xxxxxxxxxxxxx> wrote:
>>>
>>> Hello,
>>>
>>> we have tried to set up a synchronization from AD to our directory server, but we have a problem. We have RHEL 8.5, 389-ds-base-1.4.3.23-14
>>>
>>> We have followed the docs here:
>>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/windows_sync
>>>
>>> We have created this agreement:
>>>
>>> dsconf dirsrv_inst repl-winsync-agmt create --suffix="dc=example,dc=hu" --host="our.ad.server.hu" --port=636 --conn-protocol="LDAPS" --bind-dn="CN=_sync_user,DC=exmaple,DC=local" --bind-passwd="passwd" --win-subtree="OU=Felhasználók,DC=example,DC=local" --ds-subtree="ou=People1,dc=example,dc=hu" --win-domain=example --one-way-sync=fromWindows --init users-sync
>>>
>>> (some data have been masked). The agreement gets accepted, init status is okay. However, no users get created on the directory server, even after setting the --sync-users option to "on" in the replication agreement as suggested by the docs.
>>>
>>> In AD, there are test users, for example this:
>>>
>>> dn:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn:: VGVzenQgVXNlciAx
>>> sn:: UG9ydMOhbA==
>>> title:: VGVzenRlbMWR
>>> telephoneNumber: +3612345679
>>> givenName: User
>>> distinguishedName:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
>>> instanceType: 4
>>> whenCreated: 20220324073810.0Z
>>> whenChanged: 20220405072514.0Z
>>> displayName:: VGVzenQgVXNlciAx
>>> uSNCreated: 654581
>>> uSNChanged: 731702
>>> department: Development
>>> name:: VGVzenQgVXNlciAx
>>> objectGUID:: ZYcqiTPzVkCifL7rP8qGlg==
>>> userAccountControl: 512
>>> codePage: 0
>>> countryCode: 0
>>> pwdLastSet: 132935477968356837
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAAAAAUVAAAAGOXkLRHqLIUsJtYXDBAAAA==
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: portal.user2
>>> sAMAccountType: 805306368
>>> userPrincipalName: portal.user2@example.local
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
>>> dSCorePropagationData: 20220405072514.0Z
>>> dSCorePropagationData: 20220401092451.0Z
>>> dSCorePropagationData: 20220401092431.0Z
>>> dSCorePropagationData: 20220401092408.0Z
>>> dSCorePropagationData: 16010101000417.0Z
>>> lastLogonTimestamp: 132925820675992048
>>> mail: portaluser2@xxxxxxxxxx
>>> homePhone: +3687654321
>>>
>>> In the error log we get these lines about the replication of this particular test user:
>>>
>>> Received entry from dirsync: CN=Teszt User 1,OU=Felhaszn<C3><A1>l<C3><B3>k,OU=Example>
>>> (test2:637) - Looking for local entry matching AD entry [CN=Teszt User>
>>> (test2:637) - Looking for local entry by guid [65872a8933f35640a27cbeeb3fca8696]
>>> (test2:637) - Problem looking for guid: -1
>>> (test2:637) - Looking for local entry by uid [portal.user2]
>>> (test2:637) - problem looking for username: -1
>>>
>>> What could be the problem?
>>>
>>> Yours: Laszlo
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>> --
>> Sincerely,
>> William Brown
>> Senior Software Engineer,
>> Identity and Access Management
>> SUSE Labs, Australia

--
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
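
Added example (not part of the original thread and not 389-ds project code): for the entry quoted above, the guid in the "Looking for local entry by guid [...]" log line is the hex form of the base64 objectGUID, and the base64 dn can be decoded and compared with the agreement's --win-subtree when correlating winsync debug lines with AD entries. The function names are hypothetical; the sample values are copied from the quoted entry.

```python
import base64
import re

# Sample input: three attributes copied from the AD entry quoted in the thread.
LDIF = """\
dn:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
objectGUID:: ZYcqiTPzVkCifL7rP8qGlg==
sAMAccountName: portal.user2
"""
BINARY_ATTRS = {"objectguid", "objectsid"}  # keep these as raw bytes


def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry: 'attr:: v' is base64, 'attr: v' is plain."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            raw = base64.b64decode(rest[1:].strip())
            value = raw if name.lower() in BINARY_ATTRS else raw.decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry


def guid_as_logged(entry):
    """Hex of the raw objectGUID bytes, the form seen in the quoted log line."""
    return entry["objectguid"][0].hex()


def rdns(dn):
    """Split on unescaped commas and normalise case (simplified DN comparison)."""
    return [p.strip().casefold() for p in re.split(r"(?<!\\),", dn)]


def is_under(dn, subtree):
    """True when dn lies at or below subtree."""
    d, s = rdns(dn), rdns(subtree)
    return len(d) >= len(s) and d[-len(s):] == s


if __name__ == "__main__":
    e = parse_ldif_entry(LDIF)
    print(e["dn"][0])
    print(guid_as_logged(e))
    print(is_under(e["dn"][0], "OU=Felhasználók,DC=example,DC=local"))
```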