Re: AD to 389ds sync problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


> On 11 Apr 2022, at 17:41, Tornóci László <torlasz@xxxxxxxxxxxxx> wrote:
> 
> Hi William,
> 
> On 4/11/22 03:37, William Brown wrote:
>> No problem mate, happy to help :)
> 
> Thanks a lot. I happen to have another question. The LDAP structure that we need to sync from AD to DS is "bushy", with multilevel, hierarchical OUs. However, according to the the docs, the AD-DS sync creates and syncs only users or groups and won't create the OUs. I wonder:
> 1. Why has been designed the sync program this way?
> 2. What is the suggested way to solve this problem?

I'm not sure what the historical choices were around not implementing structure preservation. So long as you create the OUs in DS, they'll be populated from AD. There is now a setting though to "flatten" the structure to a single level in DS instead. But the OU creation should be a once-off I'd hope. 

> 
> Should I simply write a program that syncs the OUs? But then the original AD-DS sync could do that as well...

Yeah, it wouldn't be that hard. In the future though AD-DS sync will be getting a major cut back though, it will be from AD to DS only, and much more limited. so keepy that in mind. 



> 
> Yours: Laszlo
> 
>>> On 8 Apr 2022, at 19:35, Tornóci László <torlasz@xxxxxxxxxxxxx> wrote:
>>> 
>>> Hi William,
>>> 
>>> On 4/8/22 02:27, William Brown wrote:
>>>> I think the best step for you to help diagnose this is to turn up replication logging.
>>>>     dsconf localhost config replace nsslapd-errorlog-level=24576
>>> 
>>> thank you, that helped. The problem was that we were missing a subtree-pair definition.
>>> 
>>> Yours: Laszlo
>>> 
>>>> That will give you more information as a starting place.
>>>>> On 5 Apr 2022, at 19:44, Tornóci László <torlasz@xxxxxxxxxxxxx> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> 
>>>>> we have tried to set up a synchronization from AD to our directory server, but we have a problem. We have RHEL 8.5, 389-ds-base-1.4.3.23-14
>>>>> 
>>>>> We have followed the docs here:
>>>>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/windows_sync
>>>>> 
>>>>> 
>>>>> We have created this agreement:
>>>>> 
>>>>> dsconf dirsrv_inst repl-winsync-agmt create --suffix="dc=example,dc=hu" --host="our.ad.server.hu" --port=636 --conn-protocol="LDAPS" --bind-dn="CN=_sync_user,DC=exmaple,DC=local" --bind-passwd="passwd" --win-subtree="OU=Felhasználók,DC=example,DC=local" --ds-subtree="ou=People1,dc=example,dc=hu" --win-domain=example --one-way-sync=fromWindows --init users-sync
>>>>> 
>>>>> (some data have been masked). The agreement gets accepted, init status is okay. However, no users get created on the directory server, even after setting the --sync-users option to "on" in the replication agreement as suggested by the docs.
>>>>> 
>>>>> 
>>>>> In AD, there are test users, for example this:
>>>>> 
>>>>> 
>>>>> dn:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn:: VGVzenQgVXNlciAx
>>>>> sn:: UG9ydMOhbA==
>>>>> title:: VGVzenRlbMWR
>>>>> telephoneNumber: +3612345679
>>>>> givenName: User
>>>>> distinguishedName:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
>>>>> instanceType: 4
>>>>> whenCreated: 20220324073810.0Z
>>>>> whenChanged: 20220405072514.0Z
>>>>> displayName:: VGVzenQgVXNlciAx
>>>>> uSNCreated: 654581
>>>>> uSNChanged: 731702
>>>>> department: Development
>>>>> name:: VGVzenQgVXNlciAx
>>>>> objectGUID:: ZYcqiTPzVkCifL7rP8qGlg==
>>>>> userAccountControl: 512
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> pwdLastSet: 132935477968356837
>>>>> primaryGroupID: 513
>>>>> objectSid:: AQUAAAAAAAUVAAAAGOXkLRHqLIUsJtYXDBAAAA==
>>>>> accountExpires: 9223372036854775807
>>>>> sAMAccountName: portal.user2
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: portal.user2@example.local
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
>>>>> dSCorePropagationData: 20220405072514.0Z
>>>>> dSCorePropagationData: 20220401092451.0Z
>>>>> dSCorePropagationData: 20220401092431.0Z
>>>>> dSCorePropagationData: 20220401092408.0Z
>>>>> dSCorePropagationData: 16010101000417.0Z
>>>>> lastLogonTimestamp: 132925820675992048
>>>>> mail: portaluser2@xxxxxxxxxx
>>>>> homePhone: +3687654321
>>>>> 
>>>>> In the error log we get these lines about the replication of this particular test user:
>>>>> 
>>>>> 
>>>>> Received entry from dirsync: CN=Teszt User 1,OU=Felhaszn<C3><A1>l<C3><B3>k,OU=Example>
>>>>> (test2:637) - Looking for local entry matching AD entry [CN=Teszt User>
>>>>> (test2:637) - Looking for local entry by guid [65872a8933f35640a27cbeeb3fca8696]
>>>>> (test2:637) - Problem looking for guid: -1
>>>>> (test2:637) - Looking for local entry by uid [portal.user2]
>>>>> (test2:637) - problem looking for username: -1
>>>>> 
>>>>> What could be the problem?
>>>>> 
>>>>> Yours: Laszlo
>>>>> _______________________________________________
>>>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>>> --
>>>> Sincerely,
>>>> William Brown
>>>> Senior Software Engineer,
>>>> Identity and Access Management
>>>> SUSE Labs, Australia
>>>> _______________________________________________
>>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>> --
>> Sincerely,
>> William Brown
>> Senior Software Engineer,
>> Identity and Access Management
>> SUSE Labs, Australia
>> _______________________________________________
>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux