Re: Winsync Problem with NT4

> Hartmut Wöhrle wrote:
>> Hmm, I also did an ldapsearch and got the "Invalid Credential" (log at the end).
>> So this means it uses the wrong password, because I tried a different one than the actual one. But when starting the ldapsearch, does it log in to the ApacheDS without using PDC data? Or is there a connection? And what should come out.... the whole PDC tree, I think, but I'm not sure.
>
> I'm a bit confused now. Which password, or which actual? You can ldapsearch using the uid=admin,ou=system account and correct password.
>
> NTDS side (PDC machine). NTDS uses ApacheDS. ApacheDS stores
> its password in its database. However, originally it always initialized that
> password to a known value. We were concerned about the security
> implications of that and made a change to the ApacheDS code such that
> the password is read from the config file rather than using the default value
> (which would be the same for all installations). In order to force users
> to set the password, I believe we refuse to function until it is set in the
> config file. At least that's how I remember it. I'd need to look at the
> code to be sure.

But it uses which user?
uid=admin,ou=system as the default ApacheDS root entry? And what happens when this user doesn't exist? And the password is set to a value I cannot remember? I think the only chance to solve this problem is to reinstall (deinstall deletes the DS - right?) the whole winsync and have - now - the user admin and use its password.

> Anyway, the ldapmodify operation will be to the userpassword attribute
> on the ApacheDS root entry. I'll look that up and post the command...
>
> Your problem may be that you haven't set the password in the first place.
> It should be possible to use ldapsearch to check that your ntds is up
> and running and answering LDAP searches correctly. Once that's proven,
> FDS should be able to sync with it ok using the same bind credentials
> and password.

ldapsearch works, but (as you can see below) my bind password is wrong (or I can't remember.... :) )

> I would suggest opening up your c:\program files\fedora directory synchronization\conf\usersync.conf in your favorite editor, and see what password is in it. Try binding as that user. While looking inside that file, look for the 'server.db.partition.suffix.usersync' field.
>
> Then, with this password and base, try another search.
>
> ldapsearch -v -h 192.168.1.218 -D "uid=admin,ou=system" -w pw -b "dc=home,dc=org" "(objectclass=*)"
>
> I'm just guessing the base, but I assume it's something very similar.
>
> You should see something similar to this:
> # Guest, users, example.com
> dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
> memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
> lastLogon: 0
> objectGUID: 0105000000000005150000003D725165EB1AB15BC9504D49F5010000
> countryCode: 0
>
> Once you can access your PDC from LDAP, there's a lot better chance that your Fedora Directory Server will be able to as well, for replication.

Btw... It would be nice to find a schema (written or drawn) which tells me (or everyone) how winsync and passwordsync work. The pictures in the manuals tell me which way the servers exchange information, but within the PDC (or AD) I don't know anything - it is a black box.
And .... I didn't find the sources to check by myself - is it closed source?

> It's not closed source.
> http://directory.fedora.redhat.com/wiki/Building#Pulling_the_Directory_Server_Source

See U
Hartmut


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
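The checks recommended in the thread, as an added example that is not part of the thread or of the winsync/ApacheDS code: it parses a constructed usersync.conf fragment (only the server.db.partition.suffix.usersync key name comes from the thread; the password key name directory.admin.password is a placeholder assumption), flags a bind password that was never set, builds a correctly quoted ldapsearch command for the suffix, and parses the sample entry shown above. The 28-byte hex value listed under objectGUID in that sample has the binary layout of a Windows SID rather than a 16-byte GUID, so the example decodes it as one; that is an assumption, but the result supports it, since the value ends in the well-known RID 501 for Guest, which is the entry's own name.

```python
"""Added example (not from the thread): sanity-check winsync bind settings
and decode the sample PDC entry that ldapsearch returns."""
import shlex
import struct

# Constructed usersync.conf fragment. The suffix key name comes from the
# thread; the password key name is a placeholder assumption.
SAMPLE_CONF = """\
# constructed sample, not a real usersync.conf
server.db.partition.suffix.usersync=dc=home,dc=org
directory.admin.password=
"""

# The sample entry quoted in the thread, verbatim.
SAMPLE_LDIF = """\
# Guest, users, example.com
dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
lastLogon: 0
objectGUID: 0105000000000005150000003D725165EB1AB15BC9504D49F5010000
countryCode: 0
"""


def parse_properties(text):
    """Read Java-properties-style key=value lines, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_bind_config(props, password_key="directory.admin.password"):
    """Return a list of problems; an empty list means the config looks usable."""
    problems = []
    if not props.get("server.db.partition.suffix.usersync"):
        problems.append("no server.db.partition.suffix.usersync in config")
    # ApacheDS, per the thread, refuses to function until a password is set.
    if not props.get(password_key):
        problems.append("bind password not set (ApacheDS refuses to function until it is)")
    return problems


def ldapsearch_command(host, password, base, bind_dn="uid=admin,ou=system"):
    """Build the verification search as one shell-safe string (shlex quotes
    the filter, whose parentheses and '*' would otherwise be shell syntax)."""
    argv = ["ldapsearch", "-v", "-h", host, "-D", bind_dn, "-w", password,
            "-b", base, "(objectclass=*)"]
    return shlex.join(argv)


def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def decode_sid(hex_value):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    raw = bytes.fromhex(hex_value)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    conf = parse_properties(SAMPLE_CONF)
    for problem in check_bind_config(conf):
        print("config problem:", problem)
    print(ldapsearch_command("192.168.1.218", "pw",
                             conf["server.db.partition.suffix.usersync"]))
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(entry["dn"][0], "->", decode_sid(entry["objectGUID"][0]))
```

When running the real search, prefer `-W` (prompt for the password) over `-w` as in the thread's command, so the bind password does not end up in the process list or shell history; an exit code of 49 from ldapsearch is the "Invalid credentials" result mentioned above, while a connection error means the PDC-side NTDS is not answering at all.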
