Friday, April 8, 2022

[389-users] Re: AD to 389ds sync problem

Hi William,

On 4/8/22 02:27, William Brown wrote:
> I think the best step for you to help diagnose this is to turn up replication logging.
>
> dsconf localhost config replace nsslapd-errorlog-level=24576

thank you, that helped. The problem was that we were missing a
subtree-pair definition.

Yours: Laszlo

>
> That will give you more information as a starting place.
>
>> On 5 Apr 2022, at 19:44, Tornóci László <torlasz@xenia.sote.hu> wrote:
>>
>> Hello,
>>
>>
>> we have tried to set up a synchronization from AD to our directory server, but we have a problem. We have RHEL 8.5, 389-ds-base-1.4.3.23-14
>>
>> We have followed the docs here:
>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/windows_sync
>>
>>
>> We have created this agreement:
>>
>> dsconf dirsrv_inst repl-winsync-agmt create --suffix="dc=example,dc=hu" --host="our.ad.server.hu" --port=636 --conn-protocol="LDAPS" --bind-dn="CN=_sync_user,DC=example,DC=local" --bind-passwd="passwd" --win-subtree="OU=Felhasználók,DC=example,DC=local" --ds-subtree="ou=People1,dc=example,dc=hu" --win-domain=example --one-way-sync=fromWindows --init users-sync
>>
>> (some data have been masked). The agreement gets accepted, init status is okay. However, no users get created on the directory server, even after setting the --sync-users option to "on" in the replication agreement as suggested by the docs.
>>
>>
>> In AD, there are test users, for example this:
>>
>>
>> dn:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn:: VGVzenQgVXNlciAx
>> sn:: UG9ydMOhbA==
>> title:: VGVzenRlbMWR
>> telephoneNumber: +3612345679
>> givenName: User
>> distinguishedName:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
>> instanceType: 4
>> whenCreated: 20220324073810.0Z
>> whenChanged: 20220405072514.0Z
>> displayName:: VGVzenQgVXNlciAx
>> uSNCreated: 654581
>> uSNChanged: 731702
>> department: Development
>> name:: VGVzenQgVXNlciAx
>> objectGUID:: ZYcqiTPzVkCifL7rP8qGlg==
>> userAccountControl: 512
>> codePage: 0
>> countryCode: 0
>> pwdLastSet: 132935477968356837
>> primaryGroupID: 513
>> objectSid:: AQUAAAAAAAUVAAAAGOXkLRHqLIUsJtYXDBAAAA==
>> accountExpires: 9223372036854775807
>> sAMAccountName: portal.user2
>> sAMAccountType: 805306368
>> userPrincipalName: portal.user2@example.local
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
>> dSCorePropagationData: 20220405072514.0Z
>> dSCorePropagationData: 20220401092451.0Z
>> dSCorePropagationData: 20220401092431.0Z
>> dSCorePropagationData: 20220401092408.0Z
>> dSCorePropagationData: 16010101000417.0Z
>> lastLogonTimestamp: 132925820675992048
>> mail: portaluser2@example.hu
>> homePhone: +3687654321
>>
>> In the error log we get these lines about the replication of this particular test user:
>>
>>
>> Received entry from dirsync: CN=Teszt User 1,OU=Felhasználók,OU=Example>
>> (test2:637) - Looking for local entry matching AD entry [CN=Teszt User>
>> (test2:637) - Looking for local entry by guid [65872a8933f35640a27cbeeb3fca8696]
>> (test2:637) - Problem looking for guid: -1
>> (test2:637) - Looking for local entry by uid [portal.user2]
>> (test2:637) - problem looking for username: -1
>>
>> What could be the problem?
>>
>> Yours: Laszlo
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer,
> Identity and Access Management
> SUSE Labs, Australia
>
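As an added illustration (this is not code from the thread, from Red Hat's documentation or from 389-ds itself), the following Python decodes the base64-valued attributes of the AD entry posted above and shows how they line up with what the winsync debug log prints: the objectGUID appears in the log as its 16 raw bytes in lower-case hex, while AD tools show the same value in the mixed-endian text form, and the binary objectSid decodes to the S-1-5-21-... string whose last component is the RID. The LDIF entry (trimmed to the attributes used) and the log line are copied from the post; the LDIF parser, the helper names and the ACCOUNTDISABLE bit check are assumptions of this example.

```python
import re
import struct
import uuid
import base64

# Attributes of the AD test user from the post, as LDIF (":: " marks a base64 value).
# Trimmed to what this example needs; the values are as posted.
SAMPLE_ENTRY = """\
dn:: Q049VGVzenQgVXNlciAxLE9VPUZlbGhhc3puw6Fsw7NrLERDPWV4YW1wbGUsREM9bG9jYWw=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: VGVzenQgVXNlciAx
objectGUID:: ZYcqiTPzVkCifL7rP8qGlg==
userAccountControl: 512
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAGOXkLRHqLIUsJtYXDBAAAA==
sAMAccountName: portal.user2
userPrincipalName: portal.user2@example.local
"""

# The matching winsync debug line from the post.
SAMPLE_LOG_LINE = "(test2:637) - Looking for local entry by guid [65872a8933f35640a27cbeeb3fca8696]"

ACCOUNTDISABLE = 0x0002  # userAccountControl bit (assumed constant for this example)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [bytes, ...]}.

    'attr:: value' is base64-encoded, 'attr: value' is literal, and a line that
    starts with a space continues the previous line (LDIF folding).
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())
        else:
            raw = value.strip().encode("utf-8")
        entry.setdefault(name, []).append(raw)
    return entry


def guid_log_hex(raw):
    """objectGUID the way the winsync log prints it: the 16 raw bytes as lower-case hex."""
    return raw.hex()


def guid_string(raw):
    """objectGUID in the text form AD tools display (first three fields little-endian)."""
    return str(uuid.UUID(bytes_le=raw))


def sid_string(raw):
    """Decode a binary objectSid: revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def guid_from_log_line(line):
    """Extract the GUID from a 'Looking for local entry by guid [...]' line, or None."""
    m = re.search(r"by guid \[([0-9a-f]{32})\]", line)
    return m.group(1) if m else None


def summarize(text):
    """Decode the identifiers winsync looks up (GUID, then sAMAccountName as uid)."""
    entry = parse_ldif_entry(text)
    guid = entry["objectGUID"][0]
    sid = sid_string(entry["objectSid"][0])
    uac = int(entry["userAccountControl"][0])
    return {
        "dn": entry["dn"][0].decode("utf-8"),
        "guid_hex": guid_log_hex(guid),
        "guid": guid_string(guid),
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]),
        "uid": entry["sAMAccountName"][0].decode("utf-8"),
        "disabled": bool(uac & ACCOUNTDISABLE),
    }


def log_line_matches_entry(line, text):
    """True when the GUID in a winsync log line is the objectGUID of the LDIF entry."""
    return guid_from_log_line(line) == summarize(text)["guid_hex"]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ENTRY).items():
        print("%-9s %s" % (key, value))
    print("log line refers to this entry:", log_line_matches_entry(SAMPLE_LOG_LINE, SAMPLE_ENTRY))
```

Running it on the posted entry prints the DN as CN=Teszt User 1,OU=Felhasználók,DC=example,DC=local, the GUID hex 65872a8933f35640a27cbeeb3fca8696 (the value in the log line), and an RID of 4108, which is useful when you need to confirm that a "Looking for local entry by guid" line really refers to the AD object you are debugging.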
