Hello again. I'm still trying to get Windows Sync working between Directory Server 7.1sp3 and Active Directory on a Windows 2003 server. I thought I would narrow down the problem by trying to add a user in the DS and see if it would replicate to AD. It does not, and the error message is:

[02/Jan/2007:09:58:31 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad" (adserver:636): windows_replay_update: Looking at add operation local dn="uid=PApostle,ou=People,o=txwes.edu" (not ours,not user,not group)

The replication agreement specifies that ou=People,o=txwes.edu in the DS should be synchronized with ou=Domain Users,dc=ad,dc=txwesleyan,dc=edu in AD. Both ous exist as specified.

Can anyone please suggest what I might try to get this working? Thanks. - Glenn.
Glenn wrote:
> Hello again. I'm still trying to get Windows Sync working between Directory
> Server 7.1sp3 and Active Directory on a Windows 2003 server. I thought I
> would narrow down the problem by trying to add a user in the DS and see if it
> would replicate to AD. It does not, and the error message is:
>
> [02/Jan/2007:09:58:31 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad"
> (adserver:636): windows_replay_update: Looking at add operation local
> dn="uid=PApostle,ou=People,o=txwes.edu" (not ours,not user,not group)
>
> The replication agreement specifies that ou=People,o=txwes.edu in the DS
> should be synchronized with ou=Domain Users,dc=ad,dc=txwesleyan,dc=edu in
> AD. Both ous exist as specified.
>
> Can anyone please suggest what I might try to get this working? Thanks. -
> Glenn.

Based on the information you've provided, the most likely cause is that the entry lacks the appropriate object class and attributes to be sync'ed.
O.K., so I'm guessing there are certain required object classes and attributes, and some that are not allowed. I tried to populate the Active Directory using Windows Sync, but it didn't work. Then I took the ldif file I used to populate the DS and tried to import it into AD, but that didn't work either. I found that if I changed some object classes and attributes, the ldif would import into AD, but not into DS. And they would not sync.

For instance, "objectclass: user" does not import into DS, but is required for AD. And "objectclass: inetOrgPerson" imports into DS, but not into AD.

So if I have some object classes and attributes required for AD that are not allowed in DS, and vice-versa, how can I make Windows Sync work? I'm sure I'm missing something here. I'm including sample ldif entries from each import below. Thanks. -Glenn.

AD-compatible entry:
dn: cn=Peter Apostle,ou=Domain Users,dc=ad,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
sn: Apostle
cn: Peter Apostle
SAMAccountName: PApostle
userPrincipalName: papostle@ad.example.com
mail: papostle@ad.example.com
facsimiletelephonenumber: 817-531-4806
title: Electronic Reference Librarian
givenname: Peter
businesscategory: EJW Library
roomnumber: EJW Library
employeenumber: 1234567
departmentnumber: Provost
telephonenumber: 817-555-4802
userpassword: {SHA}8/P0XfVT5t9GpNL8MNPH+jdPGA0
description: Reference Librarian
scriptPath: twu_script.bat
uid: abaker
DS-compatible entry:
dn: cn=Peter Apostle,ou=People,o=example.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
sn: Apostle
cn: Peter Apostle
mail: papostle@ad.example.com
facsimiletelephonenumber: 817-555-4806
title: Electronic Reference Librarian
givenname: Peter
businesscategory: EJW Library
roomnumber: EJW Library
employeenumber: 1234567
departmentnumber: Provost
telephonenumber: 817-555-4802
userpassword: {SHA}8/P0XfVT5t9GpNL8MNPH+jdPGA0
description: Reference Librarian
uid: papostle

---------- Original Message -----------
From: David Boreham <david_list@boreham.org>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Tue, 02 Jan 2007 10:01:33 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Errors
------- End of Original Message -------
Anybody? Thanks. -G.

---------- Original Message -----------
From: "Glenn" <glenn@mail.txwes.edu>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Tue, 2 Jan 2007 15:38:50 -0600
Subject: Re: [Fedora-directory-users] Windows Sync Errors
------- End of Original Message -------
On Fri, 05 Jan 2007, Glenn wrote:
> So if I have some object classes and attributes required for AD that
> are not allowed in DS, and vice-versa, how can I make Windows Sync
> work? I'm sure I'm missing something here. I'm including sample
> ldif entries from each import below. Thanks. -Glenn.

It seems to me (but I'm no expert on Windows sync) that the easiest solution would be to update your DS schema with the required AD attributes and classes so that it will accept the ones from AD.
Patrick Morris wrote:
> On Fri, 05 Jan 2007, Glenn wrote:
>>> So if I have some object classes and attributes required for AD that
>>> are not allowed in DS, and vice-versa, how can I make Windows Sync
>>> work? I'm sure I'm missing something here. I'm including sample
>>> ldif entries from each import below. Thanks. -Glenn.
>
> It seems to me (but I'm no expert on Windows sync) that the easiest
> solution would be to update your DS schema with the required AD
> attributes and classes so that it will accept the ones from AD.

No this isn't necessary. Winsync takes care of the schema translation. All you need is to have entries that are 'syncable'. On the FDS side this means special objectclass and attribute values. On the AD side it only means having the entries in the container configured in the sync agreement.
> All you need is to have entries that are 'syncable'. On the FDS side this means
> special objectclass and attribute values. On the AD side it only
> means having the entries in the container configured in the sync agreement.

If I have entries in DS that do not exist in AD, and I "Initiate Full Re-synchronization", then these entries should be created in AD, correct? And if so, they should be 'syncable'? But this does not happen in my case. Entries created in DS are rejected with the error messages,

windows_replay_update: Looking at add operation local dn="uid=fprefect,ou=People,o=txwes.edu" (not ours,not user,not group)

and

windows_process_total_entry: Looking dn="uid=fprefect,ou=People,o=txwes.edu" (not ours)

So I guess the question now is, what special object classes or attribute values do I need to add to a DS entry in order to make it replicate to AD? Here is what the DS entry looks like now as exported to ldif:

dn: uid=fprefect,ou=People,o=txwes.edu
telephoneNumber: 817-555-4000
mail: frprefect@ad.txwesleyan.edu
uid: fprefect
givenName: Ford
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Prefect
cn: Ford Prefect
creatorsname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createtimestamp: 20070108161609Z
modifytimestamp: 20070108161609Z
nsuniqueid: 7608d381-1dd211b2-802a98a3-2f8c0000
parentid: 1352
entryid: 1914
entrydn: uid=fprefect,ou=people,o=txwes.edu
numsubordinates: 0
subschemasubentry: cn=schema
hassubordinates: FALSE
Glenn wrote:
>> All you need is to have entries that are 'syncable'. On the FDS side this means
>> special objectclass and attribute values. On the AD side it only
>> means having the entries in the container configured in the sync agreement.
>
> If I have entries in DS that do not exist in AD, and I "Initiate Full Re-
> synchronization", then these entries should be created in AD, correct?

Incorrect. As I said, they need very particular schema to be sync'ed (entries from AD to FDS will be sync'ed even if they only have basic AD schema though). There is a bit of doc on this here:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859623

The easiest route might be for you to create a test user using the java console (make it an 'nt user') and then copy the object class and attributes from that.
O.K., I think I have it now. It seems that the DS entry must have an "ntUserDomainID" attribute before Windows Sync can write it to the AD. Also, the "ntusercreatenewaccount" attribute must have a value of true. These attributes and their values can be adjusted in the console directory editor under each user's NT User page.

Some attributes and their counterparts in Active Directory are mentioned in the Windows Sync manual, but the requirements for synchronization are not plainly enumerated. Such a list might make a worthwhile addition to a future edition of the manual.

Thanks for your kind responses! -Glenn.

---------- Original Message -----------
From: David Boreham <david_list@boreham.org>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Mon, 08 Jan 2007 10:46:26 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Errors
------- End of Original Message -------
One more entry is required -- objectclass: ntuser -Glenn.

---------- Original Message -----------
From: "Glenn" <glenn@mail.txwes.edu>
To: david_list@boreham.org, "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Mon, 8 Jan 2007 14:32:07 -0600
Subject: Re: [Fedora-directory-users] Windows Sync Errors
------- End of Original Message -------
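Added example (not from the thread or the Directory Server project): a pre-flight check that reads a DS LDIF export and reports, per entry, which of the requirements worked out in the last two messages it fails: objectclass ntUser, an ntUserDomainId value, ntUserCreateNewAccount set to true, and a DN under the agreement's local subtree ou=People,o=txwes.edu. The sample LDIF is constructed (the first entry mirrors Glenn's fprefect export), and the DN comparison assumes DNs written without spaces after the commas.

```python
"""Pre-flight check of a DS LDIF export against the Windows Sync entry
requirements from this thread (objectClass ntUser, ntUserDomainId,
ntUserCreateNewAccount: true) plus the sync agreement's local subtree."""
import base64

AGREEMENT_SUBTREE = "ou=people,o=txwes.edu"  # local subtree of the thread's agreement

# Constructed sample: first entry mirrors Glenn's fprefect export, second is fixed up.
SAMPLE_LDIF = """\
dn: uid=fprefect,ou=People,o=txwes.edu
objectClass: inetorgperson
uid: fprefect
sn: Prefect

dn: uid=papostle,ou=People,o=txwes.edu
objectClass: inetOrgPerson
objectClass: ntUser
uid: papostle
sn: Apostle
ntUserDomainId: PApostle
ntUserCreateNewAccount: true
"""

def parse_ldif(text):
    """Minimal LDIF reader: folded lines, 'attr:: base64' values, multi-valued attrs."""
    entries = []
    for block in text.strip().split("\n\n"):  # a blank line separates entries
        cur, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:  # folded continuation line
                cur[last][-1] += line[1:]
                continue
            key, _, val = line.partition(":")
            key = key.strip().lower()  # attribute names are case-insensitive
            if val.startswith(":"):  # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode()
            cur.setdefault(key, []).append(val.strip())
            last = key
        entries.append(cur)
    return entries

def sync_problems(entry, subtree=AGREEMENT_SUBTREE):
    """Reasons an entry would not be written to AD; empty list means syncable.
    DN check is a lower-cased suffix match (assumes no spaces after commas)."""
    problems = []
    if not entry.get("dn", [""])[0].lower().endswith("," + subtree):
        problems.append("not under sync agreement subtree " + subtree)
    if "ntuser" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("missing objectClass ntUser")
    if "ntuserdomainid" not in entry:
        problems.append("missing ntUserDomainId")
    if [v.lower() for v in entry.get("ntusercreatenewaccount", [])] != ["true"]:
        problems.append("ntUserCreateNewAccount is not 'true'")
    return problems

def check_ldif(text):  # maps each entry DN to its list of problems
    return {e["dn"][0]: sync_problems(e) for e in parse_ldif(text)}
```

Feed it the LDIF produced by db2ldif before a full re-synchronization; entries whose list is empty carry everything the thread found necessary, the others show exactly what is still missing.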