Timothy Hunt
2007-Oct-25 17:33 UTC
[Fedora-directory-users] Problem with getting FDS and AD to sync
I've taken over control of an FDS and an AD server which had been set up before I got to it. I'm still fairly new to LDAP and related things. I come from a unix background rather than windows.

At some point, users put into FDS were replicated on the AD server correctly. Subsequently, the flat "structure" of the users in FDS was improved to be more hierarchical. However, new users added into FDS are not being added into AD. I'm also not familiar enough with AD to know where to see the OU structure that is present in FDS in AD. I'm not even sure if AD would have that structure. I'm at a bit of a loss as to how to start diagnosing where the problem is, let alone fixing it.

I've looked at http://directory.fedoraproject.org/wiki/Howto:WindowsSync but as that is focussed on setting it up initially, I'm not sure how much of it applies.

Help on how to start solving this welcomed.

Timothy
Richard Megginson
2007-Oct-25 17:50 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
Timothy Hunt wrote:
> I've taken over control of an FDS and an AD server which had been set
> up before I got to it. I'm still fairly new to LDAP and related
> things. I come from a unix background rather than windows.
>
> At some point, users put into FDS were replicated on the AD server
> correctly. Subsequently, the flat "structure" of the users in FDS was
> improved to be more hierarchical. However, new users added into FDS
> are not being added into AD. I'm also not familiar enough with AD to
> know where to see the OU structure that is present in FDS in AD. I'm
> not even sure if AD would have that structure. I'm at a bit of a loss
> as to how to start diagnosing where the problem is, let alone fixing it.
>
> I've looked at
> http://directory.fedoraproject.org/wiki/Howto:WindowsSync but as that
> is focussed on setting it up initially, I'm not sure how much of it
> applies.

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

> Help on how to start solving this welcomed.
>
> Timothy
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Timothy Hunt
2007-Oct-26 19:24 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
On Oct 25, 2007, at 12:50 PM, Richard Megginson wrote:
> Timothy Hunt wrote:
>> I've taken over control of an FDS and an AD server which had been
>> set up before I got to it. I'm still fairly new to LDAP and
>> related things. I come from a unix background rather than windows.
>>
>> At some point, users put into FDS were replicated on the AD server
>> correctly. Subsequently, the flat "structure" of the users in FDS
>> was improved to be more hierarchical. However, new users added
>> into FDS are not being added into AD. I'm also not familiar
>> enough with AD to know where to see the OU structure that is
>> present in FDS in AD. I'm not even sure if AD would have that
>> structure. I'm at a bit of a loss as to how to start diagnosing
>> where the problem is, let alone fixing it.
>>
>> I've looked at http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>> but as that is focussed on setting it up
>> initially, I'm not sure how much of it applies.
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

Thanks, Richard,

As our AD server isn't yet being used, I decided to break the existing sync agreement, wipe the users on the AD server, and start a new sync agreement.

I've got "replication" logging set and I'm getting this in the FDS log files

[26/Oct/2007:14:15:38 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 191 seconds
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): State: backoff -> backoff
[26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV:
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replicageneration} 4693ce97000000010000
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replica 1 ldap://ds1.intraisp.com:389} 469ee73e000000010000 47223b23000000010000 47223b23
[26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV:
[26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV = null
[26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV is newer
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Trying secure slapi_ldap_init
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): binddn = CN=Administrator,CN=Users,DC=directory,DC=intraisp,DC=com, passwd = {DES}cwngvvY1zCw
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Disconnected from the consumer
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Beginning linger on the connection
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): No linger on the closed conn
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 299 seconds

the "summary" tab of the AD sync agreement on FDS says
Last update message: - LDAP error: Can't contact LDAP server: Error Code: 81

But I can connect to port 636 on the AD server from the RDS box without a problem.

Any suggestions?

Timothy
Richard Megginson
2007-Oct-26 19:50 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
Timothy Hunt wrote:
>
> On Oct 25, 2007, at 12:50 PM, Richard Megginson wrote:
>
>> Timothy Hunt wrote:
>>> I've taken over control of an FDS and an AD server which had been
>>> set up before I got to it. I'm still fairly new to LDAP and related
>>> things. I come from a unix background rather than windows.
>>>
>>> At some point, users put into FDS were replicated on the AD server
>>> correctly. Subsequently, the flat "structure" of the users in FDS
>>> was improved to be more hierarchical. However, new users added into
>>> FDS are not being added into AD. I'm also not familiar enough with
>>> AD to know where to see the OU structure that is present in FDS in
>>> AD. I'm not even sure if AD would have that structure. I'm at a
>>> bit of a loss as to how to start diagnosing where the problem is,
>>> let alone fixing it.
>>>
>>> I've looked at
>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync but as
>>> that is focussed on setting it up initially, I'm not sure how much
>>> of it applies.
>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
>
> Thanks, Richard,
>
> As our AD server isn't yet being used, I decided to break the existing
> sync agreement, wipe the users on the AD server, and start a new sync
> agreement.
>
> I've got "replication" logging set and I'm getting this in the FDS log
> files
>
> [26/Oct/2007:14:15:38 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 191 seconds
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): State: backoff -> backoff
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV:
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replicageneration} 4693ce97000000010000
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replica 1 ldap://ds1.intraisp.com:389} 469ee73e000000010000 47223b23000000010000 47223b23
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV:
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV = null
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV is newer
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Trying secure slapi_ldap_init
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): binddn = CN=Administrator,CN=Users,DC=directory,DC=intraisp,DC=com, passwd = {DES}cwngvvY1zCw
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Disconnected from the consumer
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Beginning linger on the connection
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): No linger on the closed conn
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 299 seconds
>
> the "summary" tab of the AD sync agreement on FDS says
> Last update message: - LDAP error: Can't contact LDAP server: Error
> Code: 81
>
> But I can connect to port 636 on the AD server from the RDS box
> without a problem.

Can you connect to port 389 on the AD server? Is it possible you have configured it to use port 636 but not to use SSL (or vice versa)?

> Any suggestions?
>
> Timothy
Timothy Hunt
2007-Oct-26 20:38 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
>> But I can connect to port 636 on the AD server from the RDS box
>> without a problem.
> Can you connect to port 389 on the AD server? Is it possible you
> have configured it to use port 636 but not to use SSL (or vice versa)?

Yes I can, but I also know for sure that 636 is using SSL.

Timothy
Richard Megginson
2007-Oct-26 20:59 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
Timothy Hunt wrote:
>>> But I can connect to port 636 on the AD server from the RDS box
>>> without a problem.
>> Can you connect to port 389 on the AD server? Is it possible you
>> have configured it to use port 636 but not to use SSL (or vice versa)?
>
> Yes I can, but I also know for sure that 636 is using SSL.

Did you configure the sync agreement to use SSL and to use port 636?

> Timothy
Timothy Hunt
2007-Oct-26 21:04 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
>> Yes I can, but I also know for sure that 636 is using SSL.
> Did you configure the sync agreement to use SSL and to use port 636?

Yes.

Timothy
Richard Megginson
2007-Oct-26 21:12 UTC
Re: [Fedora-directory-users] Problem with getting FDS and AD to sync
Timothy Hunt wrote:
>>> Yes I can, but I also know for sure that 636 is using SSL.
>> Did you configure the sync agreement to use SSL and to use port 636?
>
> Yes.

Can you use ldapsearch from the command line? e.g.

cd /opt/fedora-ds/shared/bin
./ldapsearch -h adhostname -p 636 -D "cn=administrator,cn=Users,dc=your,dc=domain,dc=com" -w adpassword -Z -P /opt/fedora-ds/alias/slapd-instance-cert8.db -s base -b "" "objectclass=*"

> Timothy
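As an added illustration of the triage Richard is walking Timothy through (this is not code from the thread, nor from Fedora DS itself), the Python script below parses replication-level error-log lines like the ones Timothy posted, redacts the bind password those lines echo, and cross-checks a sync agreement's port against its transport setting, which is the mismatch Richard asks about. The sample log is constructed from the posted excerpt with a placeholder in place of the {DES} value; nsDS5ReplicaPort and nsDS5ReplicaTransportInfo are the 389/Fedora DS agreement attributes, and treating 636 as SSL-only and 389 as plain LDAP is an assumption about the usual AD layout, not a rule the server enforces.

```python
"""Triage helpers for a Fedora DS (389 DS) WinSync agreement that will not
connect: parse the replication-level error log, redact the bind password
the log echoes, and cross-check the agreement's port/transport pairing."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the log excerpt posted in the thread, one
# record per line; the {DES} value is a made-up placeholder, not a real
# obfuscated password.
SAMPLE_LOG = """\
[26/Oct/2007:14:15:38 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 191 seconds
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): State: backoff -> backoff
[26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV:
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replicageneration} 4693ce97000000010000
[26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV = null
[26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV is newer
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Trying secure slapi_ldap_init
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): binddn = CN=Administrator,CN=Users,DC=directory,DC=intraisp,DC=com, passwd = {DES}PLACEHOLDER
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Disconnected from the consumer
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 299 seconds
"""

AGMT_RE = re.compile(r'agmt="(?P<name>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$')
BACKOFF_RE = re.compile(r'backing off for (\d+) seconds')
STATE_RE = re.compile(r'State: (\S+) -> (\S+)')
PASSWD_RE = re.compile(r'(passwd = )\S+')


@dataclass
class AgreementStatus:
    name: str
    host: str
    port: int
    state_changes: list = field(default_factory=list)
    backoff_seconds: list = field(default_factory=list)
    disconnects: int = 0
    secure_init_attempted: bool = False
    password_logged: bool = False


def redact_line(line: str) -> str:
    """Mask the bind password before a log excerpt is pasted anywhere."""
    return PASSWD_RE.sub(r'\1<redacted>', line)


def parse_log(text: str) -> dict:
    """Group agmt="..." records by agreement and extract the facts that matter
    for a connection failure: backoff growth, state transitions, a disconnect
    after a secure init attempt, and a password echoed into the log."""
    agreements = {}
    for line in text.splitlines():
        m = AGMT_RE.search(line)
        if not m:
            continue  # RUV and other untagged lines are not needed here
        name = m.group('name')
        st = agreements.setdefault(
            name, AgreementStatus(name, m.group('host'), int(m.group('port'))))
        msg = m.group('msg')
        if (b := BACKOFF_RE.search(msg)):
            st.backoff_seconds.append(int(b.group(1)))
        if (s := STATE_RE.search(msg)):
            st.state_changes.append((s.group(1), s.group(2)))
        if 'Disconnected from the consumer' in msg:
            st.disconnects += 1
        if 'Trying secure slapi_ldap_init' in msg:
            st.secure_init_attempted = True
        if 'passwd =' in msg:
            st.password_logged = True
    return agreements


def diagnose(st: AgreementStatus) -> list:
    """Turn the parsed status into the questions a reviewer would ask next."""
    findings = []
    if st.secure_init_attempted and st.disconnects:
        findings.append(f"{st.name}: secure init to {st.host}:{st.port} was followed by a disconnect; "
                        "a plain TCP connect succeeding does not prove the TLS handshake or the "
                        "port/transport pairing is right, so test with ldapsearch over SSL.")
    if len(st.backoff_seconds) > 1 and st.backoff_seconds[-1] > st.backoff_seconds[0]:
        findings.append(f"{st.name}: backoff is growing {st.backoff_seconds}; the failure repeats, it is not transient.")
    if st.password_logged:
        findings.append(f"{st.name}: the bind password is written to the error log at this log level; redact before sharing.")
    return findings


def check_transport(agreement: dict) -> list:
    """Cross-check port against transport on a replication agreement entry.
    nsDS5ReplicaPort / nsDS5ReplicaTransportInfo (LDAP, SSL, TLS) are the
    389 DS attribute names; 636-means-SSL and 389-means-plain is an assumption
    about the usual AD layout, not something the server enforces."""
    attrs = {k.lower(): v for k, v in agreement.items()}
    port = int(attrs.get('nsds5replicaport', 389))
    transport = str(attrs.get('nsds5replicatransportinfo', 'LDAP')).upper()
    problems = []
    if port == 636 and transport != 'SSL':
        problems.append(f"port {port} with transport {transport}: expected SSL on 636")
    if port == 389 and transport == 'SSL':
        problems.append(f"port {port} with transport SSL: 389 expects LDAP (or TLS for StartTLS)")
    return problems


if __name__ == '__main__':
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
    for st in parse_log(SAMPLE_LOG).values():
        print('\n'.join(diagnose(st)))
    print(check_transport({'nsDS5ReplicaPort': '636', 'nsDS5ReplicaTransportInfo': 'LDAP'}))
```

Run it against a real error log by feeding the file contents to parse_log; check_transport takes the agreement entry's attributes as a dict, for example as returned by an ldapsearch of cn=fs2 under cn=replica. The redaction is deliberate: at replication log level the server writes the agreement's bind DN and (obfuscated) password into the error log, so an excerpt should go through redact_line before it is mailed to a list.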