
HowTO: Sync Active Directory with Directory Server

Is there anything in the pwdfile?

I was able to generate a key. When I go to setup a new windows sync, it cannot contact AD. I can telnet into my Windows server from the host running the 389 directory server. Any suggestions?
 
I was able to get everything working except the sync. We're coming from 389 directory and moving to A.D., whereas your post said this error occurs if we have not imported our directory into 389.
Each time I try to sync I get this error:
The consumer initialization has unsuccessfully completed.
The error received by the replica is: '32 Total update aborted LDAP error: No such object'.

/var/log/dirsrv/slapd
[24/May/2013:14:39:26 -0400] NSMMReplicationPlugin - agmt="cn=domain AD Sync" (dc1:389): Replica has no update vector. It has never been initialized.
[24/May/2013:14:39:28 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=domain AD Sync" (dc1:389)".
[24/May/2013:14:39:28 -0400] - Entry "uid=Guest,ou=People, dc=domain, dc=net" missing attribute "sn" required by object class "person"
[24/May/2013:14:39:28 -0400] - add value "20130520160255.0Z" to attribute type "dscorepropagationdata" in entry "CN=Administrator,CN=Users,DC=domain,DC=net" failed: duplicate new value
[24/May/2013:14:39:28 -0400] - add value "" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=net" failed: duplicate new value
[24/May/2013:14:39:28 -0400] - add value "20130520160255.0Z" to attribute type "dscorepropagationdata" in entry "CN=Administrator,CN=Users,DC=domain,DC=net" failed: duplicate new value
[24/May/2013:14:39:28 -0400] - Entry "uid=Administrator,ou=People, dc=domain, dc=net" missing attribute "sn" required by object class "person"
[24/May/2013:14:39:28 -0400] - Entry "uid=krbtgt,ou=People, dc=domain, dc=net" missing attribute "sn" required by object class "person"
[24/May/2013:14:39:28 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=net" failed: duplicate new value
[24/May/2013:14:39:28 -0400] - add value "20130520160255.0Z" to attribute type "dscorepropagationdata" in entry "CN=Administrator,CN=Users,DC=domain,DC=net" failed: duplicate new value
[24/May/2013:14:39:28 -0400] - add value "20130520160255.0Z" to attribute type "dscorepropagationdata" in entry "CN=Administrator,CN=Users,DC=domain,DC=net" failed: duplicate new value
 
I have not seen these errors before. It seems like there is something wrong with your Dirsrv setup (which I am sure you have already surmised).

I wish I had a better answer for you. Although I can't be sure, it may also be that you have not imported your AD schema properly. "No such object" would seem to indicate that you don't have the proper schemas.
 
We're moving from 389 directory to AD, I didn't see a way to import from 389 to AD, only the other way around.

Once we get the directories synchronized we plan on moving all of our applications away from 389. We currently have about 1000 entries in 389 directory.
 
It may be that you need to figure out how to import standard LDAP schema into AD then. I am mostly no help when it comes to AD... I know just enough to do my job and that is it.
 
One more issue with Redhat Directory 9

Hello,

Really, this is a very nice article.

I am setting up Redhat Directory 9, and I have set it up properly on Redhat 6.5 64-bit.
Now I have to synchronize. Actually, you have taken the same domain name for all 3 servers, but I have different domain names for the Redhat and Windows servers.

So can you please give me advice on what I need to do about this issue.

Linux hostname is server.example.com, and Windows domain name is abc.xom.

Now can you please let me know what I need to put in for the domain name.
What should I put in the Windows server sync info?
==================
In "bind as", should I put Linux info or Windows?

Akhilesh
 
I'm sorry, I think there is a language issue here. I don't understand what you are asking me.

I don't really understand what the issue is.
 
> I'm sorry, I think there is a language issue here. I don't understand what you are asking me.
>
> I don't really understand what the issue is.

He has 3 servers, and 2 of them are named slightly differently.
Windows is in this format: abc.com, whereas the Linux box (Redhat I assume) is named server.abc.com.

He wants to know what server name he should put in to the Windows server to start the sync.


I don't have much experience with AD let alone AD with Windows and Unix but that's what I understand he wants. :)
 
Hi
Thanks for the article, that was a nice one.

I have set up everything BUT the password sync part, which I have kept disabled for a bit as I want to JUST sync users to start.
This is an Ubuntu --- Windows 2012 setup (only 2 boxes).
Unidirectional setup "fromWindows" defined in the replication object.

The authentication gets through to the AD box, I can initialise the replica and that is all; it never gets any data into the DS.
I have followed all the certificate-related steps etc., which all seem right, but I cannot understand what happens.

Error log below:
Code:
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: wait_for_changes -> wait_for_changes
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: wait_for_changes -> start
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): No linger to cancel on the connection
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): Disconnected from the consumer
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: start -> ready_to_acquire_replica
[01/Mar/2015:09:08:53 +0000] - acquire_replica, supplier RUV:
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - supplier: {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d5e1000000010000 54f2d5e1
[01/Mar/2015:09:08:53 +0000] - acquire_replica, consumer RUV:
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - consumer: {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d5e1000000010000 54f2d5e1
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): Trying secure slapi_ldap_init_ext

[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): binddn = cn=user Sync,cn=Users,dc=windows,dc=activedirectory,dc=com,  passwd = {DES}s/tdsdsdsd
[01/Mar/2015:09:08:53 +0000] - windows_conn_connect : detected Win2k3 or later peer
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): No linger to cancel on the connection
[01/Mar/2015:09:08:53 +0000] - _csngen_adjust_local_time: gen state before 54f2d6e10002:1425200865:0:0
[01/Mar/2015:09:08:53 +0000] - _csngen_adjust_local_time: gen state after 54f2d7250000:1425200933:0:0
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - windows_acquire_replica returned success (101)
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: ready_to_acquire_replica -> sending_updates
[01/Mar/2015:09:08:53 +0000] - csngen_adjust_time: gen state before 54f2d7250001:1425200933:0:0
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object 7f462249add0 for database /var/lib/dirsrv/slapd-instance/changelogdb/c3b80d03-beb311e4-8df9a16f-b0f06c9b_54f0c078000000010000.db
[01/Mar/2015:09:08:53 +0000] - _cl5PositionCursorForReplay (agmt="cn=windows.activedirectory.com" (adserver:636)): Consumer RUV:
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d5e1000000010000 54f2d5e1
[01/Mar/2015:09:08:53 +0000] - _cl5PositionCursorForReplay (agmt="cn=windows.activedirectory.com" (adserver:636)): Supplier RUV:
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d5e1000000010000 54f2d5e1
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): No changes to send
[01/Mar/2015:09:08:53 +0000] - Calling dirsync search request plugin
[01/Mar/2015:09:08:53 +0000] - Sending dirsync search request
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): Beginning linger on the connection
[01/Mar/2015:09:08:53 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: sending_updates -> wait_for_changes
[01/Mar/2015:09:09:24 +0000] - _csngen_adjust_local_time: gen state before 54f2d7250001:1425200933:0:0
[01/Mar/2015:09:09:24 +0000] - _csngen_adjust_local_time: gen state after 54f2d7440000:1425200964:0:0
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 54f2d744000000010000 into pending list
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - Purged state information from entry ou=People,dc=windows,dc=activedirectory,dc=com up to CSN 54e99b61000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 7f462249add0 for database /var/lib/dirsrv/slapd-instance/changelogdb/c3b80d03-beb311e4-8df9a16f-b0f06c9b_54f0c078000000010000.db
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 7f462249add0 for database /var/lib/dirsrv/slapd-instance/changelogdb/c3b80d03-beb311e4-8df9a16f-b0f06c9b_54f0c078000000010000.db
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 54f2d744000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: wait_for_changes -> wait_for_changes
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: wait_for_changes -> ready_to_acquire_replica
[01/Mar/2015:09:09:24 +0000] - acquire_replica, supplier RUV:
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - supplier: {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d744000000010000 54f2d744
[01/Mar/2015:09:09:24 +0000] - acquire_replica, consumer RUV:
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - consumer: {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d5e1000000010000 54f2d5e1
[01/Mar/2015:09:09:24 +0000] - acquire_replica, supplier RUV is newer
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): Cancelling linger on the connection
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - windows_acquire_replica returned success (101)
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: ready_to_acquire_replica -> sending_updates
[01/Mar/2015:09:09:24 +0000] - csngen_adjust_time: gen state before 54f2d7440002:1425200964:0:0
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object 7f462249add0 for database /var/lib/dirsrv/slapd-instance/changelogdb/c3b80d03-beb311e4-8df9a16f-b0f06c9b_54f0c078000000010000.db
[01/Mar/2015:09:09:24 +0000] - _cl5PositionCursorForReplay (agmt="cn=windows.activedirectory.com" (adserver:636)): Consumer RUV:
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d5e1000000010000 54f2d5e1
[01/Mar/2015:09:09:24 +0000] - _cl5PositionCursorForReplay (agmt="cn=windows.activedirectory.com" (adserver:636)): Supplier RUV:
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replicageneration} 54f0c078000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - agmt="cn=windows.activedirectory.com" (adserver:636): {replica 1 ldap://ldapserver.com:389} 54f23832000000010000 54f2d744000000010000 54f2d744
[01/Mar/2015:09:09:24 +0000] agmt="cn=windows.activedirectory.com" (adserver:636) - clcache_get_buffer: found thread private buffer cache 7f4604021ef0
[01/Mar/2015:09:09:24 +0000] agmt="cn=windows.activedirectory.com" (adserver:636) - clcache_get_buffer: _pool is 7f462248e080 _pool->pl_busy_lists is 7f4604001010 _pool->pl_busy_lists->bl_buffers is 7f4604021ef0
[01/Mar/2015:09:09:24 +0000] agmt="cn=windows.activedirectory.com" (adserver:636) - session start: anchorcsn=54f2d5e1000000010000
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=windows.activedirectory.com" (adserver:636): CSN 54f2d5e1000000010000 found, position set for replay
[01/Mar/2015:09:09:24 +0000] agmt="cn=windows.activedirectory.com" (adserver:636) - load=1 rec=1 csn=54f2d744000000010000
[01/Mar/2015:09:09:24 +0000] agmt="cn=windows.activedirectory.com" (adserver:636) - clcache_load_buffer: rc=-30988
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): No more updates to send (cl5GetNextOperationToReplay)
[01/Mar/2015:09:09:24 +0000] agmt="cn=windows.activedirectory.com" (adserver:636) - session end: state=5 load=1 sent=1 skipped=0 skipped_new_rid=0 skipped_csn_gt_cons_maxcsn=0 skipped_up_to_date=0 skipped_csn_gt_ruv=0 skipped_csn_covered=0
[01/Mar/2015:09:09:24 +0000] - Calling dirsync search request plugin
[01/Mar/2015:09:09:24 +0000] - Sending dirsync search request
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): Beginning linger on the connection
[01/Mar/2015:09:09:24 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=windows.activedirectory.com" (adserver:636): State: sending_updates -> wait_for_changes
[01/Mar/2015:09:09:28 +0000] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object 7f462249add0 for database /var/lib/dirsrv/slapd-instance/changelogdb/c3b80d03-beb311e4-8df9a16f-b0f06c9b_54f0c078000000010000.db
[01/Mar/2015:09:09:28 +0000] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: found DB object 7f462249add0

I have played with this for 2 weeks, setting up every single possible change in DS related to Users and Groups, but I cannot understand why 389-DS does not seem able to get the data out of AD.
I do not have a good error log showing a successful data import which I can compare with, so I do not know what to expect.
To me it looks like Windows is simply dropping the connection, but from a Windows perspective it seems ok as the user validates all right.

Any tips please?

Many thanks!
 
Have you tried giving the user admin rights just for testing (this is a test server right?). I have virtually no experience with Windows 2012 and I am not sure whether or not 2012 makes a difference. If (and this is a big IF) I get time to spin up a 2012 server I will try to walk through this and see if I can get the same results
 
> Have you tried giving the user admin rights just for testing (this is a test server right?). I have virtually no experience with Windows 2012 and I am not sure whether or not 2012 makes a difference. If (and this is a big IF) I get time to spin up a 2012 server I will try to walk through this and see if I can get the same results


The funny part is... This worked the very 1st time!! But I had to rebuild the Ubuntu box and it never worked again.
Changes? Mostly the hostname and the keys (obviously), which I had to re-import again.
But there is something that is NOT letting LDAP pull changes out of the Windows box.
Off the top of your head..... what might be on the Windows box which might now stop this from happening? What "leftover" might be the problem?

Any suggestions, very welcome and many thanks!
 
> Have you tried giving the user admin rights just for testing (this is a test server right?). I have virtually no experience with Windows 2012 and I am not sure whether or not 2012 makes a difference. If (and this is a big IF) I get time to spin up a 2012 server I will try to walk through this and see if I can get the same results
Hi
The issue was down to Windows permissions, specifically the group the Windows user should belong to.
So the Windows user should belong to the Domain Admin group; otherwise LDAP will connect all right to AD but WILL NOT BE ABLE to pull any data out of it (that can be seen in the Windows Event Viewer tool).

Now the 2nd and last fun part is the Windows Password Sync, which is not working at all:

Code:
[04/Mar/2015:16:13:00 -0800] conn=33 fd=64 slot=64 SSL connection from AD.server to ldap.server
[04/Mar/2015:16:13:00 -0800] conn=33 op=-1 fd=64 closed - Peer reports incompatible or unsupported protocol version.
[04/Mar/2015:16:47:09 -0800] conn=34 fd=64 slot=64 SSL connection from AD.server to ldap.server
[04/Mar/2015:16:47:09 -0800] conn=34 op=-1 fd=64 closed - Peer reports incompatible or unsupported protocol version.
[04/Mar/2015:17:55:26 -0800] conn=35 fd=64 slot=64 SSL connection from AD.server to ldap.server
[04/Mar/2015:17:55:26 -0800] conn=35 op=-1 fd=64 closed - Peer reports incompatible or unsupported protocol version.

In the Password Sync Tool in Windows I am using port 636 (as expected), and the whole LDAP server has been set up for SSL...

Thanks!
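The errors-log and access-log excerpts posted earlier in the thread (the "missing attribute sn" / "duplicate new value" lines from the failed total update, the "Replica has no update vector" line, and the "Peer reports incompatible or unsupported protocol version" closures above) each point at a different sync blocker. The following is an added example, not code from the thread or from the 389 project: a small Python classifier that parses 389 DS log lines and labels those conditions, so the dominant failure stands out instead of being buried in replication chatter. The sample log lines are constructed to mirror the posted ones, with placeholder domain names.

```python
import re
from collections import Counter

# 389 DS log lines start with "[dd/Mon/yyyy:HH:MM:SS +zzzz]" followed by the message.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")

# Conditions that stop a Windows Sync agreement from completing, keyed by a short label.
# The message fragments are the ones 389 DS writes in its errors and access logs
# (as quoted in the thread); first matching rule wins.
RULES = [
    ("missing_required_attr",
     re.compile(r'Entry "(?P<dn>[^"]+)" missing attribute "(?P<attr>[^"]+)" '
                r'required by object class "(?P<oc>[^"]+)"')),
    ("duplicate_value",
     re.compile(r'add value ".*?" to attribute type "(?P<attr>[^"]+)" in entry '
                r'"(?P<dn>[^"]+)" failed: duplicate new value')),
    ("replica_never_initialized",
     re.compile(r"Replica has no update vector")),
    ("tls_version_mismatch",
     re.compile(r"Peer reports incompatible or unsupported protocol version")),
]


def parse_line(line):
    """Split one log line into (timestamp, message); return None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return (m.group("ts"), m.group("msg")) if m else None


def classify(lines):
    """Return one finding per matching line: label, timestamp and the captured fields."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        for label, pattern in RULES:
            m = pattern.search(msg)
            if m:
                findings.append({"label": label, "ts": ts, **m.groupdict()})
                break
    return findings


def summarize(findings):
    """Count findings per label so the dominant blocker is obvious at a glance."""
    return Counter(f["label"] for f in findings)


# Constructed sample lines modelled on the thread's logs (domain names are placeholders).
SAMPLE_LOG = """\
[24/May/2013:14:39:26 -0400] NSMMReplicationPlugin - agmt="cn=example AD Sync" (dc1:389): Replica has no update vector. It has never been initialized.
[24/May/2013:14:39:28 -0400] - Entry "uid=Guest,ou=People, dc=example, dc=net" missing attribute "sn" required by object class "person"
[24/May/2013:14:39:28 -0400] - add value "20130520160255.0Z" to attribute type "dscorepropagationdata" in entry "CN=Administrator,CN=Users,DC=example,DC=net" failed: duplicate new value
[04/Mar/2015:16:13:00 -0800] conn=33 op=-1 fd=64 closed - Peer reports incompatible or unsupported protocol version.
this line is not a log line and is skipped
""".splitlines()

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
    print(summarize(classify(SAMPLE_LOG)))
```

Run it against a real /var/log/dirsrv/slapd-*/errors (and the access log for the TLS closures) by reading the file into `classify`; a "missing_required_attr" finding means the entry will be rejected by schema on the 389 side, and "tls_version_mismatch" means the two ends never agreed on an SSL/TLS version before any bind took place.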
 
I've never seen this message before; that almost implies that there has been some change in AD and password sync hasn't caught up yet.
 
Unable to sync password

ldapsearch -x -ZZ '(uid=sasikumar_054at09)' = result: 0 Success

access log
[05/May/2015:15:46:34 +051800] conn=5 SSL 256-bit AES
[05/May/2015:15:46:34 +051800] conn=5 op=1 BIND dn="" method=128 version=3
[05/May/2015:15:46:34 +051800] conn=5 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/May/2015:15:46:34 +051800] conn=5 op=2 SRCH base="dc=ahsan,dc=in" scope=2 filter="(uid=sasikumar_054at09)" attrs=ALL


Peer reports incompatible or unsupported protocol version

Please let me know the issue - 389 ds version 1.2
pass sync version 1.1.6

Thanks,
Sasikumar.P
 
Hi

I have followed the entire walkthrough in setting up the 389 DS with AD, and when I sync it doesn't show the users, and I also cannot use the server to authenticate. Any help would be really awesome.
 
There isn't a whole lot to go on. Do you see any errors? Have you investigated the logs on both the AD server and the 389 DS?

Have you created local users on the 389 server and checked whether you can authenticate with these? What about on the client? What do the client logs show?
 
I am trying to follow this guide for a prac in class and I get stuck at the stage of

> right clicking "useroot" and selecting "New Windows Sync Agreement"

I get an error that I haven't configured Replica or Changelog.

I can't save the previous step of entering the "uid=SMaster,cn=config".

I am running DS-389 version 1.3.7.5.

This has been the ONLY guide I have been able to find that explains how to configure DS389 in plain English. I know it's a 5 year old post; I hope someone is still around to help me.

Thanks
 
> I am trying to follow this guide for a prac in class and I get stuck at the stage of
>
> > right clicking "useroot" and selecting "New Windows Sync Agreement"
>
> I get an error that I haven't configured Replica or Changelog.
>
> I can't save the previous step of entering the "uid=SMaster,cn=config".
>
> I am running DS-389 version 1.3.7.5.
>
> This has been the ONLY guide I have been able to find that explains how to configure DS389 in plain English. I know it's a 5 year old post; I hope someone is still around to help me.
>
> Thanks

Given the age of this tutorial, I wonder what your end goal is. Perhaps I can help you through your requirements, and that may or may not include the 389 server.
 