On 02/09/2011 06:39 AM, remy d1 wrote:
Hi Rich,

I reinstalled all my server from scratch and reimported all my data (with cert files).

If I try to synchronize my data, I can import users from AD to 389-DS but I can't do the opposite. My 389 server replica is always in status "in progress" with "replica acquired successfully : incremental update started", but it can't finish the synchronization job.

Sometimes you have to tell winsync to do a full resync a few times before it finally works.

I could also continue to launch requests to my AD server from my 389-DS server (ldapsearch...). I successfully added a user to my AD with Apache Directory Studio (installed on my 389-DS server) with the AD synchronizing account. So, it's not an access problem.

Moreover I added a schema on my 389-DS for my directory that is not present on my AD. Do you think I have to add this schema to AD or is the synchronization done only on AD required attributes?

No. The schema that winsync uses is hard coded in 389 - you cannot extend it or change it - it should work with AD, no changes to AD should be required.

Or,

Is it a cert file problem on my AD?

or ...?

Any idea would be appreciated

Regards-


2011/1/25 Rich Megginson <rmegg...@redhat.com>

    On 01/25/2011 01:29 AM, remy d1 wrote:
    Hi Rich,

    I tried to raise the log level, but when I did it, I was not able
    to stop/restart my dirsrv service.

    What log level did you use?  What error messages did you see when
    you attempted to stop/restart the service?  Anything in the errors
    log?

    To stop it, I must kill the process and remove the pid file. Then
    I could start it.

    In my error logs, there is a lot of information:


    [root@KingKong ~]# tail /var/log/dirsrv/slapd-KingKong/errors
    [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
    program - cl5GetOperationCount: could not get DB object for replica
    [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
    program - _cl5GetDBFile: no DB object found for database
    /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
    [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
    program - cl5GetOperationCount: could not get DB object for replica
    [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
    program - _cl5GetDBFile: no DB object found for database
    /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
    [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
    program - cl5GetOperationCount: could not get DB object for replica
    [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog
    program - _cl5GetDBFile: no DB object found for database
    /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
    [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog
    program - cl5GetOperationCount: could not get DB object for replica
    [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog
    program - _cl5GetDBFile: no DB object found for database
    /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
    [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog
    program - cl5GetOperationCount: could not get DB object for replica
    [24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog
    program - cl5ExportLDIF: failed to locate changelog file for
    replica at (dc=mydomain,dc=com)


    This problem is very similar to this post:
    http://www.redhat.com/archives/fedora-directory-commits/2009-March/msg00005.html
    Although I have the last version of 389-DS.

    Are you sure this is the correct post you wanted to refer to?
    Because this is a patch commit for a fix when moving the changelog
    directory - did you move the changelog directory?  Because you did
    not mention it in your earlier post.


    I think I have also some troubleshooting with my hostname because
    bind is not configured. However, I have chosen to put it in my
    /etc/hosts file
    [root@KingKong ~]# nl /etc/host.conf
         1    multi on
         2    order hosts,bind
    hostname command reply the full "fqdn" if I choose the option
    --all-fqdn, contrary to the option "--fqdn". The reply is just my
    hostname without the domain. By the way, if I say
    #hostname KingKong.mydomain.com
    Everything is now good for my hostname but I can not launch my
    389-console. I think the address to connect is not ok... I do not
    know if this problem is linked to the previous problems...

    So, I do #hostname KingKong
    Then, I launch the console again. Now, if I try to initiate a
    full synchronization, I can see (and I am still stuck on it) the
    window "please wait while data is being synchronized...", but
    nothing else... Data are not synchronized and I do not see
    anything in my Windows event viewer while replica agreement seems
    to be ok and PassSync service is installed...

    It is very difficult to change your hostname after you have
    configured the admin server and console.  I suggest starting over
    from scratch, and first make sure your hostname is correct.

    I also suggest using
    http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync
    to configure Windows Sync.



    Thanks for help,

    -Regards

    2011/1/21 Rich Megginson <rmegg...@redhat.com>

        Date: Fri, 21 Jan 2011 10:25:56 +0100
        To: "General discussion list for the 389 Directory server
        project." <389-us...@lists.fedoraproject.org>


        Hi Rich,

        Thanks for this useful link.

        I have successfully initiated replica between Windows AD and
        my server 389-DS. Ldapsearch is working. But even if
        everything seems to be ok, the update does not work and I do
        not see any error in the log files... So, my AD server stays
        empty, the accounts are not migrated...

        Here you have my access log file which is more verbose...
        (mydomain.com for the example) :
        <snip>
        Obviously I am connecting to the server 389-DS itself
        whereas it can resolve the DNS name of my Windows server...
        There is no error in the AD event viewer while I could see
        errors on it when it was misconfigured (like DirSync
        errors)... So, basically, the Windows server is contacted to
        my DS-Server over 2 different networks.

        Do you think I have to open the ports described in my message ?

        -Regards.

        I don't know.  There is no winsync information in the access
        log.  Note that the access log records client accesses to the
        directory server, and in winsync, the directory server itself
        acts as a client to AD, so winsync will log nothing in the
        access log.  The errors log could be helpful, and especially
        using the replication log level (which is also used for
        winsync logging).  The Windows Event Viewer is useless for
        winsync issues.





--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
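
Because winsync and replication problems are reported in the errors log rather than the access log, a quick triage of that log shows which changelog message keeps repeating. The following is an added example, not part of the thread and not 389 project code; the sample lines are constructed in the format quoted above (with a placeholder changelog file name), and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the lines quoted in the thread, wrapped
# the way a mail client leaves them; the changelog file name is a placeholder.
SAMPLE = """\
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog
program - _cl5GetDBFile: no DB object found for database
/var/lib/dirsrv/slapd-EXAMPLE/changelogdb/PLACEHOLDER.db4
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog
program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog
program - cl5ExportLDIF: failed to locate changelog file for
replica at (dc=mydomain,dc=com)
"""

STAMP = re.compile(r"^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<plugin>\S+) - (?P<msg>.*)$")

def unwrap(text):
    """Rejoin wrapped continuation lines onto their timestamped entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Return (timestamp, plugin, message) for every well-formed entry."""
    parsed = []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            parsed.append((ts, m["plugin"], m["msg"]))
    return parsed

def summarize(text):
    """Count entries per (plugin, reporting function) to show what repeats."""
    counts = Counter()
    for _, plugin, msg in parse(text):
        func = re.search(r"(\w+):", msg)
        counts[(plugin, func.group(1) if func else "?")] += 1
    return counts
```

Running `summarize()` over the real errors log text (read from the file under /var/log/dirsrv/) gives a per-function count that is easier to compare before and after a configuration change than the raw tail output.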
