<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/04/2014 01:53 PM, Todd Maugh
wrote:<br>
</div>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226C95F@EXCHMB1-ELS.BWINC.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">I tried changing the password for a
user in AD<br>
<br>
this is what the passsync log shows: <br>
<br>
<div>02/04/14 12:29:14: Ldap bind error in Connect</div>
<div><span class="" style="white-space:pre"></span>81: Can't
contact LDAP server</div>
<div>02/04/14 12:49:34: Ldap bind error in Connect</div>
<div><span class="" style="white-space:pre"></span>81: Can't
contact LDAP server</div>
<div>02/04/14 12:49:34: Ldap error in QueryUsername</div>
<div><span class="" style="white-space:pre"></span>81: Can't
contact LDAP server</div>
<div>02/04/14 12:49:36: Ldap bind error in Connect</div>
<div><span class="" style="white-space:pre"></span>81: Can't
contact LDAP server</div>
<div>02/04/14 12:49:36: Ldap error in QueryUsername</div>
<div><span class="" style="white-space:pre"></span>81: Can't
contact LDAP server<br>
<br>
<br>
and you say this is one of many issues with passsync. do you
recommend another option?<br>
</div>
</div>
</blockquote>
<br>
> LDAP bind error in connect<br>
> 81: Can't Contact LDAP Server<br>
<br>
That means<br>
1) ipa ldap server is down<br>
2) some sort of network problem<br>
3) incorrect host/port specified in passsync config<br>
4) host specified in passsync config is not the FQDN, or the FQDN
doesn't resolve both forward and reverse from the windows box<br>
5) host specified in the passsync config does not match the ipa ldap
server certificate subject dn<br>
6) incorrect CA cert installed in passsync cert db<br>
<br>
In order for AD to send a password, you have to change a password in
AD. When I said "This is one of the (many) problems with passsync",
I meant that passsync will not sync existing passwords from AD to
IdM. Passsync requires an AD password change operation in order to
sync a password. If you were expecting that your existing AD
passwords would just suddenly work in IdM, without having all of
your AD users change their passwords, that's not how passsync
works. There is no way to do that. This is but one of the reasons
why the AD/IdM cross domain trust solution is preferred.<br>
<br>
When I said "This is one of the (many) problems with passsync", I
most certainly did not mean that "LDAP bind error in connect<br>
> 81: Can't Contact LDAP Server" is one of the many problems.
It is almost always a configuration issue.<br>
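The checklist above (DNS forward/reverse, certificate subject vs. configured host, CA cert) can be scripted. This is an added example, not part of the thread or of PassSync itself; the cert-db PEM path and port are assumptions, and the pure functions are checked against constructed inputs.

```python
"""Offline checks for the causes listed above for LDAP error 81 (Can't contact LDAP server)."""
import socket
import ssl

def fqdn_resolves_consistently(host, forward_ips, reverse_names):
    """Cause 4: host must be an FQDN that resolves forward, and every address
    must resolve back to that same FQDN (case-insensitive)."""
    if "." not in host or not forward_ips:
        return False
    want = host.rstrip(".").lower()
    return all(reverse_names.get(ip, "").rstrip(".").lower() == want for ip in forward_ips)

def cert_names(cert):
    """Collect subject CN and DNS SANs from a cert dict in ssl.getpeercert() layout."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return [n.lower() for n in names]

def cert_matches_host(cert, host):
    """Cause 5: the host in the passsync config must match the IPA server cert.
    A single leftmost-label wildcard (*.example.com) is honoured."""
    host = host.rstrip(".").lower()
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False

def live_check(host, port=636, cafile="passsync-ca.pem"):
    """Run causes 1-6 against a real server (assumed LDAPS port and CA PEM
    exported from the PassSync cert db). Network/TLS failures raise."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port)})
    rev = {}
    for ip in ips:
        try:
            rev[ip] = socket.gethostbyaddr(ip)[0]
        except OSError:
            rev[ip] = ""
    ctx = ssl.create_default_context(cafile=cafile)  # wrong CA -> verify error (cause 6)
    ctx.check_hostname = False  # chain still verified; hostname compared below (cause 5)
    with socket.create_connection((host, port), timeout=5) as sock:  # causes 1-3
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"dns_ok": fqdn_resolves_consistently(host, ips, rev),
            "cert_ok": cert_matches_host(cert, host)}
```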
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226C95F@EXCHMB1-ELS.BWINC.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<div>
<br>
</div>
<br>
<div style="font-family: Times New Roman; color: #000000;
font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF807741"><font
color="#000000" face="Tahoma" size="2"><b>From:</b> Todd
Maugh<br>
<b>Sent:</b> Tuesday, February 04, 2014 12:48 PM<br>
<b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> RE: Creating password sync<br>
</font><br>
</div>
<div>
<div style="direction:ltr; font-family:Tahoma;
but what about the">
color:#000000; font-size:10pt">but what about the "can't
contact LDAP server" in the passsync log?<br>
<br>
and are you saying I should try to change one of the
passwords in AD for it to go to IDM, or vice versa?<br>
<br>
thanks<br>
<br>
<br>
<div style="font-family:Times New Roman; color:#000000;
font-size:16px">
<hr tabindex="-1">
<div id="divRpF189373" style="direction:ltr"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, February 04, 2014 12:45 PM<br>
<b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: Creating password sync<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 02/04/2014 01:42 PM,
Todd Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">I have not changed
any passwords in AD yet.<br>
</div>
</blockquote>
<br>
Then passsync will not have sent anything.<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt"><br>
and the users I have in IDM from AD, their
passwords are not working<br>
</div>
</blockquote>
<br>
Right. This is one of the (many) problems with the
passsync approach - there currently is no way to
populate the initial passwords - that is, passsync/IdM
cannot copy your passwords over from AD to IdM.<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt"><br>
<br>
<div style="font-family:Times New Roman;
color:#000000; font-size:16px">
<hr tabindex="-1">
<div id="divRpF355147" style="direction:ltr"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, February 04, 2014
12:40 PM<br>
<b>To:</b> Todd Maugh; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com"
target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: Creating password sync<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 02/04/2014
01:20 PM, Todd Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr;
font-family:Tahoma; color:#000000;
font-size:10pt">my passhook.log file is
empty<br>
</div>
</blockquote>
<br>
Have you changed any passwords in AD?<br>
<br>
<blockquote type="cite">
<div style="direction:ltr;
font-family:Tahoma; color:#000000;
font-size:10pt">
<div style="font-family:Times New Roman;
color:#000000; font-size:16px">
<hr tabindex="-1">
<div id="divRpF268312"
style="direction:ltr"><font
color="#000000" face="Tahoma"
size="2"><b>From:</b>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com"
target="_blank">
freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com"
target="_blank">freeipa-users-bounces@redhat.com</a>]
on behalf of Todd Maugh [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tmaugh@boingo.com"
target="_blank">tmaugh@boingo.com</a>]<br>
<b>Sent:</b> Tuesday, February 04,
2014 11:56 AM<br>
<b>To:</b> Rich Megginson; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com"
target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users]
Creating password sync<br>
</font><br>
</div>
<div>
<div style="direction:ltr;
font-family:Tahoma; color:#000000;
Im seeing these">
font-size:10pt">I'm seeing these
errors in the passsync.log<br>
<br>
<span dir="ltr">
<div>32: No such object</div>
<div>02/03/14 16:23:40: Ldap error
in QueryUsername</div>
<div>32: No such object</div>
<div>02/03/14 16:57:48: Abandoning
password change for scottb,
backoff expired</div>
<div>02/03/14 16:57:48: Ldap bind
error in Connect</div>
<div>32: No such object</div>
<div>02/03/14 16:57:48: Ldap error
in QueryUsername</div>
<div>32: No such object</div>
<div>02/03/14 18:06:04: Abandoning
password change for scottb,
backoff expired</div>
<div>02/03/14 18:06:04: Ldap bind
error in Connect</div>
<div>32: No such object</div>
<div>02/04/14 10:24:59: PassSync
service initialized</div>
<div>02/04/14 10:24:59: PassSync
service running</div>
<div>02/04/14 10:25:00: Ldap bind
error in Connect</div>
<div>32: No such object</div>
<div>02/04/14 10:58:37: Ldap bind
error in Connect</div>
<div>32: No such object</div>
<div>02/04/14 10:58:37: PassSync
service stopped</div>
<div>02/04/14 10:58:38: PassSync
service initialized</div>
<div>02/04/14 10:58:38: PassSync
service running</div>
<div>02/04/14 10:58:39: Ldap bind
error in Connect</div>
<div>32: No such object</div>
<div><br>
<br>
</div>
</span><br>
<div style="font-family:Times New
Roman; color:#000000;
font-size:16px">
<hr tabindex="-1">
<div id="divRpF24542"
style="direction:ltr"><font
color="#000000" face="Tahoma"
size="2"><b>From:</b> Rich
Megginson [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, February
04, 2014 9:19 AM<br>
<b>To:</b> Todd Maugh; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com" target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com" target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: Creating
password sync<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On
02/04/2014 10:17 AM, Todd
Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr;
font-family:Tahoma;
color:#000000;
font-size:10pt">also I have
verified the password
synchronization service is
started and running on the
windows 2008 R2 server<br>
<br>
<br>
but I can't tell if or what
it is doing because I'm not
getting passwords to my IDM<br>
</div>
</blockquote>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging"
target="_blank">http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging</a><br>
<br>
You can also look at the 389
access log to see if you have
connections from the windows
box.<br>
<br>
<blockquote type="cite">
<div style="direction:ltr;
font-family:Tahoma;
color:#000000;
font-size:10pt">
<div
style="font-family:Times
New Roman; color:#000000;
font-size:16px">
<hr tabindex="-1">
<div id="divRpF273180"
style="direction:ltr"><font
color="#000000"
face="Tahoma" size="2"><b>From:</b>
<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com"
target="_blank">
freeipa-users-bounces@redhat.com</a> [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>]
on behalf of Todd
Maugh [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com"
target="_blank">tmaugh@boingo.com</a>]<br>
<b>Sent:</b> Tuesday,
February 04, 2014 9:04
AM<br>
<b>To:</b> Rich
Megginson; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com"
target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b>
[Freeipa-users]
Creating password sync<br>
</font><br>
</div>
<div>
<div
style="direction:ltr;
font-family:Tahoma;
color:#000000;
font-size:10pt">Ok, So
I have my replication
agreement set up.<br>
<br>
and I see accounts
coming in to my IDM
server from AD<br>
<br>
I have followed this
guide from redhat <br>
<br>
<a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html</a><br>
<br>
to set up my password
sync. <br>
<br>
I get no errors<br>
<br>
but my passwords are
not syncing!<br>
<br>
Help! The
documentation tells of
no way to verify or
troubleshoot<br>
<br>
<br>
Thank You<br>
<br>
-Todd Maugh<br>
<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com"
target="_blank">tmaugh@boingo.com</a><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>