<div dir="ltr"><div><span lang="en"><span>Hi</span> <span>Rich</span>!<br><br> <span>I turned on</span> <span>the log</span> <span>and</span> <span>see</span> <span>the following records<br><br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=<a href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): State: start_backoff -> backoff<br>[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f039000000030000<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3 ldap://<a href="http://ipa.test-csbi-its.ru:389" target="_blank">ipa.test-csbi-its.ru:389</a>} 5440f039000100030000 5464956e000000030000 5464956e<br>[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:<br>[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null<br>[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=<a href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Cancelling linger on the connection<br>[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before 546495820001:1415878018:0:0<br>[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after 546495860000:1415878022:0:0<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=<a href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): State: backoff -> sending_updates<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=<a href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=<a href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Beginning linger on the connection<br>[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=<a href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): State: sending_updates -> start_backoff<br><br><br></span></span></div><br><div dir="ltr"><div> <div> <div> <div> <div> <div> <div> <div dir="ltr">Best regards, Valeriy<br> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> <div><span lang="en"><span></span></span><font color="#000000"><div><br></div><div><br>On 10/29/2014 03:19 AM, Сапегин Валерий wrote:<br> </div> <blockquote type="cite"> <div dir="ltr"><font color="#000000">Yes </font><font color="#000000">Dmitri, ldapsearch works good:<br> <br> [root ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h <a rel="nofollow" href="http://csbi-it-dc01.csbigroup.ru" target="_blank">csbi-it-dc01.csbigroup.ru</a> -D "cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w "ttttttttt" -s base -b "cn=users,dc=csbigroup,dc=ru"<br> dn: cn=users,dc=csbigroup,dc=ru<br> objectClass: top<br> objectClass: container<br> cn: Users<br> description: Default container for upgraded user accounts<br> distinguishedName: CN=Users,DC=csbigroup,DC=ru<br> instanceType: 4<br> ...<br> ...<br> <br> </font></div> </blockquote> <br> Ok. Now try to do a windows sync with the dirsrv replication error log level - <a rel="nofollow" href="http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting" target="_blank">http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting</a><br> <br> Then we can take a look at the detailed errors.<br> <br> <blockquote type="cite"> <div class="gmail_extra"><br clear="all"> <div> <div dir="ltr">С уважением, Сапегин Валерий<br> </div> </div> <br> <div class="gmail_quote">2014-10-23 16:19 GMT+04:00 Сапегин Валерий <span dir="ltr"><<a rel="nofollow" href="mailto:unitaip%20gmail%20com" target="_blank">unitaip gmail com</a>></span>:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div dir="ltr"> <div> <div> <div> <div> <div> Hello!<br> <br> </div> I tryed to configure synchronization between FreeIPA and Windows AD 2012. In the thirst time accounts from AD synchronization properly but next schedule after 5 min is not work and in error log I see the following errors:<br> <br> # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors<br> [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=<a rel="nofollow" href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br> [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=<a rel="nofollow" href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br> [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=<a rel="nofollow" href="http://meTocsbi-it-dc01.csbigroup.ru" target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br> <br> </div> <div>Thirst synchronization out<br> <br> Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for <a rel="nofollow" href="http://ipa.test-csbi-its.ru" target="_blank">ipa.test-csbi-its.ru</a><br> ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru<br> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru<br> Windows PassSync entry exists, not resetting password<br> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .<br> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0<br> ipa: INFO: Agreement is ready, starting replication . . .<br> Starting replication, please wait until this has completed.<br> Update in progress, 13 seconds elapsed<br> [<a rel="nofollow" href="http://ipa.test-csbi-its.ru" target="_blank">ipa.test-csbi-its.ru</a>] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]<br> <br> Failed to start replication<br> <br> <br> </div> <div><br> </div> FreeIPA server version 3.3.3<br> </div> OS version Centos 7<br> </div> AD Domain 2012<br> <br> </div> <div>Can you help me to resolve this problem?<br> </div> <div><br> </div> <div> <div> <div> <div> <div> <div> <div> <div dir="ltr">Best regards, Valeriy<br> </div> </div> </div> </div> </div> </div> </div> </div> </div> </blockquote> </div> <br> </div> <br> <fieldset></fieldset> <br> </blockquote> </font><br></div></div>