<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/13/2014 05:14 AM, Сапегин Валерий
wrote:<br>
</div>
<blockquote
cite="mid:CAOBEyk3J4d7D3jAmWn-4AkdKJ0DHg6e7cLtNUOc74OcQU5EHhQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span lang="en"><span>Hi Rich!<br>
<br>
I turned on the log and see the following records<br>
<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
agmt="cn=<a moz-do-not-send="true"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): State: start_backoff -> backoff<br>
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier
RUV:<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
supplier: {replicageneration} 5440f039000000030000<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
supplier: {replica 3 <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a moz-do-not-send="true"
href="http://ipa.test-csbi-its.ru:389" target="_blank">ipa.test-csbi-its.ru:389</a>}
5440f039000100030000 5464956e000000030000 5464956e<br>
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer
RUV:<br>
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer
RUV = null<br>
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier
RUV is newer<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
agmt="cn=<a moz-do-not-send="true"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): Cancelling linger on the connection<br>
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time:
gen state before 546495820001:1415878018:0:0<br>
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time:
gen state after 546495860000:1415878022:0:0<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
agmt="cn=<a moz-do-not-send="true"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): State: backoff -> sending_updates<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
agmt="cn=<a moz-do-not-send="true"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): Replica has no update vector. It has
never been initialized.<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
agmt="cn=<a moz-do-not-send="true"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): Beginning linger on the connection<br>
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin -
agmt="cn=<a moz-do-not-send="true"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): State: sending_updates ->
start_backoff<br>
<br>
</span></span></div>
</div>
</blockquote>
<br>
There is no windows sync trace activity here. You have to first
enable the replication log level, then do something that will
trigger windows sync activity.<br>
<br>
<blockquote
cite="mid:CAOBEyk3J4d7D3jAmWn-4AkdKJ0DHg6e7cLtNUOc74OcQU5EHhQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div dir="ltr">Best regards, Valeriy<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div><span lang="en"><span></span></span><font color="#000000">
<div><br>
</div>
<div><br>
On 10/29/2014 03:19 AM, Сапегин Валерий wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><font color="#000000">Yes, </font><font
color="#000000">Dmitri, ldapsearch works well:<br>
<br>
[root ipa ~]#
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/
ldapsearch -xLLL -ZZ -h <a moz-do-not-send="true"
rel="nofollow"
href="http://csbi-it-dc01.csbigroup.ru"
target="_blank">csbi-it-dc01.csbigroup.ru</a> -D
"cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w
"ttttttttt" -s base -b "cn=users,dc=csbigroup,dc=ru"<br>
dn: cn=users,dc=csbigroup,dc=ru<br>
objectClass: top<br>
objectClass: container<br>
cn: Users<br>
description: Default container for upgraded user
accounts<br>
distinguishedName: CN=Users,DC=csbigroup,DC=ru<br>
instanceType: 4<br>
...<br>
...<br>
<br>
</font></div>
</blockquote>
<br>
Ok. Now try to do a windows sync with the dirsrv
replication error log level - <a moz-do-not-send="true"
rel="nofollow"
href="http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting"
target="_blank">http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting</a><br>
<br>
Then we can take a look at the detailed errors.<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr">Best regards, Сапегин Валерий<br>
</div>
</div>
<br>
<div class="gmail_quote">2014-10-23 16:19 GMT+04:00
Сапегин Валерий <span dir="ltr"><<a
moz-do-not-send="true" rel="nofollow"
href="mailto:unitaip%20gmail%20com"
target="_blank">unitaip gmail com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div> Hello!<br>
<br>
</div>
I tried to configure synchronization
between FreeIPA and Windows AD 2012. The
first time, accounts from AD
synchronized properly, but the next scheduled run
after 5 min does not work, and in the error log I
see the following errors:<br>
<br>
# tail -f
/var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors<br>
[23/Oct/2014:15:51:34 +0300]
NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true" rel="nofollow"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): Replica has no update
vector. It has never been initialized.<br>
[23/Oct/2014:15:51:37 +0300]
NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true" rel="nofollow"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): Replica has no update
vector. It has never been initialized.<br>
[23/Oct/2014:15:51:40 +0300]
NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true" rel="nofollow"
href="http://meTocsbi-it-dc01.csbigroup.ru"
target="_blank">meTocsbi-it-dc01.csbigroup.ru</a>"
(csbi-it-dc01:389): Replica has no update
vector. It has never been initialized.<br>
<br>
</div>
<div>First synchronization output<br>
<br>
Added CA certificate
/etc/openldap/certs/CSBIGROUP-CA.crt to
certificate database for <a
moz-do-not-send="true" rel="nofollow"
href="http://ipa.test-csbi-its.ru"
target="_blank">ipa.test-csbi-its.ru</a><br>
ipa: INFO: AD Suffix is:
DC=csbigroup,DC=ru<br>
The user for the Windows PassSync service
is
uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru<br>
Windows PassSync entry exists, not
resetting password<br>
ipa: INFO: Added new sync agreement,
waiting for it to become ready . . .<br>
ipa: INFO: Replication Update in progress:
FALSE: status: 0 Replica acquired
successfully: Incremental update started:
start: 0: end: 0<br>
ipa: INFO: Agreement is ready, starting
replication . . .<br>
Starting replication, please wait until
this has completed.<br>
Update in progress, 13 seconds elapsed<br>
[<a moz-do-not-send="true" rel="nofollow"
href="http://ipa.test-csbi-its.ru"
target="_blank">ipa.test-csbi-its.ru</a>]
reports: Update failed! Status: [-1 Total
update abortedLDAP error: Can't contact
LDAP server]<br>
<br>
Failed to start replication<br>
<br>
<br>
</div>
<div><br>
</div>
FreeIPA server version 3.3.3<br>
</div>
OS version Centos 7<br>
</div>
AD Domain 2012<br>
<br>
</div>
<div>Can you help me to resolve this problem?<br>
</div>
<div><br>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div dir="ltr">Best regards, Valeriy<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
</font><br>
</div>
</div>
</blockquote>
<br>
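The errors-log excerpts quoted in this thread can be summarized per sync agreement, as in this added example (not part of the original messages and not 389 DS or FreeIPA code): it parses lines in the quoted format and reports agreements that log "Replica has no update vector" and then return to start_backoff. The sample log is constructed from the lines quoted above, and summarize and stuck_agreements are hypothetical helper names.<br>
<pre>
```python
import re

# Constructed sample in the format of the errors log quoted in the thread
# (link markup removed, wrapped lines joined).
AGMT = 'agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389)'
TS = "[13/Nov/2014:14:27:02 +0300]"
SAMPLE_LOG = "\n".join([
    f"{TS} NSMMReplicationPlugin - {AGMT}: State: start_backoff -> backoff",
    f"{TS} - acquire_replica, consumer RUV = null",
    f"{TS} NSMMReplicationPlugin - {AGMT}: State: backoff -> sending_updates",
    f"{TS} NSMMReplicationPlugin - {AGMT}: Replica has no update vector. "
    "It has never been initialized.",
    f"{TS} NSMMReplicationPlugin - {AGMT}: State: sending_updates -> start_backoff",
])

# "[timestamp] [subsystem ]- message"; the subsystem is absent on some lines.
LINE_RE = re.compile(r"^\[([^\]]+)\] (?:(\S+) )?- (.*)$")
AGMT_RE = re.compile(r'^agmt="([^"]+)" \(([^)]+)\): (.*)$')
STATE_RE = re.compile(r"^State: (\S+) -> (\S+)$")


def summarize(log_text):
    """Group agreement messages: consumer, state path, uninitialized count."""
    result = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # continuation line or foreign format
        agmt = AGMT_RE.match(line.group(3))
        if not agmt:
            continue  # acquire_replica / csngen lines name no agreement
        name, message = agmt.group(1), agmt.group(3)
        entry = result.setdefault(
            name, {"consumer": agmt.group(2), "states": [], "uninitialized": 0})
        state = STATE_RE.match(message)
        if state:
            if not entry["states"]:
                entry["states"].append(state.group(1))
            entry["states"].append(state.group(2))
        elif message.startswith("Replica has no update vector"):
            entry["uninitialized"] += 1
    return result


def stuck_agreements(summary):
    """Agreements that report an uninitialized replica and end in start_backoff."""
    return [name for name, e in summary.items()
            if e["uninitialized"] and e["states"][-1:] == ["start_backoff"]]


if __name__ == "__main__":
    print(stuck_agreements(summarize(SAMPLE_LOG)))
```
</pre>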
</body>
</html>