<div dir="ltr">Thanks for the help Rich.<div><br></div><div>Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "<span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt">HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them.</span></div><div><span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt"><br></span></div><div><span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt">Removing them and restarting the service has resolved the problem.</span></div><div><span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt"><br></span></div><p class="MsoNormal" style="margin-bottom:0.0001pt"></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><span class=""> <div>On 06/18/2016 05:47 AM, Toby Gale wrote:<br> </div> <blockquote type="cite"> <p dir="ltr">Hello,</p> <p dir="ltr">After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers.</p> <p dir="ltr">I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.</p> <p dir="ltr">I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error:</p> <p dir="ltr"><font color="#000000">06/17/16 08:47:32: Backoff time expired. Attempting sync</font><br> <font color="#000000">06/17/16 08:47:32: Password list has 1 entries</font><br> <font color="#000000">06/17/16 08:47:32: Attempting to sync password for some.user</font><br> <font color="#000000">06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)</font><br> <font color="#000000">06/17/16 08:47:32: Ldap error in QueryUsername</font><br> <font color="#000000"> 34: Invalid DN syntax</font><br> </p> </blockquote> <br></span> Take a look at the 389/dirsrv access log on your linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error corresponding to this - it should be at the same approximate date/time (make sure you check your time zones) and the RESULT line should have err=34<span class=""><br> <br> <blockquote type="cite"> <p dir="ltr"> <font color="#000000">06/17/16 08:47:32: Deferring password change for some.user</font><br> <font color="#000000">06/17/16 08:47:32: Backing off for 1024000ms</font><br> </p> <p dir="ltr"><font color="#000000">When I run the query from the CLI, it is successful:</font><br> </p> <p dir="ltr"><font color="#000000">$ ldapsearch -x -h <a>ldaps://localhost</a> -p 636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'</font></p> <p dir="ltr"><font color="#000000">Can anyone help me resolve this?</font></p> <p dir="ltr"><font color="#000000">Thanks.</font></p> <br> <fieldset></fieldset> <br> </blockquote> <p><br> </p> </span></div> <br>--<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>