<div dir="ltr">Thanks for the help Rich.<div><br></div><div>Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "<span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt">HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them.</span></div><div><span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt"><br></span></div><div><span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt">Removing them and restarting the service has resolved the problem.</span></div><div><span style="color:black;font-family:"Segoe UI",sans-serif;font-size:10pt"><br></span></div><p class="MsoNormal" style="margin-bottom:0.0001pt"></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 06/18/2016 05:47 AM, Toby Gale
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Hello,</p>
<p dir="ltr">After successfully adding a 'winsync' agreement and
loading AD data into FreeIPA I am trying to configure the
password sync software on the domain controllers.</p>
<p dir="ltr">I have installed the certificates and can
successfully bind from the domain controller using ldp.exe and
the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com'
user.</p>
<p dir="ltr">I have edited the registry to increase logging, by
setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to
'1' and I am seeing the error:</p>
<p dir="ltr"><font color="#000000">06/17/16 08:47:32: Backoff time
expired. Attempting sync</font><br>
<font color="#000000">06/17/16 08:47:32: Password list has 1
entries</font><br>
<font color="#000000">06/17/16 08:47:32: Attempting to sync
password for some.user</font><br>
<font color="#000000">06/17/16 08:47:32: Searching for
(ntuserdomainid=some.user)</font><br>
<font color="#000000">06/17/16 08:47:32: Ldap error in
QueryUsername</font><br>
<font color="#000000"> 34: Invalid DN syntax</font><br>
</p>
</blockquote>
<br></span>
Take a look at the 389/dirsrv access log on your linux host at
/var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the
error corresponding to this - it should be at the same approximate
date/time (make sure you check your time zones) and the RESULT line
should have err=34<span class=""><br>
<br>
<blockquote type="cite">
<p dir="ltr">
<font color="#000000">06/17/16 08:47:32: Deferring password
change for some.user</font><br>
<font color="#000000">06/17/16 08:47:32: Backing off for
1024000ms</font><br>
</p>
<p dir="ltr"><font color="#000000">When I run the query from the
CLI, it is successful:</font><br>
</p>
<p dir="ltr"><font color="#000000">$ ldapsearch -x -h
<a>ldaps://localhost</a> -p 636 -D
'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w
'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com'
'(ntuserdomainid=some.user)'</font></p>
<p dir="ltr"><font color="#000000">Can anyone help me resolve
this?</font></p>
<p dir="ltr"><font color="#000000">Thanks.</font></p>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<p><br>
</p>
</span></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>