[Fedora-directory-users] Windows Sync Error

Glenn glenn at mail.txwes.edu
Wed Nov 29 22:20:12 UTC 2006


David, Richard - Thanks for the pointers.  I took the ldif created by 
Windows Sync for one user and stripped it completely, then added lines from 
the original until it would import into Active Directory.  I was not able to 
make ldapmodify connect to the AD server, so I continued to use ldifde on 
the AD server itself.  I made a few import rules from this experience:

- LDAP attributes cannot be blank.  In the example below, I had to remove 
the entries for userparameters, userworkstations, homeDirectory and 
profilepath for the file to import.

- I had to remove the codepage entry.  I don't know whether AD objects to 
the attribute, the data, and/or the extra colon.

- My directory includes the domain name and a colon in samaccountname.  I 
don't know whether to blame this on the ldif export from Netscape Directory 
or the import to DS 7.1, but AD does not allow colons in this data.  Also, 
the domain name should not be included, because this attribute is mapped 
to "pre-W2000 logon name" in Active Directory, which does not include the 
domain name.

- The userprincipalname attribute has the same problem.

The Windows Sync documentation indicates that Windows Sync will populate an 
Active Directory, but I find this difficult to believe given the 
limitations noted above.  I admit that I haven't tried working with the 
schema.  I'm thinking it might be faster to export an ldif from the 
Directory Server, clean it up with a word processor, and import it into AD 
using the Microsoft ldifde tool.

But will synchronization work any better than initialization, given the 
differences that will exist between data in the two directories?  Should I 
remove all the entries from the Directory Server after cleaning up the ldif, 
and import that into the Directory Server as well as the AD?   -Glenn.

Example:

dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: user
userprincipalname: TWU:jdoe@ad.example.com
samaccountname: TWU:jdoe
mail: jdoe@example.com
userparameters:
description: Reference Librarian
sn: Doe
telephoneNumber: 817-555-1234
codepage:: AAAAAA==
cn: John Doe
userworkstations:
title: Electronic Reference Librarian
homeDirectory:
profilepath:
givenName: John
facsimileTelephoneNumber: 817-555-2345
scriptpath: nt_script.bat



---------- Original Message -----------
From: David Boreham <david_list at boreham.org>
To: "General discussion list for the Fedora Directory server project." 
<fedora-directory-users at redhat.com>
Sent: Tue, 28 Nov 2006 17:57:56 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Error

> Glenn wrote:
> 
> >I wasn't thinking when I said the directory server data was imported from
> >NT.  It actually came from a Netscape Directory server.  Just as a test, I
> >exported a few users to an ldif file and tried to use the ldifde on the W2003
> >domain controller to import them.  It seems to find a syntax error on every
> >line in the file, making it impossible to narrow it down.
> >
> >I can't possibly be the only person who has run into this problem.  Hoping
> >someone can shed some light.  Thanks.   -Glenn.
> >
> We ran into this problem while developing the code.
> Unfortunately AD is brain-damaged when it comes to
> diagnosing why it objected to a particular operation.
> There seems to be no way to get it to log some decent
> diagnostic information, and it does not provide an adequate
> error message over the wire.
> 
> In debugging these problems I first added the code that you
> have seen that dumps out the complete entry to the log.
> Then I pasted the entry into an ldapmodify command
> to reproduce the problem outside the server. Finally I
> edited the LDIF to trim off likely looking attributes until
> AD quit complaining. At that point I knew which one it
> was barfing over.
> 
> I would begin by removing all the NT domain related
> attributes from a test entry and see if it adds ok.
> Then add them back one by one to see which is
> causing the problem.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of Original Message -------
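The import rules Glenn lists above (no blank values, drop codepage, strip the "DOMAIN:" prefix from samaccountname and userprincipalname) written up as a small LDIF cleaner that replaces the word-processor step. This is an added example, not code from the thread or from Directory Server; the input is a constructed, shortened copy of the posted entry, and turning mailman's " at " back into "@" is an assumption about the original.

```python
import re

# Constructed input: shortened copy of the posted entry; "@" restored (assumed).
SAMPLE_LDIF = """\
dn: cn=John Doe,ou=Domain Users,dc=ad,dc=example,dc=com
objectClass: user
userprincipalname: TWU:jdoe@ad.example.com
samaccountname: TWU:jdoe
userparameters:
codepage:: AAAAAA==
homeDirectory:
"""
DROP_ATTRS = {"codepage"}                                # rule 2 in the post
PREFIX_ATTRS = {"samaccountname", "userprincipalname"}   # rules 3 and 4
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")  # attr, ':' or '::', value

def parse_ldif(text):
    """Return entries as lists of (attr, sep, value); sep '::' marks base64.
    Folded continuation lines are not handled (none occur in the post)."""
    entries, current = [], []
    for line in text.splitlines() + [""]:   # sentinel flushes the last entry
        if line.strip():
            m = LINE_RE.match(line.rstrip())  # trailing blanks are not data
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            current.append(m.groups())
        elif current:
            entries.append(current)
            current = []
    return entries

def clean_entry(entry):
    """Apply the import rules from the post; return (cleaned entry, change log)."""
    cleaned, log = [], []
    for attr, sep, value in entry:
        key = attr.lower()
        if value == "":                       # rule 1: AD rejects blank values
            log.append("dropped empty " + attr)
        elif key in DROP_ATTRS:
            log.append("dropped " + attr)
        else:
            if key in PREFIX_ATTRS and ":" in value:
                value = value.split(":", 1)[1]   # drop the "TWU:" domain prefix
                log.append("stripped domain prefix from " + attr)
            cleaned.append((attr, sep, value))
    return cleaned, log

def clean_ldif(text):
    cleaned = [clean_entry(e)[0] for e in parse_ldif(text)]
    return "\n\n".join("\n".join("%s%s %s" % t for t in e) for e in cleaned) + "\n"
```

The output of clean_ldif is what would be handed to ldifde; the change log from clean_entry shows which attributes were touched so the same edits can be mirrored on the Directory Server side.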