[Freeipa-users] Synchronization Agreements between FreeIPA and AD

Rich Megginson rmeggins at redhat.com
Wed Oct 29 14:07:52 UTC 2014


On 10/29/2014 03:19 AM, Сапегин Валерий wrote:
> Yes Dmitri, ldapsearch works well:
>
> [root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ \
>     ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru \
>     -D "cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w "ttttttttt" \
>     -s base -b "cn=users,dc=csbigroup,dc=ru"
> dn: cn=users,dc=csbigroup,dc=ru
> objectClass: top
> objectClass: container
> cn: Users
> description: Default container for upgraded user accounts
> distinguishedName: CN=Users,DC=csbigroup,DC=ru
> instanceType: 4
> ...
> ...
>

OK. Now try to do a Windows sync with the dirsrv replication error log
level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.

>
> Best regards, Сапегин Валерий
>
> 2014-10-23 16:19 GMT+04:00 Сапегин Валерий <unitaip at gmail.com>:
>
>     Hello!
>
>     I tried to configure synchronization between FreeIPA and Windows
>     AD 2012. The first time, accounts from AD synchronized properly,
>     but the next scheduled run after 5 min does not work, and in the
>     error log I see the following errors:
>
>     # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
>     [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>     [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>     [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>
>     First synchronization output:
>
>     Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
>     ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
>     The user for the Windows PassSync service is
>     uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
>     Windows PassSync entry exists, not resetting password
>     ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>     ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
>     ipa: INFO: Agreement is ready, starting replication . . .
>     Starting replication, please wait until this has completed.
>     Update in progress, 13 seconds elapsed
>     [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
>
>     Failed to start replication
>
>
>
>     FreeIPA server version 3.3.3
>     OS version Centos 7
>     AD Domain 2012
>
>     Can you help me to resolve this problem?
>
>     Best regards, Valeriy
>
>
>
>
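
Added example, not part of the original thread: one way to switch the dirsrv error log to replication debugging, as the reply asks, and then collapse the repeated NSMMReplicationPlugin lines per sync agreement. The level 8192 (389 Directory Server's replication-debugging level) is not given in the thread, and the `LDAP_URI` variable and the sample hosts are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. 8192 is the 389 Directory Server
# error-log level for replication debugging; LDAP_URI is an assumed variable.

# Print the LDIF that sets nsslapd-errorlog-level on cn=config.
errorlog_level_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: %s\n' "$1"
}

# Apply a level as Directory Manager (prompts for the password), e.g.
#   set_errorlog_level 8192   # before re-running the sync
set_errorlog_level() {
    errorlog_level_ldif "$1" |
        ldapmodify -x -H "${LDAP_URI:-ldap://localhost}" -D "cn=Directory Manager" -W
}

# Collapse replication-plugin lines of an errors log (file args or stdin)
# into "count<TAB>agreement<TAB>message"; a retry loop becomes a single row.
summarize_repl_errors() {
    awk '
    / NSMMReplicationPlugin - / {
        agmt = "-"
        if (match($0, /agmt="[^"]*"/))
            agmt = substr($0, RSTART + 6, RLENGTH - 7)
        msg = $0
        sub(/^.* NSMMReplicationPlugin - /, "", msg)
        sub(/^agmt="[^"]*" \([^)]*\): /, "", msg)
        key = agmt "\t" msg
        if (!(key in n)) order[++k] = key
        n[key]++
    }
    END { for (i = 1; i <= k; i++) printf "%d\t%s\n", n[order[i]], order[i] }
    ' "$@"
}

# Constructed sample in the format quoted above (hosts are placeholders).
sample_log() {
    cat <<'EOF'
[23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=meToad1.example.test" (ad1:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:35 +0300] constructed-plugin - unrelated line, ignored
[23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=meToad1.example.test" (ad1:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:38 +0300] NSMMReplicationPlugin - agmt="cn=meToad2.example.test" (ad2:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=meToad1.example.test" (ad1:389): Replica has no update vector. It has never been initialized.
EOF
}

sample_log | summarize_repl_errors
```

Replication debugging is verbose, so the level is normally raised only for the duration of the sync attempt being investigated.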
