[Freeipa-users] Active Directory password sync fails with RC 34

Rich Megginson rmeggins at redhat.com
Mon Jun 20 14:49:14 UTC 2016


On 06/18/2016 05:47 AM, Toby Gale wrote:
>
> Hello,
>
> After successfully adding a 'winsync' agreement and loading AD data 
> into FreeIPA I am trying to configure the password sync software on 
> the domain controllers.
>
> I have installed the certificates and can successfully bind from the 
> domain controller using ldp.exe and the 
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>
> I have edited the registry to increase logging, by setting 
> 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am 
> seeing the error:
>
> 06/17/16 08:47:32: Backoff time expired.  Attempting sync
> 06/17/16 08:47:32: Password list has 1 entries
> 06/17/16 08:47:32: Attempting to sync password for some.user
> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
> 06/17/16 08:47:32: Ldap error in QueryUsername
> 34: Invalid DN syntax
>

Take a look at the 389/dirsrv access log on your Linux host at 
/var/log/dirsrv/slapd-HOSTNAME/access and see if you can find the error 
corresponding to this. It should be at the same approximate date/time 
(make sure you check your time zones), and the RESULT line should have err=34.

> 06/17/16 08:47:32: Deferring password change for some.user
> 06/17/16 08:47:32: Backing off for 1024000ms
>
> When I run the query from the CLI, it is successful:
>
> $ ldapsearch -x -H ldaps://localhost:636 -D 
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 
> 'password'  -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' 
> '(ntuserdomainid=some.user)'
>
> Can anyone help me resolve this?
>
> Thanks.
>
>
>

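The correlation Rich describes, finding the RESULT line with err=34 in the dirsrv access log at the moment PassSync reported the failure, can be scripted so that the time-zone step is not done by hand. The following is an added example, not code from this thread or from the FreeIPA/389-ds projects. The access-log lines are constructed samples in the 389 Directory Server access-log format, and the domain controller's UTC offset is an assumed input, since PassSync log stamps carry no zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in 389 Directory Server access-log format (not taken from
# the thread). Timestamps carry the server's own UTC offset; the err=34 RESULT
# on conn=12 op=1 is the kind of line the reply above says to look for.
SAMPLE_ACCESS_LOG = """\
[17/Jun/2016:01:47:31 -0600] conn=12 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.10
[17/Jun/2016:01:47:31 -0600] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com" method=128 version=3
[17/Jun/2016:01:47:31 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com"
[17/Jun/2016:01:47:32 -0600] conn=12 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:01:47:32 -0600] conn=12 op=1 RESULT err=34 tag=101 nentries=0 etime=0
[17/Jun/2016:01:47:32 -0600] conn=12 op=2 UNBIND
[17/Jun/2016:01:47:32 -0600] conn=12 op=2 fd=64 closed - U1
[17/Jun/2016:01:48:10 -0600] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[17/Jun/2016:01:48:10 -0600] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# "[timestamp] conn=N op=M <rest>"; lines without op= (connection open) are skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$"
)
ERR_RE = re.compile(r"\berr=(\d+)")


def parse_access_ts(ts):
    """Convert '17/Jun/2016:01:47:32 -0600' (optionally with fractional
    seconds) to an aware UTC datetime."""
    ts = re.sub(r"\.\d+", "", ts, count=1)
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def failed_operations(lines, err=34):
    """Pair every RESULT line with the request (BIND, SRCH, ...) that shares its
    conn/op and return the pairs whose result code equals `err`."""
    pending = {}  # (conn, op) -> first request line seen for that operation
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        if rest.startswith("RESULT "):
            request = pending.pop(key, "")
            e = ERR_RE.search(rest)
            if e and int(e.group(1)) == err:
                failures.append({
                    "conn": key[0],
                    "op": key[1],
                    "time_utc": parse_access_ts(m.group("ts")),
                    "request": request,
                    "result": rest,
                })
        else:
            # setdefault keeps the SRCH line even if SORT/VLV lines follow it.
            pending.setdefault(key, rest)
    return failures


def passsync_time_utc(stamp, dc_utc_offset_hours):
    """PassSync stamps look like '06/17/16 08:47:32' and have no zone, so the
    domain controller's UTC offset is supplied by the caller (assumed input)."""
    local = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S")
    tz = timezone(timedelta(hours=dc_utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def failures_near(failures, when_utc, window=timedelta(seconds=5)):
    """Failures whose RESULT time is within `window` of the PassSync time."""
    return [f for f in failures if abs(f["time_utc"] - when_utc) <= window]


if __name__ == "__main__":
    fails = failed_operations(SAMPLE_ACCESS_LOG.splitlines())
    # Assumed: the domain controller in this sample runs at UTC+1.
    when = passsync_time_utc("06/17/16 08:47:32", dc_utc_offset_hours=1)
    for f in failures_near(fails, when):
        print(f"conn={f['conn']} op={f['op']} {f['time_utc'].isoformat()}")
        print("  request:", f["request"])
        print("  result: ", f["result"])
```

Run it against the real file with `failed_operations(open("/var/log/dirsrv/slapd-HOSTNAME/access"))` and the DC's actual offset. Matching on conn/op rather than on time alone matters because several PassSync retries can land in the same second; the request line paired with the err=34 RESULT shows exactly which base and filter the server rejected.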