[Freeipa-users] Active Directory password sync fails with RC 34

Rich Megginson rmeggins at redhat.com
Tue Jun 21 21:26:39 UTC 2016


Great!  Glad you got that working.

Next step is to use AD trust instead of sync . . .

On 06/21/2016 12:58 AM, Toby Gale wrote:
> Thanks for the help Rich.
>
> Looking at the log I noticed some extra characters in the DN that 
> corresponds to "Search Base".  I got the Windows admin to share his 
> RDP session to the DC and had a look at the registry in 
> "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same 
> characters in the "Search Base" key.  I think the extra characters 
> were accidentally copy-pasted from the documentation I sent them.
>
> Removing them and restarting the service has resolved the problem.
>
>
> On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 06/18/2016 05:47 AM, Toby Gale wrote:
>>
>>     Hello,
>>
>>     After successfully adding a 'winsync' agreement and loading AD
>>     data into FreeIPA I am trying to configure the password sync
>>     software on the domain controllers.
>>
>>     I have installed the certificates and can successfully bind from
>>     the domain controller using ldp.exe and the
>>     'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>>
>>     I have edited the registry to increase logging, by setting
>>     'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I
>>     am seeing the error:
>>
>>     06/17/16 08:47:32: Backoff time expired.  Attempting sync
>>     06/17/16 08:47:32: Password list has 1 entries
>>     06/17/16 08:47:32: Attempting to sync password for some.user
>>     06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
>>     06/17/16 08:47:32: Ldap error in QueryUsername
>>     34: Invalid DN syntax
>>
>
>     Take a look at the 389/dirsrv access log on your linux host at
>     /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the
>     error corresponding to this - it should be at the same approximate
>     date/time (make sure you check your time zones) and the RESULT
>     line should have err=34
>
>>     06/17/16 08:47:32: Deferring password change for some.user
>>     06/17/16 08:47:32: Backing off for 1024000ms
>>
>>     When I run the query from the CLI, it is successful:
>>
>>     $ ldapsearch -x -H ldaps://localhost:636 \
>>         -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' \
>>         -w 'password' \
>>         -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' \
>>         '(ntuserdomainid=some.user)'
>>
>>     Can anyone help me resolve this?
>>
>>     Thanks.
>>
>>
>>
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project

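To follow Rich's suggestion above and pull the err=34 RESULT line together with the SRCH it answers (389-ds ties them by conn and op), here is an added example that is not from the thread or the FreeIPA project. The log lines are constructed; the escaped non-breaking space in the base DN stands in for whatever stray characters landed in the Search Base registry key.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a 389-ds (dirsrv) access log, not a real capture. The
# first SRCH carries a base DN with a stray non-breaking space, which 389-ds
# writes into the log as the escaped bytes \c2\a0 and rejects with err=34.
SAMPLE_LOG = """\
[17/Jun/2016:08:47:30 +0000] conn=12 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.2
[17/Jun/2016:08:47:30 +0000] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com" method=128 version=3
[17/Jun/2016:08:47:30 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[17/Jun/2016:08:47:32 +0000] conn=12 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com\\c2\\a0" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:08:47:32 +0000] conn=12 op=1 RESULT err=34 tag=101 nentries=0 etime=0
[17/Jun/2016:08:47:40 +0000] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:08:47:40 +0000] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) ')
ESC_RE = re.compile(r'\\([0-9a-fA-F]{2})')
# Heuristic alphabet for the DNs in this deployment; anything outside it is reported.
DN_OK_RE = re.compile(r'^[A-Za-z0-9=,.\-_ +@]$')

def unescape(s: str) -> str:
    """Decode the \\xx byte escapes 389-ds uses in the access log back to text."""
    raw = ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return raw.encode('latin-1').decode('utf-8', errors='replace')

def suspicious_chars(dn: str) -> List[str]:
    """Report code points in a DN that fall outside the conservative alphabet."""
    return ['U+%04X' % ord(c) for c in dn if not DN_OK_RE.match(c)]

def find_failed_searches(log_text: str, err: int = 34) -> List[Dict[str, object]]:
    """Pair each SRCH with its RESULT on the same conn/op; keep those with the given err."""
    pending: Dict[Tuple[str, str], Dict[str, object]] = {}
    failed: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close lines carry no op=
        key = (m['conn'], m['op'])
        s = SRCH_RE.match(m['rest'])
        if s:
            pending[key] = {'ts': m['ts'], 'conn': m['conn'], 'op': m['op'],
                            'base': unescape(s['base']), 'filter': s['filter']}
            continue
        r = RESULT_RE.match(m['rest'])
        if r and key in pending:
            srch = pending.pop(key)
            if int(r['err']) == err:
                srch['err'] = int(r['err'])
                srch['suspicious'] = suspicious_chars(str(srch['base']))
                failed.append(srch)
    return failed

if __name__ == '__main__':
    for f in find_failed_searches(SAMPLE_LOG):
        print(f"{f['ts']} conn={f['conn']} op={f['op']} err={f['err']} base={f['base']!r} odd={f['suspicious']}")
```

Run it against the real file with `find_failed_searches(open('/var/log/dirsrv/slapd-HOSTNAME/access').read())`, remembering Rich's note that the log timestamps are in the server's time zone, not the DC's.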