<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 11/26/2013 04:16 AM, Emil Petersson wrote:
<blockquote cite="mid:529466D1.7020207@melt.se" type="cite">
<br>
<div class="moz-cite-prefix">On 26/11/13 01:05, Rich Megginson
wrote:<br>
</div>
<blockquote cite="mid:5293E5B3.4020106@redhat.com" type="cite">
<div class="moz-cite-prefix">On 11/25/2013 04:57 PM, Rich
Megginson wrote:<br>
</div>
<blockquote cite="mid:5293E3F1.3010002@redhat.com" type="cite">
<div class="moz-cite-prefix">On 11/25/2013 11:51 AM, Emil
Petersson wrote:<br>
</div>
<blockquote
cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
type="cite">
On 25 Nov 2013, at 17:21, Rich Megginson <<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>
wrote:<br>
<div><br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"
style="font-family: Helvetica; font-size: 15px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows:
auto; word-spacing: 0px; -webkit-text-stroke-width:
0px;">
<div class="moz-cite-prefix">On 11/25/2013 08:14 AM,
Emil Petersson wrote:<br>
</div>
<blockquote cite="mid:5293694E.9060606@melt.se"
type="cite">Hi,<br>
<br>
I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing
some unexpected behaviour with winsync replication.<br>
<br>
1. I have a working winsync agreement, and users are
synced correctly.<br>
<br>
2. If a user already exists in IPA when I sync it
from AD, I'm seeing the following in the dirsrv
error logs:<br>
<br>
[25/Nov/2013:14:29:03 +0000]
NSMMReplicationPlugin - windows_update_local_entry:
failed to modify entry
uid=username,cn=users,cn=accounts,dc=domain,dc=net -
error 21:Invalid syntax<br>
<br>
I assume this is because the user already exists
in dirsrv? Fine.<br>
</blockquote>
<br>
No. Error 21 is Invalid Syntax. This means the
format of the data in the attribute in AD is not
correct for the given syntax. For example, if the
syntax is Integer, this means the data should be a
valid integer. However, AD allows data that violates
LDAP syntax.<br>
<br>
Can you post the data from the AD entry that
corresponds to
uid=username,cn=users,cn=accounts,dc=domain,dc=net?
Please be sure to obscure any sensitive data. I'd
like to identify the data that is causing this
problem.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Certainly, here goes:</div>
<div><br>
</div>
<div>
<div>dn: CN=Firstname
Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=</div>
<div> domain,DC=com</div>
<div>objectClass: top</div>
<div>objectClass: person</div>
<div>objectClass: organizationalPerson</div>
<div>objectClass: user</div>
<div>cn: Firstname Lastname</div>
<div>sn: Lastname</div>
<div>title: Sysadmin</div>
<div>description: Employee</div>
<div>physicalDeliveryOfficeName: XX-XX-XX</div>
<div>telephoneNumber: +00 00 000 0</div>
<div>facsimileTelephoneNumber: +00 00 000 0</div>
<div>givenName: Firstname</div>
<div>distinguishedName: CN=Firstname
Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O</div>
<div> rganization,DC=domain,DC=com</div>
<div>instanceType: 4</div>
<div>whenCreated: 20110321122858.0Z</div>
<div>whenChanged: 20131120104224.0Z</div>
<div>displayName: Firstname Lastname</div>
<div>uSNCreated: 76590</div>
<div> ngame,DC=com</div>
<div>memberOf:
CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
<div>memberOf:
CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
<div>uSNChanged: 66378160</div>
<div>department: Infrastructure</div>
<div>company: Company name</div>
<div>homeMTA: CN=Microsoft
MTA,CN=MBX,CN=Servers,CN=Exchange Administrative Group
(</div>
<div> FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=globalmail,CN=Microsoft Exchange</div>
<div> ,CN=Services,CN=Configuration,DC=domain,DC=com</div>
<div>proxyAddresses: SMTP:first.last@domain.com</div>
<div>proxyAddresses: smtp:first.last@domain2.com</div>
<div>proxyAddresses: smtp:first.last@domain3.com</div>
<div>proxyAddresses: sip:first.last@domain.com</div>
<div>proxyAddresses: X400:C=SE;A=
;P=globalmail;O=Exchange;S=Lastname;G=Firstname;</div>
<div>homeMDB: CN=DB3,CN=SG03 -
2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang</div>
<div> e Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalma</div>
<div> il,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com</div>
<div>garbageCollPeriod: 1209600</div>
<div>mDBUseDefaults: TRUE</div>
<div>extensionAttribute8: Companyname</div>
<div>mailNickname: username</div>
<div>protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==</div>
<div>protocolSettings:: T1dBwqcx</div>
<div>internetEncoding: 0</div>
<div>name: Firstnam Lastname</div>
<div>objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==</div>
<div>userAccountControl: 512</div>
<div>badPwdCount: 0</div>
<div>codePage: 0</div>
<div>countryCode: 0</div>
<div>homeDirectory: \\path\to\home</div>
<div>homeDrive: H:</div>
<div>badPasswordTime: 130295283826410995</div>
<div>lastLogoff: 0</div>
<div>lastLogon: 130297464093469882</div>
<div>pwdLastSet: 130294130189116476</div>
<div>primaryGroupID: 513</div>
<div>objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==</div>
<div>accountExpires: 0</div>
<div>logonCount: 6909</div>
<div>sAMAccountName: username</div>
<div>sAMAccountType: 805306368</div>
<div>showInAddressBook: CN=Default Global Address
List,CN=All Global Address Lists,</div>
<div> CN=Address Lists
Container,CN=globalmail,CN=Microsoft
Exchange,CN=Services,CN</div>
<div> =Configuration,DC=domain,DC=com</div>
<div>showInAddressBook: CN=All Users,CN=All Address
Lists,CN=Address Lists Containe</div>
<div> r,CN=globalmail,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,</div>
<div> DC=com</div>
<div>legacyExchangeDN: /o=globalmail/ou=Exchange
Administrative Group (FYDIBOHF23SP</div>
<div> DLT)/cn=Recipients/cn=username</div>
<div>userPrincipalName: <a moz-do-not-send="true"
href="mailto:first@domain.com">first@domain.com</a></div>
<div>lockoutTime: 0</div>
<div>ipPhone: +00 00 00 00</div>
<div>objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com</div>
<div>dSCorePropagationData: 20131118102944.0Z</div>
<div>dSCorePropagationData: 20131118102934.0Z</div>
<div>dSCorePropagationData: 20130313150036.0Z</div>
<div>dSCorePropagationData: 20120821144903.0Z</div>
<div>dSCorePropagationData: 16010101181216.0Z</div>
<div>lastLogonTimestamp: 130294177442871790</div>
<div>textEncodedORAddress: c=XX;a=
;p=globalmail;o=Exchange;s=Lastname;g=Firstname;</div>
<div>mail: <a moz-do-not-send="true"
href="mailto:first.last@domain.com">first.last@domain.com</a></div>
<div>manager: CN=Manager
Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o</div>
<div> ngame,DC=com</div>
<div>mobile:: KzQ2NzI3mjMEMTEwwqAJ</div>
</div>
</div>
</blockquote>
</blockquote>
<br>
I think this may be the problem. mobile contains non-printable
characters:<br>
$ python<br>
>>> import base64<br>
>>> base64.b64decode('KzQ2NzI3mjMEMTEwwqAJ')<br>
'+46727\x9a3\x04110\xc2\xa0\t'<br>
<br>
Looks like the mobile phone number contains UTF-8 characters. It
must not:<br>
/* Per RFC4517:<br>
*<br>
* TelephoneNumber = PrintableString<br>
* PrintableString = 1*PrintableCharacter<br>
*/<br>
<br>
Unfortunately, AD syntax checking leaves a lot to be desired, so
it allows this and other bogus data. IPA/389 is much stricter.<br>
</blockquote>
Hey Rich,<br>
<br>
You are correct! <br>
<br>
All "mobile" entries in our AD is base64 encoded and ends with
"\xc2\xa0\t". Removing the junk characters from the mobile entry
makes the user sync correctly, regardless of if the user pre
exists or not. Issue solved, thanks alot for pointing this out!<br>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
Added a solved tag to subj.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
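<p>Editor's added example (not code from the thread, from FreeIPA or from 389-ds): a small Python pre-flight check that does what Rich did by hand above, over a whole ldapsearch-style LDIF dump of an AD user. It unfolds LDIF continuation lines, decodes values written with <code>::</code> (base64), and flags any attribute carrying the TelephoneNumber syntax whose bytes fall outside RFC 4517 PrintableString, so entries that winsync would reject with error 21 can be found and cleaned on the AD side before the sync runs. The attribute list (telephoneNumber, mobile, homePhone, pager) is an assumption about which attributes use that syntax in the 389-ds schema; facsimileTelephoneNumber is deliberately left out because it has its own syntax. The sample entry is constructed and is not the poster's data.</p>

```python
"""Pre-flight check of AD user entries for values that 389-ds / IPA will
reject with LDAP error 21 (Invalid Syntax) during winsync.

Added example, not FreeIPA or 389-ds code. The sample LDIF is constructed."""
import base64
import string
from typing import Dict, List, Tuple

# RFC 4517 s3.3.29:
#   PrintableCharacter = ALPHA / DIGIT / SQUOTE / LPAREN / RPAREN / PLUS /
#                        COMMA / HYPHEN / DOT / EQUALS / SLASH / COLON /
#                        QUESTION / SPACE
PRINTABLE = frozenset(string.ascii_letters + string.digits + "'()+,-.=/:? ")

# Assumption: attributes whose 389-ds syntax is TelephoneNumber (= PrintableString).
# facsimileTelephoneNumber is excluded on purpose: it has a different syntax.
TELEPHONE_ATTRS = ("telephonenumber", "mobile", "homephone", "pager")


def parse_ldif_entry(text: str) -> Dict[str, List[bytes]]:
    """Minimal LDIF parser for one entry: joins folded continuation lines
    (leading space), decodes '::' base64 values, lower-cases attribute names
    and returns attr -> list of raw byte values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # LDIF fold: continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry: Dict[str, List[bytes]] = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # "attr:: <base64>" -> binary/non-safe value
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(data)
    return entry


def bad_printable_chars(value: bytes) -> List[Tuple[int, int]]:
    """Return (offset, byte) for every byte not allowed in a PrintableString."""
    return [(i, b) for i, b in enumerate(value) if chr(b) not in PRINTABLE]


def find_syntax_violations(entry: Dict[str, List[bytes]]) -> List[Tuple[str, bytes, List[Tuple[int, int]]]]:
    """List (attr, value, offending bytes) for TelephoneNumber-syntax attributes
    that 389-ds would refuse with error 21."""
    problems = []
    for attr in TELEPHONE_ATTRS:
        for value in entry.get(attr, []):
            bad = bad_printable_chars(value)
            if bad:
                problems.append((attr, value, bad))
    return problems


def clean_telephone(value: bytes) -> str:
    """Drop every non-PrintableString byte; this is the remediation the thread
    applied by hand (removing the trailing U+00A0 and tab from 'mobile')."""
    return "".join(chr(b) for b in value if chr(b) in PRINTABLE).strip()


# Constructed sample: a mobile number pasted into AD with a trailing non-breaking
# space (UTF-8 c2 a0) and a tab, which ldapsearch therefore prints base64-encoded.
_BAD_MOBILE = b"+46 70 000 00 00\xc2\xa0\t"
SAMPLE_LDIF = (
    "dn: CN=Firstname Lastname,OU=Users,DC=example,\n"
    " DC=com\n"
    "objectClass: user\n"
    "sAMAccountName: username\n"
    "telephoneNumber: +46 8 000 00 00\n"
    "mobile:: " + base64.b64encode(_BAD_MOBILE).decode("ascii") + "\n"
    "description: Employee\n"
)

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for attr, value, bad in find_syntax_violations(entry):
        print(f"{entry['dn'][0].decode()}: {attr} {value!r} has invalid bytes "
              f"{[hex(b) for _, b in bad]}; cleaned value {clean_telephone(value)!r}")
```

<p>Run it against <code>ldapsearch -LLL</code> output of the AD users covered by the winsync agreement; anything it reports is data AD accepted but 389-ds's syntax plugin will not, and it is quicker to fix the value in AD than to chase error 21 in the dirsrv error log one user at a time.</p>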
</body>
</html>