<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 26/11/13 01:05, Rich Megginson
wrote:<br>
</div>
<blockquote cite="mid:5293E5B3.4020106@redhat.com" type="cite">
<div class="moz-cite-prefix">On 11/25/2013 04:57 PM, Rich
Megginson wrote:<br>
</div>
<blockquote cite="mid:5293E3F1.3010002@redhat.com" type="cite">
<div class="moz-cite-prefix">On 11/25/2013 11:51 AM, Emil
Petersson wrote:<br>
</div>
<blockquote
cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
type="cite">
On 25 Nov 2013, at 17:21, Rich Megginson <<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>
wrote:<br>
<div><br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000" style="font-family:
Helvetica; font-size: 15px; font-style: normal;
font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class="moz-cite-prefix">On 11/25/2013 08:14 AM,
Emil Petersson wrote:<br>
</div>
<blockquote cite="mid:5293694E.9060606@melt.se"
type="cite">Hi,<br>
<br>
I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some
unexpected behaviour with winsync replication.<br>
<br>
1. I have a working winsync agreement, and users are
synced correctly.<br>
<br>
2. If a user already exists in IPA when I sync it
from AD, I'm seeing the following in the dirsrv error
logs:<br>
<br>
[25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin
- windows_update_local_entry: failed to modify entry
uid=username,cn=users,cn=accounts,dc=domain,dc=net -
error 21:Invalid syntax<br>
<br>
I assume this is because the user already exists
in dirsrv? Fine.<br>
</blockquote>
<br>
No. Error 21 is Invalid Syntax. This means the format
of the data in the attribute in AD is not correct for
the given syntax. For example, if the syntax is
Integer, this means the data should be a valid integer.
However, AD allows data that violates LDAP syntax.<br>
<br>
Can you post the data from the AD entry that corresponds
to uid=username,cn=users,cn=accounts,dc=domain,dc=net?
Please be sure to obscure any sensitive data. I'd like
to identify the data that is causing this problem.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Certainly, here goes:</div>
<div><br>
</div>
<div>
<div>dn: CN=Firstname
Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=</div>
<div> domain,DC=com</div>
<div>objectClass: top</div>
<div>objectClass: person</div>
<div>objectClass: organizationalPerson</div>
<div>objectClass: user</div>
<div>cn: Firstname Lastname</div>
<div>sn: Lastname</div>
<div>title: Sysadmin</div>
<div>description: Employee</div>
<div>physicalDeliveryOfficeName: XX-XX-XX</div>
<div>telephoneNumber: +00 00 000 0</div>
<div>facsimileTelephoneNumber: +00 00 000 0</div>
<div>givenName: Firstname</div>
<div>distinguishedName: CN=Firstname
Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O</div>
<div> rganization,DC=domain,DC=com</div>
<div>instanceType: 4</div>
<div>whenCreated: 20110321122858.0Z</div>
<div>whenChanged: 20131120104224.0Z</div>
<div>displayName: Firstname Lastname</div>
<div>uSNCreated: 76590</div>
<div> ngame,DC=com</div>
<div>memberOf:
CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
<div>memberOf:
CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
<div>uSNChanged: 66378160</div>
<div>department: Infrastructure</div>
<div>company: Company name</div>
<div>homeMTA: CN=Microsoft
MTA,CN=MBX,CN=Servers,CN=Exchange Administrative Group (</div>
<div> FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=globalmail,CN=Microsoft Exchange</div>
<div> ,CN=Services,CN=Configuration,DC=domain,DC=com</div>
<div>proxyAddresses: SMTP:first.last@domain.com</div>
<div>proxyAddresses: smtp:first.last@domain2.com</div>
<div>proxyAddresses: smtp:first.last@domain3.com</div>
<div>proxyAddresses: sip:first.last@domain.com</div>
<div>proxyAddresses: X400:C=SE;A=
;P=globalmail;O=Exchange;S=Lastname;G=Firstname;</div>
<div>homeMDB: CN=DB3,CN=SG03 -
2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang</div>
<div> e Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalma</div>
<div> il,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com</div>
<div>garbageCollPeriod: 1209600</div>
<div>mDBUseDefaults: TRUE</div>
<div>extensionAttribute8: Companyname</div>
<div>mailNickname: username</div>
<div>protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==</div>
<div>protocolSettings:: T1dBwqcx</div>
<div>internetEncoding: 0</div>
<div>name: Firstnam Lastname</div>
<div>objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==</div>
<div>userAccountControl: 512</div>
<div>badPwdCount: 0</div>
<div>codePage: 0</div>
<div>countryCode: 0</div>
<div>homeDirectory: \\path\to\home</div>
<div>homeDrive: H:</div>
<div>badPasswordTime: 130295283826410995</div>
<div>lastLogoff: 0</div>
<div>lastLogon: 130297464093469882</div>
<div>pwdLastSet: 130294130189116476</div>
<div>primaryGroupID: 513</div>
<div>objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==</div>
<div>accountExpires: 0</div>
<div>logonCount: 6909</div>
<div>sAMAccountName: username</div>
<div>sAMAccountType: 805306368</div>
<div>showInAddressBook: CN=Default Global Address
List,CN=All Global Address Lists,</div>
<div> CN=Address Lists
Container,CN=globalmail,CN=Microsoft
Exchange,CN=Services,CN</div>
<div> =Configuration,DC=domain,DC=com</div>
<div>showInAddressBook: CN=All Users,CN=All Address
Lists,CN=Address Lists Containe</div>
<div> r,CN=globalmail,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,</div>
<div> DC=com</div>
<div>legacyExchangeDN: /o=globalmail/ou=Exchange
Administrative Group (FYDIBOHF23SP</div>
<div> DLT)/cn=Recipients/cn=username</div>
<div>userPrincipalName: first@domain.com</div>
<div>lockoutTime: 0</div>
<div>ipPhone: +00 00 00 00</div>
<div>objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com</div>
<div>dSCorePropagationData: 20131118102944.0Z</div>
<div>dSCorePropagationData: 20131118102934.0Z</div>
<div>dSCorePropagationData: 20130313150036.0Z</div>
<div>dSCorePropagationData: 20120821144903.0Z</div>
<div>dSCorePropagationData: 16010101181216.0Z</div>
<div>lastLogonTimestamp: 130294177442871790</div>
<div>textEncodedORAddress: c=XX;a=
;p=globalmail;o=Exchange;s=Lastname;g=Firstname;</div>
<div>mail: first.last@domain.com</div>
<div>manager: CN=Manager
Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o</div>
<div> ngame,DC=com</div>
<div>mobile:: KzQ2NzI3mjMEMTEwwqAJ</div>
</div>
</div>
</blockquote>
</blockquote>
<br>
I think this may be the problem. mobile contains non-printable
characters:<br>
$ python<br>
&gt;&gt;&gt; import base64<br>
&gt;&gt;&gt; base64.b64decode('KzQ2NzI3mjMEMTEwwqAJ')<br>
'+46727\x9a3\x04110\xc2\xa0\t'<br>
<br>
Looks like the mobile phone number contains utf8 characters. It
must not:<br>
/* Per RFC4517:<br>
*<br>
* TelephoneNumber = PrintableString<br>
* PrintableString = 1*PrintableCharacter<br>
*/<br>
<br>
Unfortunately, AD syntax checking leaves a lot to be desired, so
it allows this and other bogus data. IPA/389 is much stricter.<br>
</blockquote>
Hey Rich,<br>
<br>
You are correct!<br>
<br>
All "mobile" entries in our AD are base64 encoded and end with
"\xc2\xa0\t". Removing the junk characters from the mobile entry
makes the user sync correctly, regardless of whether the user pre-exists
or not. Issue solved, thanks a lot for pointing this out!<br>
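<br>
<p>As an added example (not part of this thread, and not FreeIPA or 389-ds code), the check below applies the RFC 4517 PrintableString rule quoted above to the phone attributes in an LDIF export, so an AD entry that 389-ds would reject with error 21 can be found before winsync tries to write it. It decodes base64 ("::") values the same way the Python session above does, and its cleanup of the value assumes that deleting the junk characters, which is what resolved the thread, is the desired fix. The attribute list and the sample entry are assumptions constructed for the example; only the mobile value is the one posted in the thread.</p>

```python
import base64
import re

# RFC 4517 section 3.3.29 (PrintableString) and 3.3.31 (Telephone Number):
#   TelephoneNumber    = PrintableString
#   PrintableString    = 1*PrintableCharacter
#   PrintableCharacter = ALPHA / DIGIT / SQUOTE / LPAREN / RPAREN / PLUS / COMMA /
#                        HYPHEN / DOT / EQUALS / SLASH / COLON / QUESTION / SPACE
PRINTABLE_RE = re.compile(r"[A-Za-z0-9'()+,\-.=/:? ]+")

# Standard-schema attributes that use the Telephone Number syntax.
# This list is an assumption for the example; extend it for local schema.
PHONE_ATTRS = ("telephoneNumber", "facsimileTelephoneNumber", "mobile",
               "homePhone", "pager")

# Constructed sample export. Only the mobile value is the one from the thread;
# the DN and the other attributes are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Firstname Lastname,OU=Users,DC=example,DC=com
telephoneNumber: +00 00 000 0
facsimileTelephoneNumber: +00 00 000 0
mobile:: KzQ2NzI3mjMEMTEwwqAJ
"""


def unfold_ldif(ldif_text):
    """Join LDIF continuation lines (leading space) onto the line before."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif_line(line):
    """Return (attribute, raw value bytes) for one unfolded LDIF line.
    'attr:: xxx' carries a base64 value; LDIF writers use that form when the
    value is not safe ASCII, which is exactly the case this thread hit."""
    attr, _, rest = line.partition(":")
    attr = attr.strip()
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("utf-8")


def is_printable_string(raw):
    """True if the raw bytes form a valid RFC 4517 PrintableString."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False  # bytes >= 0x80 (such as \xc2\xa0) are never printable
    return PRINTABLE_RE.fullmatch(text) is not None


def sanitize_printable(raw):
    """Drop every byte that is not a PrintableCharacter. Assumed policy: the
    thread was resolved by deleting the junk characters, so this mirrors it."""
    return "".join(ch for ch in raw.decode("latin-1")
                   if PRINTABLE_RE.fullmatch(ch))


def find_violations(ldif_text, attrs=PHONE_ATTRS):
    """Return [(attribute, raw bytes, cleaned string)] for each phone attribute
    whose value violates the syntax and would fail the sync with error 21."""
    violations = []
    for line in unfold_ldif(ldif_text):
        if not line or line.startswith("#"):
            continue
        attr, raw = parse_ldif_line(line)
        if attr in attrs and not is_printable_string(raw):
            violations.append((attr, raw, sanitize_printable(raw)))
    return violations


if __name__ == "__main__":
    # Report each offending attribute with its raw bytes and the cleaned value.
    for attr, raw, cleaned in find_violations(SAMPLE_LDIF):
        print(f"{attr}: {raw!r} -> {cleaned!r}")
```

Run it against an ldifde or ldapsearch export of the AD users container to get a list of entries to correct on the AD side before the next sync; the strict ASCII check mirrors what the directory server enforces, so anything reported here would be refused by 389-ds.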
</body>
</html>