<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/04/2014 01:48 PM, Todd Maugh
wrote:<br>
</div>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226C931@EXCHMB1-ELS.BWINC.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">but what about the "can't contact LDAP
server in the passsync log"<br>
</div>
</blockquote>
<br>
> LDAP bind error in connect<br>
> 81: Can't Contact LDAP Server<br>
<br>
That means<br>
1) ipa ldap server is down<br>
2) some sort of network problem<br>
3) incorrect host/port specified in passsync config<br>
4) host specified in passsync config is not the FQDN, or the FQDN
doesn't resolve both forward and reverse from the windows box<br>
5) host specified in the passsync config does not match the ipa ldap
server certificate subject dn<br>
6) incorrect CA cert installed in passsync cert db<br>
<br>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226C931@EXCHMB1-ELS.BWINC.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<br>
and are you saying I should try to change one of the passwords
in AD for it to go to IDM, or vice versa?<br>
</div>
</blockquote>
<br>
In order for AD to send a password, you have to change a password in
AD. When I said "This is one of the (many) problems with passsync",
I meant that passsync will not sync existing passwords from AD to
IdM. Passsync requires an AD password change operation in order to
sync a password. If you were expecting that your existing AD
passwords would just suddenly work in IdM, without having all of
your AD users change their passwords, that's not how passsync
works. There is no way to do that. This is but one of the reasons
why the AD/IdM cross domain trust solution is preferred.<br>
<br>
When I said "This is one of the (many) problems with passsync", I
most certainly did not mean that "LDAP bind error in connect<br>
> 81: Can't Contact LDAP Server" is one of the many problems.
It is almost always a configuration issue.<br>
<br>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226C931@EXCHMB1-ELS.BWINC.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<br>
thanks<br>
<br>
<br>
<div style="font-family: Times New Roman; color: #000000;
font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF189373"><font
color="#000000" face="Tahoma" size="2"><b>From:</b> Rich
Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, February 04, 2014 12:45 PM<br>
<b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: Creating password sync<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 02/04/2014 01:42 PM, Todd
Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">I have not changed any
passwords in AD yet.<br>
</div>
</blockquote>
<br>
Then passsync will not have sent anything.<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt"><br>
and the users I have in IDM from AD, their passwords
are not working<br>
</div>
</blockquote>
<br>
Right. This is one of the (many) problems with the passsync
approach - there currently is no way to populate the initial
passwords - that is, passsync/IdM cannot copy your passwords
over from AD to IdM.<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt"><br>
<br>
<div style="font-family:Times New Roman; color:#000000;
font-size:16px">
<hr tabindex="-1">
<div id="divRpF355147" style="direction:ltr"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, February 04, 2014 12:40 PM<br>
<b>To:</b> Todd Maugh; <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com" target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: Creating password sync<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 02/04/2014 01:20 PM,
Todd Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">my passhook.log
file is empty<br>
</div>
</blockquote>
<br>
Have you changed any passwords in AD?<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">
<div style="font-family:Times New Roman;
color:#000000; font-size:16px">
<hr tabindex="-1">
<div id="divRpF268312" style="direction:ltr"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com"
target="_blank">
freeipa-users-bounces@redhat.com</a> [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com"
target="_blank">freeipa-users-bounces@redhat.com</a>]
on behalf of Todd Maugh [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tmaugh@boingo.com"
target="_blank">tmaugh@boingo.com</a>]<br>
<b>Sent:</b> Tuesday, February 04, 2014
11:56 AM<br>
<b>To:</b> Rich Megginson; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com"
target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users]
Creating password sync<br>
</font><br>
</div>
<div>
<div style="direction:ltr;
font-family:Tahoma; color:#000000;
font-size:10pt">I'm seeing these errors in
the passsync.log<br>
<br>
<span dir="ltr">
<div>32: No such object</div>
<div>02/03/14 16:23:40: Ldap error in
QueryUsername</div>
<div>32: No such object</div>
<div>02/03/14 16:57:48: Abandoning
password change for scottb, backoff
expired</div>
<div>02/03/14 16:57:48: Ldap bind error
in Connect</div>
<div>32: No such object</div>
<div>02/03/14 16:57:48: Ldap error in
QueryUsername</div>
<div>32: No such object</div>
<div>02/03/14 18:06:04: Abandoning
password change for scottb, backoff
expired</div>
<div>02/03/14 18:06:04: Ldap bind error
in Connect</div>
<div>32: No such object</div>
<div>02/04/14 10:24:59: PassSync service
initialized</div>
<div>02/04/14 10:24:59: PassSync service
running</div>
<div>02/04/14 10:25:00: Ldap bind error
in Connect</div>
<div>32: No such object</div>
<div>02/04/14 10:58:37: Ldap bind error
in Connect</div>
<div>32: No such object</div>
<div>02/04/14 10:58:37: PassSync service
stopped</div>
<div>02/04/14 10:58:38: PassSync service
initialized</div>
<div>02/04/14 10:58:38: PassSync service
running</div>
<div>02/04/14 10:58:39: Ldap bind error
in Connect</div>
<div>32: No such object</div>
<div><br>
<br>
</div>
</span><br>
<div style="font-family:Times New Roman;
color:#000000; font-size:16px">
<hr tabindex="-1">
<div id="divRpF24542"
style="direction:ltr"><font
color="#000000" face="Tahoma"
size="2"><b>From:</b> Rich Megginson
[<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, February 04,
2014 9:19 AM<br>
<b>To:</b> Todd Maugh; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com"
target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: Creating
password sync<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On
02/04/2014 10:17 AM, Todd Maugh
wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr;
font-family:Tahoma; color:#000000;
font-size:10pt">also I have
verified the password
synchronization service is started
and running on the Windows 2008 R2
server<br>
<br>
<br>
but I can't tell if or what it is
doing because I'm not getting
passwords to my IDM<br>
</div>
</blockquote>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging"
target="_blank">http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging</a><br>
<br>
You can also look at the 389 access
log to see if you have connections
from the windows box.<br>
<br>
<blockquote type="cite">
<div style="direction:ltr;
font-family:Tahoma; color:#000000;
font-size:10pt">
<div style="font-family:Times New
Roman; color:#000000;
font-size:16px">
<hr tabindex="-1">
<div id="divRpF273180"
style="direction:ltr"><font
color="#000000"
face="Tahoma" size="2"><b>From:</b>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com" target="_blank">
freeipa-users-bounces@redhat.com</a> [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>]
on behalf of Todd Maugh [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tmaugh@boingo.com" target="_blank">tmaugh@boingo.com</a>]<br>
<b>Sent:</b> Tuesday,
February 04, 2014 9:04 AM<br>
<b>To:</b> Rich Megginson; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dpal@redhat.com" target="_blank">
dpal@redhat.com</a><br>
<b>Cc:</b> <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com" target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b>
[Freeipa-users] Creating
password sync<br>
</font><br>
</div>
<div>
<div style="direction:ltr;
font-family:Tahoma;
color:#000000;
font-size:10pt">Ok, so I
have my replication
agreement set up.<br>
<br>
and I see accounts coming in
to my IDM server from AD<br>
<br>
I have followed this guide
from redhat <br>
<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html</a><br>
<br>
to set up my password sync.
<br>
<br>
I get no errors<br>
<br>
but my passwords are not
syncing!<br>
<br>
Help! The documentation
tells of no way to verify or
troubleshoot<br>
<br>
<br>
Thank You<br>
<br>
-Todd Maugh<br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tmaugh@boingo.com" target="_blank">tmaugh@boingo.com</a><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
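Added example, not code from the thread, from passsync or from 389/IdM: a small Python script, run from the Windows host where passsync lives, that works through the six causes Rich lists for "81: Can't Contact LDAP Server" and reports which one the first failure points at. HOST, PORT and CA_FILE are assumed placeholders for what the passsync configuration and cert db actually hold.

```python
import socket
import ssl

# Added diagnostic script, not part of the original thread or of passsync.
# It walks the causes Rich lists for "81: Can't Contact LDAP Server": server
# down/unreachable or wrong host/port (1-3), host not an FQDN resolving both
# forward and reverse (4), cert subject not matching the host (5), wrong CA
# cert (6). HOST, PORT and CA_FILE are assumed placeholders: passsync keeps
# these values in its own config and cert db, which this script does not read.
HOST = "ipa.example.com"   # assumed: host configured in passsync
PORT = 636                 # assumed: LDAPS port configured in passsync
CA_FILE = "ipa-ca.pem"     # assumed: CA cert imported into the passsync cert db

def is_fqdn(host: str) -> bool:
    """Cause 4 first: a short name or an IP literal is not an FQDN."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return False
    return not all(lbl.isdigit() for lbl in labels)

def cause_for_verify_code(code: int) -> int:
    """OpenSSL verify error 62 (X509_V_ERR_HOSTNAME_MISMATCH) is cause 5; any
    other verify failure means the chain did not validate against the
    installed CA cert, which is cause 6."""
    return 5 if code == 62 else 6

def diagnose(host: str = HOST, port: int = PORT, cafile: str = CA_FILE) -> str:
    """Return the numbered cause the first failure points at, or 'ok'."""
    if not is_fqdn(host):
        return f"cause 4: {host!r} is not an FQDN"
    try:
        for addr in {ai[4][0] for ai in socket.getaddrinfo(host, port)}:
            rname = socket.gethostbyaddr(addr)[0]
            if rname.rstrip(".").lower() != host.rstrip(".").lower():
                return f"cause 4: {addr} reverses to {rname}, not {host}"
    except (socket.gaierror, socket.herror) as exc:
        return f"cause 4: DNS lookup for {host} failed: {exc}"
    # The default context verifies the chain against cafile and the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()   # handshake done: chain and name both passed
    except ssl.SSLCertVerificationError as exc:
        return f"cause {cause_for_verify_code(exc.verify_code)}: {exc.verify_message}"
    except OSError as exc:
        return f"cause 1, 2 or 3: cannot reach {host}:{port}: {exc}"
    return "ok"
```

Run `diagnose()` with the real values from the passsync configuration; a result of "ok" means the same host, port and CA cert that passsync uses can complete an LDAPS handshake from that box, so a remaining error 81 is worth checking against the 389 access log as Rich suggests.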
</body>
</html>