<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 06/18/2016 05:47 AM, Toby Gale wrote: </div> <blockquote cite="mid:CAKCsbqCAdLbYmZYVn-zenLq50yn_YZppfATwooD7DpW6wtkW5A@mail.gmail.com" type="cite"> Hello, After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers. I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user. I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error: 06/17/16 08:47:32: Backoff time expired. Attempting sync 06/17/16 08:47:32: Password list has 1 entries 06/17/16 08:47:32: Attempting to sync password for some.user 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user) 06/17/16 08:47:32: Ldap error in QueryUsername 34: Invalid DN syntax </blockquote> Take a look at the 389/dirsrv access log on your linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error corresponding to this - it should be at the same approximate date/time (make sure you check your time zones) and the RESULT line should have err=34 <blockquote cite="mid:CAKCsbqCAdLbYmZYVn-zenLq50yn_YZppfATwooD7DpW6wtkW5A@mail.gmail.com" type="cite"> 06/17/16 08:47:32: Deferring password change for some.user 06/17/16 08:47:32: Backing off for 1024000ms When I run the query from the CLI, it is successful: $ ldapsearch -x -h <a class="moz-txt-link-freetext" href="ldaps://localhost">ldaps://localhost</a> -p 636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)' Can anyone help me resolve this? Thanks. <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>