<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Great!  Glad you got that working.<br>
      <br>
      Next step is to use AD trust instead of sync . . .<br>
      <br>
      On 06/21/2016 12:58 AM, Toby Gale wrote:<br>
    </div>
    <blockquote
cite="mid:CAKCsbqBRVOUnBo_Hgczu4Fsv-1WFcuuQyBJbp=_bHcSk4AKSxQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thanks for the help Rich.
        <div><br>
        </div>
        <div>Looking at the log I noticed some extra characters in the
          DN that corresponds to "Search Base".  I got the Windows admin
          to share his RDP session to the DC and had a look at the
          registry in "<span style="color:black;font-family:'Segoe
            UI',sans-serif;font-size:10pt">HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". 
            I noticed the same characters in the "Search Base" key.  I
            think the extra characters were accidentally copy-pasted
            from the documentation I sent them.</span></div>
        <div><span style="color:black;font-family:'Segoe
            UI',sans-serif;font-size:10pt"><br>
          </span></div>
        <div><span style="color:black;font-family:'Segoe
            UI',sans-serif;font-size:10pt">Removing them and
            restarting the service has resolved the problem.</span></div>
        <div><span style="color:black;font-family:'Segoe
            UI',sans-serif;font-size:10pt"><br>
          </span></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Jun 20, 2016 at 3:49 PM, Rich
          Megginson <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class="">
                <div>On 06/18/2016 05:47 AM, Toby Gale wrote:<br>
                </div>
                <blockquote type="cite">
                  <p dir="ltr">Hello,</p>
                  <p dir="ltr">After successfully adding a 'winsync'
                    agreement and loading AD data into FreeIPA I am
                    trying to configure the password sync software on
                    the domain controllers.</p>
                  <p dir="ltr">I have installed the certificates and can
                    successfully bind from the domain controller using
                    ldp.exe and the
                    'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com'
                    user.</p>
                  <p dir="ltr">I have edited the registry to increase
                    logging, by setting
                    'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level'
                    to '1' and I am seeing the error:</p>
                  <p dir="ltr"><font color="#000000">06/17/16 08:47:32:
                      Backoff time expired.  Attempting sync</font><br>
                    <font color="#000000">06/17/16 08:47:32: Password
                      list has 1 entries</font><br>
                    <font color="#000000">06/17/16 08:47:32: Attempting
                      to sync password for some.user</font><br>
                    <font color="#000000">06/17/16 08:47:32: Searching
                      for (ntuserdomainid=some.user)</font><br>
                    <font color="#000000">06/17/16 08:47:32: Ldap error
                      in QueryUsername</font><br>
                    <font color="#000000"> 34: Invalid DN syntax</font><br>
                  </p>
                </blockquote>
                <br>
              </span> Take a look at the 389/dirsrv access log on your
              linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see
              if you can find the error corresponding to this - it
              should be at the same approximate date/time (make sure you
              check your time zones) and the RESULT line should have
              err=34<span class=""><br>
                <br>
                <blockquote type="cite">
                  <p dir="ltr"> <font color="#000000">06/17/16
                      08:47:32: Deferring password change for some.user</font><br>
                    <font color="#000000">06/17/16 08:47:32: Backing off
                      for 1024000ms</font><br>
                  </p>
                  <p dir="ltr"><font color="#000000">When I run the
                      query from the CLI, it is successful:</font><br>
                  </p>
                  <p dir="ltr"><font color="#000000">$ ldapsearch -x -h
                      <a moz-do-not-send="true">ldaps://localhost</a> -p
                      636 -D
                      'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com'
                      -w 'password'  -b
                      'cn=users,cn=accounts,dc=my,dc=domain,dc=com'
                      '(ntuserdomainid=some.user)'</font></p>
                  <p dir="ltr"><font color="#000000">Can anyone help me
                      resolve this?</font></p>
                  <p dir="ltr"><font color="#000000">Thanks.</font></p>
                </blockquote>
                <p><br>
                </p>
              </span></div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <p><br>
    </p>
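    <p>The check suggested in this thread (find the RESULT line with err=34 in the 389/dirsrv access log) and the cause that was found (stray characters in the "Search Base" DN), combined as an added example that is not part of the original messages. The log lines are constructed, the function names are hypothetical, and it assumes the SRCH line records the base DN as the client sent it.</p>

```python
import re
import unicodedata

# Constructed sample in the 389-ds access-log layout; not taken from the thread.
# Assumption: the SRCH line records the base DN as the client sent it.
# The conn=9 base hides U+201C (curly quote) and U+200B (zero-width space).
SAMPLE_LOG = "\n".join([
    '[17/Jun/2016:08:47:30 +0100] conn=8 op=1 SRCH base="cn=users,cn=accounts,'
    'dc=my,dc=domain,dc=com" scope=2 filter="(ntuserdomainid=other.user)"',
    '[17/Jun/2016:08:47:30 +0100] conn=8 op=1 RESULT err=0 tag=101 nentries=1',
    '[17/Jun/2016:08:47:32 +0100] conn=9 op=1 SRCH base="\u201ccn=users,'
    'cn=accounts,dc=my,dc=domain,dc=com\u200b" scope=2 '
    'filter="(ntuserdomainid=some.user)"',
    '[17/Jun/2016:08:47:32 +0100] conn=9 op=1 RESULT err=34 tag=101 nentries=0',
])

LINE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) (.*)$')
BASE = re.compile(r'SRCH base="(.*?)" scope=')
ERR = re.compile(r'RESULT err=(\d+)')


def hidden_chars(text):
    """Return (index, 'U+XXXX', name) for each char outside printable ASCII."""
    return [(i, "U+%04X" % ord(c), unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(text) if not (c.isascii() and c.isprintable())]


def invalid_dn_searches(log_text, err_code=34):
    """Pair each RESULT err=err_code with the SRCH of the same conn/op."""
    bases, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m.group(2), m.group(3))
        srch, res = BASE.search(m.group(4)), ERR.search(m.group(4))
        if srch:
            bases[key] = srch.group(1)
        elif res and int(res.group(1)) == err_code and key in bases:
            base = bases[key]
            findings.append({"time": m.group(1), "conn": key[0],
                             "base": base.encode("unicode_escape").decode(),
                             "hidden": hidden_chars(base)})
    return findings


if __name__ == "__main__":
    for f in invalid_dn_searches(SAMPLE_LOG):
        print(f["time"], "conn=" + f["conn"], f["base"], f["hidden"])
```

    <p>The escaped form of the base DN makes characters visible that a registry editor or terminal renders as nothing; hidden_chars() can also be run directly on a "Search Base" value exported from the domain controller.</p>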
  </body>
</html>