> On 27 Aug 2019, at 10:44, DaV <snow...@gmail.com> wrote: > > Thanks for your reply. > This is my configuration on 389ds server. > Please tell me if the attribute of "oneWaySync: fromWindows" is correct. > > Now, the new users in AD can't be synced to 389ds every 5 minutes, I have to > click "Initiate full Re-synchronized" manually. I'm stuck for days.
I think they are *not* syncing because your schedule is: >> >> nsDS5ReplicaUpdateSchedule: 1200-1210 4 >> >> nsDS5ReplicaUpdateSchedule: 1211-1220 4 >> This translates to "between 12:00 and 12:10 on thursday" and "between 12:11 and 12:20 on thursday.". IE you are syncing for a 10 minute window once a week, rather than every five minutes all the time. You probably want something more like: nsDS5ReplicaUpdateSchedule : 0000-2359 0123456 If you want to sync all the time. I think I'm a bit confused about the "bigger picture" of what you are trying to achieve here. Can you please describe: * Your servers (AD, ldap etc) * How you want the data to flow * When you want the data to flow Just describe, we don't need to see configs. I think that is really going to help us think through answers to your questions. > > Sincerely, > -- > DaV > > > > > On Tue, Aug 27, 2019, at 02:18, Mark Reynolds wrote: >> >> >> On 8/23/19 5:38 AM, DaV wrote: >>> Hi all, >>> For OneWaySync, AD to 389ds. >>> >>> I have read this guide >>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/using_windows_sync-modifying_the_sync_agreement >>> >>>> Synchronization works two ways. The Directory Server sends its updates to >>>> Active Directory on a configurable schedule, similar to replication, using >>>> the nsds5replicaupdatescheduleattribute. The Directory Server polls the >>>> Active Directory to check for changes; the frequency that it checks the >>>> Active Directory server is set in the winSyncInterval attribute. >>>> By default, the Directory Server update schedule is to always be in sync. >>>> The Active Directory interval is to poll the Active Directory every five >>>> minutes. >>>> To change the schedule the Directory Server uses to send its updates to >>>> the Active Directory, edit the nsds5replicaupdateschedule attribute. The >>>> schedule is set with start (SSSS) and end (EEEE) times in the form HHMM, >>>> using a 24-hour clock. The days to schedule sync updates are use ranging >>>> from 0 (Sunday) to 6 (Saturday). >>> >>> I want to know how to disable the nsds5replicaupdateschedule attribute. >>> Because I just want sync from AD to 389ds. >> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaUpdateSchedule >> >> You can set it to "0000-0001 0" to disable synchronizing according to the >> link above >> >> >> >>> Thanks in advance! >>> >>> Sincerely, >>> -- >>> DaV >>> >>> On Fri, Aug 23, 2019, at 08:18, DaV wrote: >>> > Hi William, >>> > Thanks for your reply. >>> > >>> > Sorry for incorrect message yesterday. >>> > My windows sync agreement exactly is: >>> > >>> > agreement1: >>> > >> DS Host: 389ds:389 >>> > > >> Windows Host: dc01.example.com:389 >>> > > >> DS Subtree: ou=Users,dc=example,dc=com >>> > > >> Windows Subtree: ou=ou1,OU=Accounts, DC=example,DC=com >>> > > >> Replicated subtree: dc=example,dc=com >>> > >>> > agreement2: >>> > >> DS Host: 389ds:389 >>> > > >> Windows Host: dc01.example.com:389 >>> > > >> DS Subtree: ou=Users,dc=example,dc=com >>> > > >> Windows Subtree: ou=ou2,OU=Accounts, DC=example,DC=com >>> > > >> Replicated subtree: dc=example,dc=com >>> > >>> > >>> > The windows AD has two OUs, and I want the two OUs are synced to the >>> > same ou(ou=users,dc=example,dc=com) in 389ds server. >>> > Maybe you would say I can create two same OUs in 389ds first and then >>> > create the sync agreement. But I don't want this because I want all >>> > accounts under the same ou in 389ds(no sub-ou). >>> > >>> > >>> > I have another question about this issue. >>> > After the two sync agreements created, I create a new user on AD side, >>> > after 5 minutes(default), nothing happens, the account hasn't been >>> > synced to 389ds correctly. I must click the "Initiate full >>> > Re-syncronization" to sync the account info, and then change account >>> > password on AD side manually so that the passsync can sync the >>> > password. >>> > >>> > >My concern is moving an account from ou1 to ou2 and how >>> > > that would work (or break). >>> > Because the digestion is same OU in 389ds, so move an account from ou1 >>> > to ou2 on AD side, nothing happens . >>> > >>> > >>> > Another issue is : >>> > OnewaySync >>> > I want all data flow is AD to 389ds. >>> > I have configured the OnewaySync followed this link >>> > https://directory.fedoraproject.org/docs/389ds/howto/howto-one-way-active-directory-sync.html >>> > for every sync agreement, I add one line >>> > oneWaySync: fromWindows >>> > >>> > >>> > The error message /var/log/dirsrv/slapd-INSTANCE/errors like this: >>> > [23/Aug/2019:08:14:58.033989856 +0800] - WARN - NSMMReplicationPlugin - >>> > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): >>> > Replica has no update vector. It has never been initialized. >>> > [23/Aug/2019:08:15:01.071494645 +0800] - WARN - NSMMReplicationPlugin - >>> > windows sync - windows_inc_run - agmt="cn=others" (tc-dc-2:389): >>> > Replica has no update vector. It has never been initialized. >>> > >>> > I don't want the sync agreement to be bi-directional. So how to resolve >>> > this error message. >>> > Thanks in advance! >>> > >>> > >>> > Sincerely, >>> > -- >>> > DaV >>> > >>> > On Fri, Aug 23, 2019, at 07:38, William Brown wrote: >>> > > >>> > > >>> > > > On 21 Aug 2019, at 22:10, DaV <snow...@gmail.com> wrote: >>> > > > >>> > > > Hi guys, >>> > > > Just update for this issue. >>> > > > >>> > > > Finally, I create multi windows sync agreement for each OU to sync >>> > > > the user account. >>> > > > like this: >>> > > > >>> > > >> DS Host: 389ds:389 >>> > > >> Windows Host: dc01.example.com:389 >>> > > >> DS Subtree: ou=ou1,ou=Users,dc=example,dc=com >>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com >>> > > >> Replicated subtree: dc=example,dc=com >>> > > > >>> > > >> DS Host: 389ds:389 >>> > > >> Windows Host: dc01.example.com:389 >>> > > >> DS Subtree: ou=ou2,ou=Users,dc=example,dc=com >>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com >>> > > >> Replicated subtree: dc=example,dc=com >>> > > > So the user account sync is done. >>> > > > >>> > > > For password sync, now I can't sync user's password with an " >>> > > > Initiate full Re-syncronization". I must reset all users one-by-one >>> > > > on AD server to sync the password. This is not convenient. >>> > > > >>> > > > Do you have any advice? >>> > > > >>> > > >>> > > I think Mark is the person who knows the most about this. I agree your >>> > > solution isn't really optimal here so I totally get you wanting to >>> > > improve this. My concern is moving an account from ou1 to ou2 and how >>> > > that would work (or break). >>> > > >>> > > >>> > > >>> > > >>> > > > >>> > > > This is the log info: >>> > > >> [21/Aug/2019:08:56:57.876105371 +0800] - ERR - NSMMReplicationPlugin >>> > > >> - windows sync - windows_tot_run - Beginning total update of replica >>> > > >> "agmt="cn=chuxun" (tc-dc-2:389)". >>> > > >> [21/Aug/2019:08:56:58.546297794 +0800] - ERR - NSMMReplicationPlugin >>> > > >> - windows sync - windows_process_total_add - agmt="cn=chuxun" >>> > > >> (tc-dc-2:389) - Cannot replay add operation. >>> > > >> [21/Aug/2019:08:56:58.575112136 +0800] - ERR - NSMMReplicationPlugin >>> > > >> - windows sync - bind_and_check_pwp - agmt="cn=chuxun" >>> > > >> (tc-dc-2:389): Replication bind with SIMPLE auth resumed >>> > > >> [21/Aug/2019:08:56:58.577280706 +0800] - WARN - >>> > > >> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >> agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has >>> > > >> never been initialized. >>> > > >> [21/Aug/2019:08:56:58.579569199 +0800] - WARN - >>> > > >> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >> agmt="cn=chuxun" (tc-dc-2:389): Replica has no update vector. It has >>> > > >> never been initialized. >>> > > >> [21/Aug/2019:08:56:59.581808252 +0800] - WARN - >>> > > >> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >> agmt="cn=wangxun" (tc-dc-2:389): Replica has no update vector. It >>> > > >> has never been initialized. >>> > > > >>> > > > Sincerely, >>> > > > -- >>> > > > DaV >>> > > > >>> > > > >>> > > > >>> > > > >>> > > > On Tue, Aug 20, 2019, at 09:28, DaV wrote: >>> > > >> Hi all, >>> > > >> I'm using a new 389 directory server on CentOS 7.6 with >>> > > >> 389-ds-base.x86_64 (1.3.8.4-15.el7), and I want to sync user and >>> > > >> password from Windows 2016 to 389ds one way. >>> > > >> The Synchronization Agreement like this: >>> > > >> DS Host: 389ds:389 >>> > > >> Windows Host: dc01.example.com:389 >>> > > >> DS Subtree: ou=Users,dc=example,dc=com >>> > > >> Windows Subtree: OU=Accounts, DC=example,DC=com >>> > > >> Replicated subtree: dc=example,dc=com >>> > > >> >>> > > >> Here is my question: >>> > > >> The sync agreement can only sync top-level OU=Accounts, DC=example, >>> > > >> DC=com from Win2016 to 389ds server. >>> > > >> In fact, I have >>> > > >> ou=ou1,ou=accounts,dc=example,dc=com >>> > > >> ou=ou2,ou=accounts,dc=example,dc=com >>> > > >> on Win2016 server. >>> > > >> I want the sync agreement can sync not only the top-level but also >>> > > >> the child ou. >>> > > >> >>> > > >> This is the error log for your reference. Thanks! >>> > > >>> [20/Aug/2019:07:58:40.307031692 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning >>> > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". >>> > > >>> [20/Aug/2019:07:58:40.309113230 +0800] - INFO - slapd_daemon - >>> > > >>> slapd started. Listening on All Interfaces port 389 for LDAP >>> > > >>> requests >>> > > >>> [20/Aug/2019:08:34:21.730939271 +0800] - WARN - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has >>> > > >>> never been initialized. >>> > > >>> [20/Aug/2019:08:34:21.733526550 +0800] - WARN - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has >>> > > >>> never been initialized. >>> > > >>> [20/Aug/2019:08:34:24.735819391 +0800] - WARN - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has >>> > > >>> never been initialized. >>> > > >>> [20/Aug/2019:08:34:27.738228528 +0800] - WARN - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_inc_run - >>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replica has no update vector. It has >>> > > >>> never been initialized. >>> > > >>> [20/Aug/2019:08:34:30.873896680 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning >>> > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". >>> > > >>> [20/Aug/2019:08:34:33.170822223 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Finished >>> > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 >>> > > >>> entries. >>> > > >>> [20/Aug/2019:08:34:33.186359842 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - bind_and_check_pwp - >>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth >>> > > >>> resumed >>> > > >>> [20/Aug/2019:08:47:30.032935119 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Beginning >>> > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". >>> > > >>> [20/Aug/2019:08:47:31.035850854 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - windows_tot_run - Finished >>> > > >>> total update of replica "agmt="cn=389ds" (tc-dc-2:389)". Sent 5 >>> > > >>> entries. >>> > > >>> [20/Aug/2019:08:47:31.051614890 +0800] - ERR - >>> > > >>> NSMMReplicationPlugin - windows sync - bind_and_check_pwp - >>> > > >>> agmt="cn=389ds" (tc-dc-2:389): Replication bind with SIMPLE auth >>> > > >>> resumed >>> > > >>> [20/Aug/2019:08:50:59.533268105 +0800] - WARN - >>> > > >>> NSMMReplicationPlugin - prot_stop - Incremental protocol for >>> > > >>> replica "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly. >>> > > >>> [20/Aug/2019:09:01:00.155477769 +0800] - WARN - >>> > > >>> NSMMReplicationPlugin - prot_stop - Total protocol for replica >>> > > >>> "agmt="cn=389ds" (tc-dc-2:389)" did not shut down properly. >>> > > >> >>> > > >> >>> > > >> Sincerely, >>> > > >> -- >>> > > >> DaV >>> > > >> >>> > > >> >>> > > >> >>> > > > >>> > > > _______________________________________________ >>> > > > 389-users mailing list -- 389-users@lists.fedoraproject.org >>> > > > To unsubscribe send an email to >>> > > > 389-users-le...@lists.fedoraproject.org >>> > > > Fedora Code of Conduct: >>> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> > > > List Guidelines: >>> > > > https://fedoraproject.org/wiki/Mailing_list_guidelines >>> > > > List Archives: >>> > > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>> > > >>> > > — >>> > > Sincerely, >>> > > >>> > > William Brown >>> > > >>> > > Senior Software Engineer, 389 Directory Server >>> > > SUSE Labs >>> > > _______________________________________________ >>> > > 389-users mailing list -- 389-users@lists.fedoraproject.org >>> > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >>> > > Fedora Code of Conduct: >>> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> > > List Archives: >>> > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>> > > >>> > _______________________________________________ >>> > 389-users mailing list -- 389-users@lists.fedoraproject.org >>> > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >>> > Fedora Code of Conduct: >>> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> > List Archives: >>> > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>> > >>> >>> _______________________________________________ >>> 389-users mailing list -- >>> 389-users@lists.fedoraproject.org >>> >>> To unsubscribe send an email to >>> 389-users-le...@lists.fedoraproject.org >>> >>> Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> >>> List Guidelines: >>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>> >>> List Archives: >>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>> >> -- >> >> 389 Directory Server Development Team >> — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org