William, Yes, *other* attributes are replicated to AD normally (in all versions that I tested).
Thanks. On Wed, Jan 29, 2020 at 8:16 PM William Brown <wbr...@suse.de> wrote: > > > > On 30 Jan 2020, at 08:04, Alberto Viana <alberto...@gmail.com> wrote: > > > > Mark > > > > Again (my bad on copy and paste): > > > > dn: cn=AD-DF-DC01,cn=replica,cn=dc\3Dmy\2Cdc\3Ddomain,cn=mapping > tree,cn=config > > objectClass: top > > objectClass: nsDSWindowsReplicationAgreement > > cn: AD-DF-DC01 > > nsDS5ReplicaRoot: dc=my,dc=domain > > description: AD-DF-DC01 > > nsDS5ReplicaHost: gti-df-dc01.domain.local > > nsDS5ReplicaPort: 636 > > nsDS5ReplicaTransportInfo: LDAPS > > nsDS5ReplicaBindDN: CN=Conta de sincronizacao do AD com LDAP > 389,OU=APLICACOES,dc=my,dc=domain > > nsds7WindowsReplicaSubtree: dc=my,dc=domain > > nsds7DirectoryReplicaSubtree: dc=my,dc=domain > > nsds7WindowsDomain: RNP > > nsds7NewWinUserSyncEnabled: on > > nsds7NewWinGroupSyncEnabled: on > > nsDS5ReplicaCredentials: > {AES-RERBNEJDUTBPV1psTXpoak15MDNPRFZrTXpZMg0KTnkxaE56VXhZMkUwWlMxbE5UazJNemhrWkFBQ > > > RERBNEJDUTBPV1psTXpoak15MDNPRFZrTXpZMg0KTnkxaE56VXhZMkUwWlMxbE5UazJNemhrWkFBQ > > > 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTJRME5QSmRXNWVLQW > > NFaXczVmFXWQ==}F/Jp/zDrXdzGs4/tMIPZZw== > > internalCreatorsName: cn=directory manager > > internalModifiersName: cn=directory manager > > creatorsName: cn=directory manager > > modifiersName: cn=directory manager > > createTimestamp: 20200129214430Z > > modifyTimestamp: 20200129214431Z > > nsds5BeginReplicaRefresh: start > > > > > > How are you changing the password in DS? > > Tried 3 different ways: > > 1. ldapmodify > > 2. password Selfservice (application that we have here) > > 3. Apache directory (LDAP client) > > I can't remember if I asked this, but do *other* non-password attributes > replicate correctly from 389 to AD? > > > > > Question, the The AD machine (gti-df-dc01.my.domain) is the Domain > Controller, right? > > The entry looks off, but it might be because you did some find/replace > on some text. See comments below... > > > > Yes, this is my domain controller(AD). I have 6 domain controllers (2012 > R2) over here, tried at least in 4. > > > > Another info is that I reconfigured my old server(1.3.7.4) and > everything works as expect. > > > > So far, I have no idea where the problem is, so I decided that tomorrow > I will bring up again my old server, (and after that, rebuild my lab > environment e try to figure it out). > > > > Right now, I'm testing with 3 different versions: > > 1.4.1.14 > > 1.4.3.2 > > 1.4.2.5 => This one with Fedora packages (not compiled by myself) > > > > None of them is working with same behavior, just the password is not > sent from 389 to AD. In all versions, attributes are replicated(except > password) from 389 to AD, and everything is working fine from AD to 389. > > > > Please let me know if need some more info. > > > > Thanks > > > > Alberto Viana > > > > On Wed, Jan 29, 2020 at 5:24 PM Mark Reynolds <mreyno...@redhat.com> > wrote: > > How are you changing the password in DS? > > > > Question, the The AD machine (gti-df-dc01.my.domain) is the Domain > Controller, right? > > > > The entry looks off, but it might be because you did some find/replace > on some text. See comments below... > > > > On 1/29/20 1:26 PM, Alberto Viana wrote: > >> Mark, > >> > >> here's: > >> > >> dn: cn=AD-DF-DC01,cn=replica,cn=dc\3Drnp\2Cdc\3Dlocal,cn=mapping > tree,cn=config > >> objectClass: top > >> objectClass: nsDSowsReplicationAgreement > >> cn: AD-DF-DC01 > >> nsDS5ReplicaRoot: dc=rnp,dc=local > >> description: AD-DF-DC01 > >> nsDS5ReplicaHost: gti-df-dc01.my.domain > >> nsDS5ReplicaPort: 636 > >> nsDS5ReplicaTransportInfo: LDAPS > >> nsDS5ReplicaBindDN: CN=my user on AD,OU=APLICACOES,DC=my,DC=domain > >> nsds7owsReplicaSubtree: dc=my,dc=domain > > This is the wrong attribute, it should be: nsds7WindowsReplicaSubtree > >> nsds7DirectoryReplicaSubtree: dc=my,dc=domain > >> nsds7owsDomain: RNP > > Same here, it should be: nsds7WindowsDomain. > > > > Mark > > > >> nsds7NewWinUserSyncEnabled: on > >> nsds7NewWinGroupSyncEnabled: on > >> nsDS5ReplicaCredentials: {AES-E56VXhZMkUwWlMxbE5UazJNemhrWkFBQ > >> > 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRFl0ZGNTUGZoV2xEZE > >> 5rMUZNZWp4Rw==}UxxEid4L9eUthSplmxIoy4woEEB4YoihY1++Vv60ibM= > >> internalCreatorsName: cn=directory manager > >> internalModifiersName: cn=directory manager > >> > >> Thanks > >> > >> On Wed, Jan 29, 2020 at 2:27 PM Mark Reynolds <mreyno...@redhat.com> > wrote: > >> > >> > >> On 1/29/20 12:17 PM, Alberto Viana wrote: > >>> Mark, > >>> > >>> Already did that twice hehehehe > >>> > >>> Do you think that's about config once all attributes except password > are sync'ed to AD? If it's about config, the log does not suppose to show > something? > >>> > >>> 389 -> AD (all attributes except password) > >>> AD -> 389 (everthing works, including password) > >>> > >>> Tried almost everything over here, without success. > >>> > >>> There's another way to trace it? replication log does not shows me > anything related to it. > >> Replication logging is the only option on the DS side. > >> > >> Can you share your replication agreement from dse.ldif? From what I > saw from the command line you set everything correctly, but maybe it didn't > write it correctly to the entry. You have to use LDAPS for passwords to > sync to AD, and you specified that, but lets confirm what is actually in > the agreement. > >> > >> Thanks, > >> > >> Mark > >> > >>> > >>> Thanks > >>> > >>> On Wed, Jan 29, 2020 at 12:35 PM Mark Reynolds <mreyno...@redhat.com> > wrote: > >>> Alberto, > >>> > >>> Sorry I'm not sure what is wrong. Please review the documentation and > make sure you have everything setup correctly: > >>> > >>> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_the_password_policy-synchronizing_passwords > >>> > >>> HTH, > >>> > >>> Mark > >>> > >>> On 1/29/20 10:22 AM, Alberto Viana wrote: > >>>> Hi Guys, > >>>> > >>>> My messages to list are being moderated (no sure why), trying again > >>>> > >>>> William, > >>>> > >>>> Right, so if you change a password on AD, does it properly change the > password to 389? > >>>> > >>>> Yes. > >>>> > >>>> And are you using a "ldapmodify userpassword" or "ldappasswd" to > change the password? What's the exact command you run against 389 to change > the password? > >>>> > >>>> Tried 3 different ways: > >>>> 1. ldapmodify > >>>> 2. An application that we have here (password selfservice) > >>>> 3. Apache directory studio > >>>> > >>>> The password is always updated locally in 389 but never sent to AD. > >>>> > >>>> And it's seems that not even trying, I'm tracking on event viewer. > Another thing that when I used to change the password, the passync always > intercepts the change and tries to send back the (same) password and it's > not happening. > >>>> > >>>> Please let me know if you anything else. > >>>> > >>>> > >>>> > >>>> On Tue, Jan 28, 2020 at 9:40 PM Alberto Viana <alberto...@gmail.com> > wrote: > >>>> William, > >>>> > >>>> Right, so if you change a password on AD, does it properly change the > password to 389? > >>>> > >>>> Yes. > >>>> > >>>> And are you using a "ldapmodify userpassword" or "ldappasswd" to > change the password? What's the exact command you run against 389 to change > the password? > >>>> > >>>> Tried 3 different ways: > >>>> 1. ldapmodify > >>>> 2. An application that we have here (password selfservice) > >>>> 3. Apache directory studio > >>>> > >>>> The password is always updated locally in 389 but never sent to AD. > >>>> > >>>> And it's seems that not even trying, I'm tracking on event viewer. > Another thing that when I used to change the password, the passync always > intercepts the change and tries to send back the (same) password and it's > not happening. > >>>> > >>>> Please let me know if you anything else. > >>>> > >>>> Thanks > >>>> > >>>> > >>>> > >>>> On Tue, Jan 28, 2020 at 9:31 PM William Brown <wbr...@suse.de> wrote: > >>>> > >>>> > >>>> > On 29 Jan 2020, at 10:15, Alberto Viana <alberto...@gmail.com> > wrote: > >>>> > > >>>> > William, > >>>> > > >>>> > Sorry, my bad, it's not working > >>>> > > >>>> > > >>>> > The problem is the password is never sent to AD and it's just about > password, any other replicated attribute that I modify sends the > modification to AD normally. > >>>> > >>>> > >>>> Right, so if you change a password on AD, does it properly change the > password to 389? > >>>> > >>>> And are you using a "ldapmodify userpassword" or "ldappasswd" to > change the password? What's the exact command you run against 389 to change > the password? > >>>> > >>>> > > >>>> > When you say "I think that perhaps we need to exclude objectClass=* > from notes=U." > >>>> > >>>> No, this is something for the team and I to do, not you :) > >>>> > >>>> > > >>>> > Where should I do that? Do you need further information? > >>>> > > >>>> > > >>>> > Thanks > >>>> > > >>>> > Alberto Viana > >>>> > > >>>> > > >>>> > On Tue, Jan 28, 2020 at 9:09 PM William Brown <wbr...@suse.de> > wrote: > >>>> > > >>>> > > >>>> > > On 29 Jan 2020, at 10:01, Alberto Viana <alberto...@gmail.com> > wrote: > >>>> > > > >>>> > > WIlliam, > >>>> > > > >>>> > > Thanks, I put in my company's roadmap to think about pay for > support, > >>>> > > >>>> > Great! > >>>> > > >>>> > > I found the problem, it's about aci (the user manager replication > permission) > >>>> > > >>>> > Can you please describe the problem and solution more? That way I > and others can learn from what you just solved :) It will help many others. > Thank you! > >>>> > > >>>> > > > >>>> > > After add permission to read the userpassword field, starts to > works. > >>>> > > > >>>> > > Again, Thanks!!! > >>>> > > > >>>> > > > >>>> > > > >>>> > > On Tue, Jan 28, 2020 at 8:58 PM William Brown <wbr...@suse.de> > wrote: > >>>> > > > >>>> > > > >>>> > > > On 29 Jan 2020, at 09:24, Alberto Viana <alberto...@gmail.com> > wrote: > >>>> > > > > >>>> > > > Hey Guys, > >>>> > > > > >>>> > > > Really lost here, don't know what else look or test, it's not > working at all :/ > >>>> > > > >>>> > > Hey there, > >>>> > > > >>>> > > Remember, the team is distributed around the world - I'm > Australian for example, so sometimes mailing list questions can take 24 > hours. Sometimes personal things go wrong. It's just the annoying nature, > that we will potentially take time to respond :( > >>>> > > > >>>> > > If you do want an SLA, and it's super important to have things > fixed, do consider convincing your business to take a SUSE (SLE) or Red Hat > (RHDS) contract, as there are support teams that can assist, and there are > going to be better response times rather than just us developers :) > >>>> > > > >>>> > > > > >>>> > > > Any help is appreciated > >>>> > > > > >>>> > > > Thanks > >>>> > > > > >>>> > > > On Tue, Jan 28, 2020 at 3:48 PM Alberto Viana < > alberto...@gmail.com> wrote: > >>>> > > > Hi Guys, > >>>> > > > 389-Directory/1.4.3.2 > >>>> > > > > >>>> > > > > >>>> > > > The password sync from 389 to windows(2012) is not working: > >>>> > > > >>>> > > One of these days I really need to setup winsync at home to > really learn more about it ... > >>>> > > > >>>> > > > > >>>> > > > # dsconf RNP repl-winsync-agmt create --suffix=dc=rnp,dc=local > --host=gti-df-dc01 --port=636 --conn-protocol=LDAPS > --bind-dn="CN=my_win_account" --bind-passwd=password > --win-subtree=dc=my,dc=domain --ds-subtree=dc=my,dc=domain --win-domain=RNP > --sync-users=on --sync-groups=on --init AD-DF-DC01 > >>>> > > > > >>>> > > > > >>>> > > > Double checked everything including the user permissions on > windows AD side , also checked the windows log and passync log, could not > found anything related (at least the 389 trying to update my user's > password or any error) > >>>> > > > > >>>> > > > From windows to 389 works fine. > >>>> > > > > >>>> > > > Attaching the log (in replication debug mode) > >>>> > > > >>>> > > Looking at the log I can see changes happening. > >>>> > > > >>>> > > > >>>> > > This error seems surprising, but shouldn't really cause a > problem. > >>>> > > > >>>> > > [28/Jan/2020:15:14:05.423481115 -0300] - ERR - log_result - > Internal unindexed search: source (cn=Multimaster Replication > Plugin,cn=plugins,cn=config) search base="dc=my,dc=domain" > filter="(&(|(objectclass=*)(objectclass=ldapsubentry))(nsUniqueid=0c57800e-050011e8-b998ed08-97c36f4f))" > etime=0.000798288 nentries=1 notes=U details="Partially Unindexed Filter > >>>> > > > >>>> > > I think that perhaps we need to exclude objectClass=* from > notes=U. > >>>> > > > >>>> > > > >>>> > > Anyway, you say it's "not working". I'm going to ask you to > describe what "not working means". Did you change a group on AD and the > changes aren't appearing in 389? Or the other way? Can you be more specific > about what's not working? > >>>> > > > >>>> > > Thanks, > >>>> > > > >>>> > > > > >>>> > > > Don't know what else to look > >>>> > > > > >>>> > > > Thanks. > >>>> > > > > >>>> > > > > >>>> > > > > >>>> > > > _______________________________________________ > >>>> > > > 389-users mailing list -- 389-users@lists.fedoraproject.org > >>>> > > > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > >>>> > > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> > > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> > > > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>>> > > > >>>> > > — > >>>> > > Sincerely, > >>>> > > > >>>> > > William Brown > >>>> > > > >>>> > > Senior Software Engineer, 389 Directory Server > >>>> > > SUSE Labs > >>>> > > _______________________________________________ > >>>> > > 389-users mailing list -- 389-users@lists.fedoraproject.org > >>>> > > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > >>>> > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> > > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>>> > > _______________________________________________ > >>>> > > 389-users mailing list -- 389-users@lists.fedoraproject.org > >>>> > > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > >>>> > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> > > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>>> > > >>>> > — > >>>> > Sincerely, > >>>> > > >>>> > William Brown > >>>> > > >>>> > Senior Software Engineer, 389 Directory Server > >>>> > SUSE Labs > >>>> > _______________________________________________ > >>>> > 389-users mailing list -- 389-users@lists.fedoraproject.org > >>>> > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > >>>> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>>> > _______________________________________________ > >>>> > 389-users mailing list -- 389-users@lists.fedoraproject.org > >>>> > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > >>>> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>>> > >>>> — > >>>> Sincerely, > >>>> > >>>> William Brown > >>>> > >>>> Senior Software Engineer, 389 Directory Server > >>>> SUSE Labs > >>>> _______________________________________________ > >>>> 389-users mailing list -- 389-users@lists.fedoraproject.org > >>>> To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > >>>> Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>>> > >>>> > >>>> _______________________________________________ > >>>> 389-users mailing list -- > >>>> 389-users@lists.fedoraproject.org > >>>> > >>>> To unsubscribe send an email to > >>>> 389-users-le...@lists.fedoraproject.org > >>>> > >>>> Fedora Code of Conduct: > >>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> > >>>> List Guidelines: > >>>> https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> > >>>> List Archives: > >>>> > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > >>> -- > >>> > >>> 389 Directory Server Development Team > >>> > >> -- > >> > >> 389 Directory Server Development Team > >> > >> > >> > >> _______________________________________________ > >> 389-users mailing list -- > >> 389-users@lists.fedoraproject.org > >> > >> To unsubscribe send an email to > >> 389-users-le...@lists.fedoraproject.org > >> > >> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> > >> List Guidelines: > >> https://fedoraproject.org/wiki/Mailing_list_guidelines > >> > >> List Archives: > >> > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > > -- > > > > 389 Directory Server Development Team > > > > _______________________________________________ > > 389-users mailing list -- 389-users@lists.fedoraproject.org > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > > — > Sincerely, > > William Brown > > Senior Software Engineer, 389 Directory Server > SUSE Labs > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >
_______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org