I solved this and I'll share my ignorance just in case it helps someone else: It wasn't clear to me that passsync needed the search base on the IPA server rather than the search base for the AD server. *facepalm*
---------- Forwarded message ----------
From: Nate Marks <npma...@gmail.com>
Date: Fri, Dec 21, 2012 at 9:47 AM
Subject: passync LDAP error in queryusername
To: freeipa-users@redhat.com

32: no such object deferring password change for newinclude

I'm baffled. I think I made the search base exactly the same as the DN I found in LDP. Capitalized "OU" and "DC". No spaces.

The AD DN for the search base is 'OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'.

It detected the password change for 'CN=newinclude,OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'.

Any tips?