Great!  Glad you got that working.

Next step is to use AD trust instead of sync . . .

On 06/21/2016 12:58 AM, Toby Gale wrote:
Thanks for the help Rich.

Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them.

Removing them and restarting the service has resolved the problem.

On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson wrote:

    On 06/18/2016 05:47 AM, Toby Gale wrote:


    After successfully adding a 'winsync' agreement and loading AD
    data into FreeIPA I am trying to configure the password sync
    software on the domain controllers.

    I have installed the certificates and can successfully bind from
    the domain controller using ldp.exe and the
    'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.

    I have edited the registry to increase logging, by setting
    'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I
    am seeing the error:

    06/17/16 08:47:32: Backoff time expired.  Attempting sync
    06/17/16 08:47:32: Password list has 1 entries
    06/17/16 08:47:32: Attempting to sync password for some.user
    06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
    06/17/16 08:47:32: Ldap error in QueryUsername
    34: Invalid DN syntax

    Take a look at the 389/dirsrv access log on your linux host at
    /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the
    error corresponding to this - it should be at the same approximate
    date/time (make sure you check your time zones) and the RESULT
    line should have err=34

    06/17/16 08:47:32: Deferring password change for some.user
    06/17/16 08:47:32: Backing off for 1024000ms

    When I run the query from the CLI, it is successful:

    $ ldapsearch -x -H ldaps://localhost:636 \
        -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' \
        -w 'password' \
        -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com'

    Can anyone help me resolve this?


    Manage your subscription for the Freeipa-users mailing list:
    Go to for more info on the project

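As an added example (not code from this thread, from PassSync or from 389-ds), a Python script that works Rich's suggestion from the server side: it pairs each RESULT err=34 line in constructed 389-ds access log lines with the SRCH of the same conn/op, then flags the kind of invisible characters Toby found in the "Search Base" registry value and shows the cleaned DN. The log lines and the pasted Search Base are constructed samples.

```python
import re
import unicodedata

# Constructed sample: a Search Base as it might be pasted from a document,
# carrying a zero-width space and a trailing no-break space.
PASTED_SEARCH_BASE = "cn=users,cn=accounts,dc=my,\u200bdc=domain,dc=com\u00a0"

# Constructed sample 389-ds access log lines (not a real capture).
ACCESS_LOG = """\
[17/Jun/2016:08:47:32 -0400] conn=12 op=3 SRCH base="cn=users,cn=accounts,dc=my,\u200bdc=domain,dc=com\u00a0" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:08:47:32 -0400] conn=12 op=3 RESULT err=34 tag=101 nentries=0 etime=0
[17/Jun/2016:08:47:33 -0400] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[17/Jun/2016:08:47:33 -0400] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

def suspicious_chars(dn):
    """Return (offset, codepoint, Unicode name) for each character that is not
    plain printable ASCII; zero-width and no-break spaces are typical stowaways."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(dn) if not (0x20 <= ord(c) < 0x7F)]

def clean_dn(dn):
    """Drop every character outside printable ASCII and trim stray whitespace."""
    return "".join(c for c in dn if 0x20 <= ord(c) < 0x7F).strip()

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

def failed_searches(log_text, err=34):
    """Return the base DN of every SRCH whose RESULT on the same conn/op
    carries err=<err> (34 is LDAP invalidDNSyntax)."""
    bases = {m.group(1, 2): m.group(3) for m in SRCH_RE.finditer(log_text)}
    return [bases[m.group(1, 2)] for m in RESULT_RE.finditer(log_text)
            if int(m.group(3)) == err and m.group(1, 2) in bases]

if __name__ == "__main__":
    for base in failed_searches(ACCESS_LOG):
        print("err=34 on base:", repr(base))
        for offset, cp, name in suspicious_chars(base):
            print(f"  offset {offset}: {cp} {name}")
        print("  cleaned:", clean_dn(base))
```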