Old 01-19-2011, 02:49 PM
remy d1
 
Default Sync AD with 389-DS Unable to parse response

Hi,

I have some problems synchronizing 389-DS with AD


I have followed this HowTo : http://www.linuxmail.info/389-directory-active-directory-ssl-synch/


I have successfully imported cert files in both AD and 389-DS and can communicate in SSL mode (ldaps). I can login from my 389-DS to my AD server with 389-console or Apache Directory Studio, but synchronization does not work.


Here are the error logs from 389-DS :
[19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin - agmt="cn=Synchro ldap" (WINSERVER:636): Unable to parse the response to the startReplication extended operation. Replication is aborting.

[19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin - agmt="cn=Synchro ldap" (WINSERVER:636): Incremental update failed and requires administrator action


If I try an ldapsearch :
/usr/lib64/mozldap/ldapsearch -ZZ -b "dc=mydomain,dc=com" -h WINSERVER -p 636 -R -D "CN=synchro ldap,CN=Users,DC=mydomain,DC=com" -w - "objectclass=*"

Enter bind password:
ldap_start_tls_s failed: (Can't contact LDAP server)
ldap_simple_bind: Can't contact LDAP server
*** TLS/SSL error -5961 (TCP connection reset by peer.)


I have opened the ports 88, 389 and 636. Should I open all these ports?

http://technet.microsoft.com/fr-fr/library/bb967329.aspx


Any idea ?

-Regards

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-19-2011, 02:54 PM
Rich Megginson
 
Default Sync AD with 389-DS Unable to parse response

On 01/19/2011 08:49 AM, remy d1 wrote:
> Hi,
>
> I have some problems synchronizing 389-DS with AD
>
> I have followed this HowTo : http://www.linuxmail.info/389-directory-active-directory-ssl-synch/

I didn't read this, but I would suggest starting with this instead:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync

> I have successfully imported cert files in both AD and 389-DS and
> can communicate in SSL mode (ldaps). I can login from my 389-DS to
> my AD server with 389-console or Apache Directory Studio, but
> synchronization does not work.
>
> Here are the error logs from 389-DS :
>
> [19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin - agmt="cn=Synchro ldap" (WINSERVER:636): Unable to parse the response to the startReplication extended operation. Replication is aborting.
>
> [19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin - agmt="cn=Synchro ldap" (WINSERVER:636): Incremental update failed and requires administrator action

Definitely some sort of configuration problem. 389 is attempting to
use the 389 MMR protocol instead of the winsync protocol.

> If I try an ldapsearch :
>
> /usr/lib64/mozldap/ldapsearch -ZZ -b "dc=mydomain,dc=com" -h WINSERVER -p 636 -R -D "CN=synchro ldap,CN=Users,DC=mydomain,DC=com" -w - "objectclass=*"
>
> Enter bind password:
> ldap_start_tls_s failed: (Can't contact LDAP server)
> ldap_simple_bind: Can't contact LDAP server
> *** TLS/SSL error -5961 (TCP connection reset by peer.)

1) either use -Z and -p 636, or -ZZ and -p 389 - you cannot use both
-ZZ and -p 636 (i.e. you cannot use startTLS on the LDAPS port since
it is already encrypted)

2) You have to specify -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db on
the ldapsearch cmd line

> I have opened the ports 88, 389 and 636. Should I open all these
> ports?
>
> http://technet.microsoft.com/fr-fr/library/bb967329.aspx
>
> Any idea ?
>
> -Regards



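
Why `-ZZ` together with `-p 636` ends in a connection reset, as an added example that is not part of the original thread: startTLS begins with a cleartext LDAP request, while an LDAPS listener expects a TLS record as the very first bytes. The function names are hypothetical, the TLS prefix is a constructed sample, and ports 389/636 are the standard assignments used in the thread.

```python
"""LDAPS (-Z) versus startTLS (-ZZ) compared by the first bytes on the wire."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
LDAP_PORT, LDAPS_PORT = 389, 636            # cleartext LDAP / TLS-wrapped LDAP


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])                                # short form
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw            # long form
    return bytes([tag]) + length + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage carrying the StartTLS ExtendedRequest (sent unencrypted)."""
    if not 0 < message_id < 128:
        raise ValueError("this sketch only encodes one-byte message IDs")
    request_name = ber_tlv(0x80, STARTTLS_OID)             # [0] requestName
    extended_req = ber_tlv(0x77, request_name)             # [APPLICATION 23]
    msg_id = ber_tlv(0x02, bytes([message_id]))            # INTEGER messageID
    return ber_tlv(0x30, msg_id + extended_req)            # SEQUENCE


def first_bytes(mode: str) -> bytes:
    """What the client sends first for each mozldap ldapsearch security flag."""
    if mode == "-Z":      # TLS from the first byte (LDAPS)
        return b"\x16\x03\x01"   # constructed sample: TLS record, type 22 = handshake
    if mode == "-ZZ":     # plain LDAP first, then upgrade with StartTLS
        return starttls_request()
    raise ValueError(f"unsupported mode: {mode!r}")


def classify(data: bytes) -> str:
    """Tell a TLS handshake record from a BER-encoded LDAP message."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data[:1] == b"\x30":
        return "ldap"
    return "unknown"


def listener_expects(port: int) -> str:
    """Protocol the server side speaks first on the two standard ports."""
    if port == LDAPS_PORT:
        return "tls"
    if port == LDAP_PORT:
        return "ldap"
    raise ValueError(f"no assumption made for port {port}")


def diagnose(mode: str, port: int) -> str:
    """Report whether a flag/port pair matches what the listener expects."""
    sent, expected = classify(first_bytes(mode)), listener_expects(port)
    if sent == expected:
        return "ok"
    if sent == "ldap":
        return "mismatch: cleartext StartTLS request sent to a TLS-only listener"
    return "mismatch: TLS handshake sent to a cleartext LDAP listener"


if __name__ == "__main__":
    print("StartTLS request:", starttls_request().hex())
    for mode in ("-Z", "-ZZ"):
        for port in (LDAP_PORT, LDAPS_PORT):
            print(f"{mode:4} -p {port}: {diagnose(mode, port)}")
```

The two combinations that report "ok" are the ones recommended in the reply above: `-Z` with `-p 636`, or `-ZZ` with `-p 389`.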
 
Old 01-21-2011, 07:24 PM
Rich Megginson
 
Default Sync AD with 389-DS Unable to parse response

> Date: Fri, 21 Jan 2011 10:25:56 +0100
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
>
> Hi Rich,
>
> Thanks for this useful link.
>
> I have successfully initiated replica between Windows AD and my
> server 389-DS. Ldapsearch is working. But even if everything seems
> to be ok, the update does not work and I do not see any error in
> the log files... So, my AD server stays empty, the accounts are not
> migrated...
>
> Here you have my access log file which is more verbose... (mydomain.com for the example) :
> <snip>
>
> Obviously I am connecting to the server
> 389-DS itself whereas it can resolve the DNS name of my Windows
> server... There is no error in the AD event viewer while I could
> see errors on it when it was misconfigured
> (like DirSync errors)... So, basically, the Windows server is
> contacted to my DS-Server over 2 different networks.
>
> Do you think I have to open the ports described in my message ?
>
> -Regards.

I don't know. There is no winsync information in the access log.
Note that the access log records client accesses to the directory
server, and in winsync, the directory server itself acts as a client
to AD, so winsync will log nothing in the access log. The errors
log could be helpful, and especially using the replication log level
(which is also used for winsync logging). The Windows Event Viewer
is useless for winsync issues.



 
Old 01-25-2011, 07:29 AM
remy d1
 
Default Sync AD with 389-DS Unable to parse response

Hi Rich,

I tried to raise the log level, but when I did it, I was not able to stop/restart my dirsrv service. To stop it, I must kill the process and remove the pid file. Then I could start it.

In my error logs, there is a lot of information :



[root@KingKong ~]# tail /var/log/dirsrv/slapd-KingKong/errors
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica

[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4

[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4

[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4

[24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4

[24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog program - cl5ExportLDIF: failed to locate changelog file for replica at (dc=mydomain,dc=com)



This problem is very similar to this post :
http://www.redhat.com/archives/fedora-directory-commits/2009-March/msg00005.html

Although I have the last version of 389-DS.

I think I have also some troubleshooting with my hostname because bind is not configured. However, I have chosen to put it in my /etc/hosts file

[root@KingKong ~]# nl /etc/host.conf
     1  multi on
     2  order hosts,bind

The hostname command replies with the full "fqdn" if I choose the option --all-fqdn, contrary to the option "--fqdn". The reply is just my hostname without the domain. By the way, if I say

# hostname KingKong.mydomain.com

Everything is now good for my hostname but I can not launch my 389-console. I think the address to connect is not ok... I do not know if this problem is linked to the previous problems...


So, I do # hostname KingKong
Then, I launch the console again. Now, if I try to initiate a full synchronization, I can see (and I am still stuck on it) the window "please wait while data is being synchronized...", but nothing else... Data are not synchronized and I do not see anything in my Windows event viewer while replica agreement seems to be ok and PassSync service is installed...



Thanks for help,

-Regards

 
Old 01-25-2011, 02:14 PM
Rich Megginson
 
Default Sync AD with 389-DS Unable to parse response

On 01/25/2011 01:29 AM, remy d1 wrote:
> Hi Rich,
>
> I tried to raise the log level, but when I did it, I was not able
> to stop/restart my dirsrv service.

What log level did you use? What error messages did you see when
you attempted to stop/restart the service? Anything in the errors
log?

> To stop it, I must kill the process and remove the pid
> file. Then I could start it.
>
> In my error logs, there is a lot of information :
>
> [root@KingKong ~]# tail /var/log/dirsrv/slapd-KingKong/errors
> [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
> [24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
> [24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog program - cl5ExportLDIF: failed to locate changelog file for replica at (dc=mydomain,dc=com)
>
> This problem is very similar to this post :
>
> http://www.redhat.com/archives/fedora-directory-commits/2009-March/msg00005.html
>
> Although I have the last version of 389-DS.

Are you sure this is the correct post you wanted to refer to?
Because this is a patch commit for a fix when moving the changelog
directory - did you move the changelog directory? Because you did
not mention it in your earlier post.

> I think I have also some troubleshooting with my hostname because
> bind is not configured. However, I have chosen to put it in my
> /etc/hosts file
>
> [root@KingKong ~]# nl /etc/host.conf
>      1  multi on
>      2  order hosts,bind
>
> The hostname command replies with the full "fqdn" if I choose the option
> --all-fqdn, contrary to the option "--fqdn". The reply is just my
> hostname without the domain. By the way, if I say
>
> # hostname KingKong.mydomain.com
>
> Everything is now good for my hostname but I can not launch my
> 389-console. I think the address to connect is not ok... I do not
> know if this problem is linked to the previous problems...
>
> So, I do # hostname KingKong
>
> Then, I launch the console again. Now, if I try to initiate a full
> synchronization, I can see (and I am still stuck on it) the window
> "please wait while data is being synchronized...", but nothing
> else... Data are not synchronized and I do not see anything in my
> Windows event viewer while replica agreement seems to be ok and
> PassSync service is installed...

It is very difficult to change your hostname after you have
configured the admin server and console. I suggest starting over
from scratch, and first make sure your hostname is correct.

I also suggest using
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync
to configure Windows Sync.

> Thanks for help,
>
> -Regards



 
Old 02-09-2011, 12:39 PM
remy d1
 
Default Sync AD with 389-DS Unable to parse response

Hi Rich,

I reinstalled all my server from scratch and reimported all my data (with cert files).

If I try to synchronize my data, I can import users from AD to 389-DS but I can't do the opposite. My 389 server replica is always in status "in progress" with "replica acquired successfully : incremental update started", but it can't finish the synchronization job.


I could also continue to launch requests to my AD server from my 389-DS server (ldapsearch...). I successfully added a user to my AD with Apache Directory Studio (installed on my 389-DS server) with the AD synchronizing account. So, it's not an access problem.


Moreover I added a schema on my 389-DS for my directory that is not present on my AD. Do you think I have to add this schema to AD or is the synchronization done only on AD required attributes ?

Or,

Is it a cert file problem on my AD ?


or ...?

Any idea would be appreciated

Regards-


 
Old 02-09-2011, 02:46 PM
Rich Megginson
 
Default Sync AD with 389-DS Unable to parse response

On 02/09/2011 06:39 AM, remy d1 wrote:
> Hi Rich,
>
> I reinstalled all my server from scratch and reimported all my
> data (with cert files).
>
> If I try to synchronize my data, I can import users from AD to
> 389-DS but I can't do the opposite. My 389 server replica is
> always in status "in progress" with "replica acquired successfully
> : incremental update started", but it can't finish the
> synchronization job.

Sometimes you have to tell winsync to do a full resync a few times
before it finally works.

> I could also continue to launch requests to my AD server from my
> 389-DS server (ldapsearch...). I successfully added a user to my AD
> with Apache Directory Studio (installed on my 389-DS server) with
> the AD synchronizing account. So, it's not an access problem.
>
> Moreover I added a schema on my 389-DS for my directory that is
> not present on my AD. Do you think I have to add this schema to AD
> or is the synchronization done only on AD required attributes ?

No. The schema that winsync uses is hard coded in 389 - you cannot
extend it or change it - it should work with AD, no changes to AD
should be required.

> Or,
>
> Is it a cert file problem on my AD ?
>
> or ...?
>
> Any idea would be appreciated
>
> Regards-





 
Old 02-14-2011, 08:09 AM
remy d1
 
Default Sync AD with 389-DS Unable to parse response

Hi,

Is there a timeout for Windows Sync ?

Thanks

2011/2/9 Rich Megginson <rmeggins@redhat.com>








On 02/09/2011 06:39 AM, remy d1 wrote:
Hi Rich,



I reinstalled all my server from scratch and reimported all my
data (with cert files).



If I try to synchronize my data, I can import users from AD to
389-DS but I can't do the opposite. My 389 server replica is
always in status "in progress" with "replica acquired successfully
: incremental update started", but it can't finish the
synchronization job.




Sometimes you have to tell winsync to do a full resync a few times
before it finally works.




I could also continue to launch request to my AD server from my
389-DS server (ldapsearch...). I successfully add a user to my AD
with Apache Directory Studio (installed on my 389-DS server) with
the AD synchronizing account. So, it's not an access problem.



Moreover I added a schema on my 389-DS for my directory that is
not present on my AD. Do you think I have to add this schema to AD
or is the synchronization done only on AD required attributes ?


No.* The schema that winsync uses is hard coded in 389 - you cannot
extend it or change it - it should work with AD, no changes to AD
should be required.



Or,



Is it a cert file problem on my AD ?



or ...?



Any idea would be appreciated



Regards-





2011/1/25 Rich Megginson <rmeggins@redhat.com>



On 01/25/2011 01:29 AM, remy d1 wrote:
Hi Rich,



I tried to raise the log level, but when I did it, I was
not able to stop/restart my dirsrv service.

What log level did you use?* What error messages did you see
when you attempted to stop/restart the service?* Anything in
the errors log?


To stop it, I must kill the
process and remove the pid file. Then I could start it.



In my error logs, there is a lot of informations :






[root@KingKong ~]# tail /var/log/dirsrv/slapd-KingKong/errors
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: no DB object found for database /var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
[24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin - changelog program - cl5ExportLDIF: failed to locate changelog file for replica at (dc=mydomain,dc=com)






This problem is very similar to this post :

http://www.redhat.com/archives/fedora-directory-commits/2009-March/msg00005.html



Although I have the last version of 389-DS.



Are you sure this is the correct post you wanted to refer
to? Because this is a patch commit for a fix when moving
the changelog directory - did you move the changelog
directory? Because you did not mention it in your earlier
post.




I think I have also some troubleshooting with my
hostname because bind is not configured. However, I have
chosen to put it in my /etc/hosts file

[root@KingKong ~]# nl /etc/host.conf
     1  multi on
     2  order hosts,bind


hostname command reply the full "fqdn" if I choose the
option --all-fqdn, contrary to the option "--fqdn". The
reply is just my hostname without the domain. By the
way, if I say

#hostname KingKong.mydomain.com


Everything is now good for my hostname but I can not
launch my 389-console. I think the address to connect is
not ok... I do not know if this problem is linked to the
previous problems...



So, I do #hostname KingKong

Then, I launch the console again. Now, if I try to
initiate a full synchronization, I can see (and I am
still stuck on it) the window "please wait while data is
being synchronized...", but nothing else... Data are not
synchronized and I do not see anything in my Windows
event viewer while replica agreement seems to be ok and
PassSync service is installed...



It is very difficult to change your hostname after you have
configured the admin server and console. I suggest starting
over from scratch, and first make sure your hostname is
correct.



I also suggest using http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync
to configure Windows Sync.






Thanks for help,



-Regards



2011/1/21 Rich Megginson <rmeggins@redhat.com>




Date:
Fri, 21 Jan 2011 10:25:56 +0100




To:
"General discussion list for the 389
Directory server project." <389-users@lists.fedoraproject.org>





Hi Rich,



Thanks for this useful link.



I have successfully initiated replica between
Windows AD and my server 389-DS. Ldapsearch is
working. But even if everything seems to be
ok, the update does not work and I do not see
any error in the log files... So, my AD server
stays empty, the accounts are not migrated...



Here you have my access log file which is more
verbose... (mydomain.com
for the example) :

<snip>

Obviously I am connecting
to the server 389-DS itself whereas it can
resolve the DNS name of my Windows server...
There is no error in the AD event viewer while I
could see errors on it when it was misconfigured
(like DirSync errors)... So, basically, the
Windows server is contacted to my DS-Server over
2 different networks.



Do you think I have to open the ports described
in my message ?



-Regards.
I don't know. There is no winsync information in
the access log. Note that the access log records
client accesses to the directory server, and in
winsync, the directory server itself acts as a
client to AD, so winsync will log nothing in the
access log. The errors log could be helpful, and
especially using the replication log level (which
is also used for winsync logging). The Windows
Event Viewer is useless for winsync issues.






















--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 02-14-2011, 03:27 PM
Rich Megginson
 
Default Sync AD with 389-DS Unable to parse response

On 02/14/2011 02:09 AM, remy d1 wrote:
Hi,



Is there a timeout for Windows Sync ?


It uses the same one as regular replication

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#setting-replication-timeout-periods



Thanks



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
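
Added example (not part of the thread and not 389-DS project code): the replies above point to the errors log as the place where winsync activity is recorded. The Python below re-joins mail-wrapped errors-log records like those quoted in this thread and collapses repeats per replication agreement or subsystem. The sample lines are constructed from the excerpts posted here, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample shaped like the excerpts in this thread; record 3 is mail-wrapped.
SAMPLE = '''\
[19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin - agmt="cn=Synchro ldap" (WINSERVER:636): Unable to parse the response to the startReplication extended operation. Replication is aborting.
[19/Jan/2011:14:37:07 +0100] NSMMReplicationPlugin - agmt="cn=Synchro ldap" (WINSERVER:636): Incremental update failed and requires administrator action
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin - changelog program - cl5GetOperationCount: could not get DB object for replica
'''

START = re.compile(r'^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]')
RECORD = re.compile(r'^\[([^\]]+)\]\s+(\S+)\s+-\s+(.*)$')
AGMT = re.compile(r'^agmt="([^"]+)"\s+\(([^)]+)\):\s*(.*)$')

def join_wrapped(text):
    """Rebuild one string per record; a record starts with a [timestamp]."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if START.match(line):
            records.append(line)
        elif line and records:
            records[-1] += ' ' + line  # continuation of a wrapped record
    return records

def parse(record):
    """Return time, plugin, source (agreement or subsystem), peer and text."""
    m = RECORD.match(record)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z')
    if (a := AGMT.match(m.group(3))):
        source, peer, text = a.groups()
    else:  # e.g. "changelog program - cl5GetOperationCount: ..."
        head, sep, tail = m.group(3).partition(' - ')
        source, peer, text = (head, None, tail) if sep else (None, None, head)
    return {'ts': ts, 'plugin': m.group(2), 'source': source, 'peer': peer, 'text': text}

def summarize(text, plugin='NSMMReplicationPlugin'):
    """One row per (source, peer, text): repeat count plus first and last time seen."""
    rows = {}
    for rec in (r for r in map(parse, join_wrapped(text)) if r and r['plugin'] == plugin):
        row = rows.setdefault((rec['source'], rec['peer'], rec['text']),
                              {'count': 0, 'first': rec['ts'], 'last': rec['ts']})
        row['count'] += 1
        row['last'] = max(row['last'], rec['ts'])
    return rows
```

Calling `summarize()` on the text of an errors log returns a dictionary keyed by (source, peer, message), so a message repeated every few seconds shows up once with its count and time span.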
 
