Created attachment 495309
List of reserved words that AD cannot have as a uid.

Description of problem:
There is a list of reserved uids within Active Directory which cannot be synchronized from RHDS to AD. If a uid within RHDS is equal to one of these values, the initialization of the AD consumer will fail to complete.

Version-Release number of selected component (if applicable):
RHDS 8.2

How reproducible:
100%

Steps to Reproduce:
1. Create an account in an RHDS with a sync agreement to an AD consumer.
2. Enter one of the prohibited words that Active Directory won't allow to be a uid.
3. Initiate a full sync.

Actual results:
When the user in question is encountered, the following message appears in /var/log/dirsrv/slapd-<instance>/errors:

[27/Apr/2011:13:04:42 -0500] NSMMReplicationPlugin - agmt="cn=ADSync" (huey:389): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - -1

In our case, we used the uid "service".

Expected results:
I would like to see RHDS log the error but continue with the initialization rather than aborting.

Additional info:
In addition, it would be nice if RHDS could parse the entire database of users within it to determine if any of these words exist prior to a winsync init operation. If they exist, an alert should be generated. It would be nice to incorporate that into the syntax-validate.pl script as a caveat for Winsync.
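The pre-flight check the reporter asks for, as an added example that is not part of the bug report, of 389-ds, or of syntax-validate.pl: it scans an LDIF export of the user suffix (the kind `ldapsearch -LLL uid` produces) for uid values that match a reserved-word list and reports each offending entry before a winsync full init is started. The attachment with the real reserved list is not reproduced on this page, so the list below is a placeholder: only "service" comes from the report, the other two names are assumed. The sample LDIF is constructed. The comparison is case-insensitive on the assumption that AD account names are matched that way.

```python
"""Pre-flight check for a winsync full init: flag uid values that match a
reserved-word list before the AD consumer rejects them.

Added example only; not code from 389-ds/RHDS or syntax-validate.pl.
"""
import base64

# Placeholder list. "service" is the value from the report; the other two
# are assumed. Load the real list (the bug's attachment) in production.
RESERVED_UIDS = {"service", "administrator", "guest"}

# Constructed sample export, standing in for:
#   ldapsearch -x -LLL -b "ou=People,dc=example,dc=com" "(uid=*)" uid
# It includes a base64 value ("uid::") and a folded line (" ng") so the
# parser is exercised on the LDIF forms ldapsearch actually emits.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe

dn: uid=service,ou=People,dc=example,dc=com
uid: service

dn: uid=Guest,ou=People,dc=example,dc=com
uid:: R3Vlc3Q=

dn: uid=long,ou=People,dc=example,dc=com
uid: lo
 ng
"""


def parse_ldif_entries(text):
    """Return a list of (dn, [uid values]) for each entry in an LDIF text.

    Handles folded lines (a continuation line starts with one space) and
    base64-encoded values (attribute followed by "::"). Other attributes
    are ignored; only dn and uid are needed for this check.
    """
    # Unfold continuation lines first.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries = []
    dn, uids = None, []
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, uids))
            dn, uids = None, []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "uid":
            uids.append(value)
    return entries


def find_reserved_uids(ldif_text, reserved=RESERVED_UIDS):
    """Return [(dn, uid)] for every uid equal (case-insensitively) to a
    reserved word. An empty list means the init can proceed."""
    reserved_lower = {r.lower() for r in reserved}
    hits = []
    for dn, uids in parse_ldif_entries(ldif_text):
        for uid in uids:
            if uid.lower() in reserved_lower:
                hits.append((dn, uid))
    return hits


if __name__ == "__main__":
    offenders = find_reserved_uids(SAMPLE_LDIF)
    for dn, uid in offenders:
        print(f"WARNING: uid '{uid}' in {dn} is reserved by AD; "
              f"rename it before running the winsync init")
    # Non-zero exit so a wrapper script can refuse to start the init.
    raise SystemExit(1 if offenders else 0)
```

Run it against a real export by piping `ldapsearch -LLL ... uid` output into `find_reserved_uids` instead of `SAMPLE_LDIF`; the non-zero exit status is what a wrapper around the winsync init should key on.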
Upstream ticket: https://fedorahosted.org/389/ticket/48
This was fixed in 389-ds-base-1.3.2.0-1.fc20.