[Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation

thierry bordaz tbordaz at redhat.com
Fri Jun 19 14:51:08 UTC 2015


On 06/19/2015 04:27 PM, Oleg Fayans wrote:
> Hi everybody,
>
> While preparing the replica files on the latest IPA master I've 
> noticed the following error messages in the dirsrv error log:
>
> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin - 
> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-244:389): 
> Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact 
> LDAP server) ()
> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" -- 
> attribute "krbExtraData" not allowed

Hi Oleg,

This message is about a schema problem. The 'krbPrincipalAux' 
objectclass is needed to have 'krbExtraData', but 
"uid=admin,ou=people,o=ipaca" does not have this objectclass:

ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "o=ipaca" uid=admin objectclass
dn: uid=admin,ou=people,o=ipaca
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: cmsuser

Should ipaca admin be a kerberized entry?

thanks
thierry
> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send 
> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>
> Though the stdout of the replica preparation reports success, when I 
> later use the resulting gpg file to actually setup a replica the setup 
> process fails with the following output:
>
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/8]: adding sasl mappings to the directory
>   [2/8]: configuring KDC
>   [3/8]: creating a keytab for the directory
>   [4/8]: creating a keytab for the machine
>   [5/8]: adding the password extension to the directory
>   [6/8]: enable GSSAPI for replication
>   [error] RuntimeError: One of the ldap service principals is missing. 
> Replication agreement cannot be converted.
> Replication error message: Unable to acquire replicaLDAP error: No 
> such object
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the 
> ldap service principals is missing. Replication agreement cannot be 
> converted.
> Replication error message: Unable to acquire replicaLDAP error: No 
> such object
>
> The corresponding part of the ipareplica-install.log is attached
>
> I've encountered this already twice. The strangest part is that I 
> prepared 3 replicas simultaneously: 2 of them installed successfully 
> and one - failed. All three replicas were launched from the same 
> vm-template
>
>
>
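
Added example, not part of the original thread and not FreeIPA or 389-ds code: a small triage script that separates the schema violation discussed in the reply from the connection failures in the same dirsrv error log. The sample input is constructed from the three log lines quoted above, unwrapped to one line each; the function name and regular expressions are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three error-log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
[19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin - agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat" (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
[19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$')
SCHEMA = re.compile(r'Entry "(?P<dn>[^"]+)" -- attribute "(?P<attr>[^"]+)" not allowed')
BIND = re.compile(r'agmt="(?P<agmt>[^"]+)".*?LDAP error (?P<code>-?\d+) \(')
STARTTLS = re.compile(r'could not send startTLS request: error (?P<code>-?\d+) \(')


def triage(log_text):
    """Group error-log lines into schema violations and connection failures."""
    report = {"schema": defaultdict(set), "connect": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        ts, msg = m["ts"], m["msg"]
        if (s := SCHEMA.search(msg)):
            # Attribute rejected because no objectclass on the entry allows it.
            report["schema"][s["dn"]].add(s["attr"])
        elif (b := BIND.search(msg)):
            report["connect"].append((ts, "replication-bind", b["agmt"], int(b["code"])))
        elif (t := STARTTLS.search(msg)):
            report["connect"].append((ts, "starttls", None, int(t["code"])))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dn, attrs in result["schema"].items():
        print(f"schema: {dn} rejected attributes {sorted(attrs)}")
    for ts, kind, agmt, code in result["connect"]:
        print(f"connect: {ts} {kind} error {code} agreement={agmt}")
```

Each DN reported under "schema" can then be checked with the ldapsearch shown in the reply to see which objectclasses the entry actually carries.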
