[Freeipa-users] Command-line replication does not work in FreeIPA-Master

Andrey Rogovsky a.rogovsky at gmail.com
Wed Aug 31 16:39:35 UTC 2016


Hi, Mark!

Thanks for the explanation. Now I have created the replication manager (I hope):
[root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
Enter LDAP Password:
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword::
e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ=
 =

What is next? I am using the manual for version 8, and it is a bit obsolete.


2016-08-31 19:30 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:

> Hi Andrey,
>
> It looks like you still did not create the replication manager entry.
> You must create that manager entry on the standalone server.  Please read
> the link I sent you:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
> You can verify its existence by doing this search against the standalone
> server:
>
> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>
> Mark
>
>
> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>
> Hi!
> Thank you for the fast reply.
> Yes, I want to use a standalone 389DS to replicate from FreeIPA.
> Here is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
> nsds5ReplicaChangeCount: 22
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> So, my replica has the entry "cn=replication manager"
>
> But I tried to add the entry to the agreement. Unfortunately, this did not
> help; the error is still present:
> [root@ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDN
> nsds5ReplicaBindDN: cn=replication manager,cn=config
> replace nsds5ReplicaBindDN:
>         cn=replication manager,cn=config
> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin
> tree scan will start in about 5 seconds!
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket
> for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
> set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
> set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
> set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
> such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
> failed: LDAP error 32 (No such object) ()
> ^C
> [root@ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
>         start
> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket
> for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
> set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
> set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
> set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
> such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
> failed: LDAP error 32 (No such object) ()
> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id
> [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> ^C
> [root@ldap1 ~]#
>
>
> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>
>>
>>
>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>
>> Hi!
>>
>> I am trying to manually configure a replica from FreeIPA DS to 389 DS.
>> I have two VMs: ldap1.example.com and ldap2.example.com
>> I used this manual to configure the replica:
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
>>
>> This was the replica agreement before starting:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5ReplicationAgreement)
>> # requesting: ALL
>> #
>>
>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
>> tree,
>>  cn=config
>> objectClass: top
>> objectClass: nsds5replicationagreement
>> cn: ExampleAgreement
>> nsDS5ReplicaHost: ldap2
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=replication manager
>> nsDS5ReplicaBindMethod: SIMPLE
>> nsDS5ReplicaRoot: dc=example,dc=com
>> description: agreement between supplier1 and consumer1
>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
>> authorityRevocationLis
>>  t
>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ
>> m1NRVVHQ1NxR1NJYjNEUUVG
>>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk
>> wek5qRmxNalkxWkFBQ
>>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC
>> QUVJckpINmE0S3RFYl
>>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 19700101000000Z
>> nsds5replicaLastUpdateEnd: 19700101000000Z
>> nsds5replicaChangesSentSinceStartup:
>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since
>> server s
>>  tartup
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 19700101000000Z
>> nsds5replicaLastInitEnd: 19700101000000Z
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries:
>>
>>
>> Here are the errors I get when I start the replica:
>>
>>
>> [root@ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>> replace nsds5beginreplicarefresh:
>>         start
>> modifying entry "cn=ExampleAgreement,cn=replic
>> a,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin
>> tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket
>> for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
>> set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>> set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>> set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
>> initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
>> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
>> such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
>> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
>> failed: LDAP error 32 (No such object) ()
>> ^C
>>
>> I'm assuming this is just a standalone 389 Directory Server you are
>> trying to replicate to (not a FreeIPA installation).  If it is a FreeIPA
>> installation, then you should use the FreeIPA CLI for setting up
>> replication.
>>
>> The error 32 (no such object) you are getting is because the replica does
>> not have an entry "cn=replication manager".  Looking at the replication
>> agreement:
>>
>> nsDS5ReplicaBindDN: cn=replication manager
>>
>> This is not a valid DN as there is no base suffix:  For example, I would
>> expect to see something like "cn=replication manager,cn=config"
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>
>> Regards,
>> Mark
>>
>>
>> Please help me fix this
>>
>
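
An added example, not part of the original messages or of the 389 DS / FreeIPA code: an offline check that compares the nsDS5ReplicaBindDN in a supplier's replication agreement with what the consumer holds, covering the three conditions behind the "error 32" lines in the logs above. The LDIF samples are constructed from the entries quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample LDIF, modelled on the entries quoted in this thread.
SUPPLIER = """\
dn: cn=ExampleAgreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,
 cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaBindDN: cn=replication manager
"""
CONSUMER = """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica
nsDS5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=replication manager,cn=config
objectClass: inetorgperson
"""

def parse_ldif(text):
    """Parse LDIF into dicts of lowercased attribute -> list of lowercased values."""
    entries = []
    # Unfold continuation lines (newline + one space), then split on blank lines.
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text.strip())):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.lstrip(": ").lower())
        if entry:
            entries.append(entry)
    return entries

def norm_dn(dn):
    """Lowercase a DN and drop whitespace around unescaped commas."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn.lower()))

def check_bind_dn(supplier_ldif, consumer_ldif):
    """List reasons the consumer would refuse the agreement's bind DN."""
    consumer = parse_ldif(consumer_ldif)
    present = {norm_dn(e.get("dn", [""])[0]) for e in consumer}
    allowed = {norm_dn(v) for e in consumer if "nsds5replica" in e.get("objectclass", [])
               for v in e.get("nsds5replicabinddn", [])}
    checks = [(lambda d: "," in d, "no base suffix"),
              (lambda d: d in present, "no such entry on consumer (error 32)"),
              (lambda d: d in allowed, "not the consumer replica's nsDS5ReplicaBindDN")]
    return [f"{dn}: {why}" for e in parse_ldif(supplier_ldif)
            if "nsds5replicationagreement" in e.get("objectclass", [])
            for dn in map(norm_dn, e.get("nsds5replicabinddn", []))
            for ok, why in checks if not ok(dn)]
```

Feed it the agreement search output from the supplier and the `cn=config` search output from the consumer; an empty list means the bind DN is consistent on both sides.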