<div dir="ltr"><div>Already set nsslapd-security off on server 1 <> server 2</div><div><br></div><div>But it still produces an error on replication. Is it possible to ignore any cert / StartTLS? </div><div><br></div><div>/var/log/dirsrv/slapd-PKI-IPA</div><div>[28/Apr/2016:16:51:15 +0800] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)</div><div><br></div><div>[26/Apr/2016:18:35:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-28 16:15 GMT+08:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span>
    <br>
    <br>
    <div>On 28.04.2016 08:00, Barry wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>Does NOT work, I tried it. The command cannot bind on 389 or 636, but
          telnet works.</div>
        <div><br>
        </div>
        <div>ldapmodify -h ms -p 636 -D cn="Directory Manager" -w  << EOF<br>
          dn: cn=config<br>
          changetype: modify<br>
          replace: nsslapd-security<br>
          nsslapd-security: off<br>
          EOF</div>
        <div><br>
        </div>
        <div>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</div>
        <div><br>
        </div>
      </div>
    </blockquote></span>
    Can you please try putting the FQDN of the LDAP server in option -h?<br>
    I have doubts that -h 'ms' is the server name.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    Martin</font></span><div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2016-04-27 19:29 GMT+08:00 <span dir="ltr"><<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
            <p dir="ltr">Thx, let me try, as I don't want to stop dirsrv but
              to disable nsslapd security live.</p>
            <div>
              <div>
                <div class="gmail_quote">On 27 April 2016 at 7:26 PM, "David
                  Kupka" <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>
                  wrote:<br type="attribution">
                  <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">On
                    27/04/16 13:15, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                      Do you mean to use ldapmodify?<br>
                      I tried updating the dse.ldif but it will fall back
                      after a while.<br>
                      <br>
                      On 27 April 2016 at 7:10 PM, "David Kupka" <<a href="mailto:dkupka@redhat.com" target="_blank"><a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a><br>
                      <mailto:<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>>
                      wrote:<br>
                      <br>
                          On 27/04/16 12:48, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>
                      <mailto:<a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a>>
                      wrote:<br>
                      <br>
                              Hi:<br>
                      <br>
                              Is it possible to do that without restarting
                      dirsrv?<br>
                      <br>
                      <br>
                              thx Regards<br>
                      <br>
                              barry<br>
                      <br>
                      <br>
                      <br>
                      <br>
                          Hello Barry,<br>
                      <br>
                          this ldapsearch should list all attributes
                      that need a restart after<br>
                          modification:<br>
                      <br>
                          $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-requiresrestart<br>
                      <br>
                          I don't see nsslapd-security listed so it
                      should be possible to change it at<br>
                          runtime.<br>
                      <br>
                          --<br>
                          David Kupka<br>
                      <br>
                    </a></blockquote>
                    <br>
                    Yes, I mean ldapmodify.<br>
                    <br>
                    Editing dse.ldif while dirsrv is running has no
                    effect because it is read only at start and written
                    at least before exit.<br>
                    <br>
                    If you REALLY need to edit dse.ldif be sure to stop
                    dirsrv then edit it and start dirsrv again.<br>
                    <br>
                    -- <br>
                    David Kupka<br>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
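Added example (not part of the original thread, and not 389 Directory Server or FreeIPA code): the ldapsearch quoted above returns the nsslapd-requiresrestart values as LDIF, and this Python helper checks whether a given attribute is on that list before it is changed on a live server. It assumes each value has the form entry-DN:attribute; the sample LDIF is constructed for illustration and the function names are hypothetical.

```python
import base64
import sys

# Constructed sample of LDIF output from the ldapsearch in the thread.
# Values are illustrative only, not copied from a real server.
SAMPLE_LDIF = (
    "dn: cn=config\n"
    "nsslapd-requiresrestart: cn=config:nsslapd-port\n"
    "nsslapd-requiresrestart: cn=config:nsslapd-secureport\n"
    "nsslapd-requiresrestart: cn=config,cn=ldbm database,cn=plugins,cn=config:nsslap\n"
    " d-dbcachesize\n"                      # folded (continuation) line
    "nsslapd-requiresrestart:: "            # base64-encoded value
    + base64.b64encode(b"cn=config:nsslapd-workingdir").decode() + "\n"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def normalize_dn(dn):
    """Lowercase and trim spaces around RDNs (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def restart_required(ldif_text):
    """Return the set of (entry_dn, attribute) pairs that need a restart."""
    pairs = set()
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "nsslapd-requiresrestart":
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry_dn, _, attr = value.strip().rpartition(":")
        pairs.add((normalize_dn(entry_dn), attr.strip().lower()))
    return pairs

def needs_restart(ldif_text, attribute, entry_dn="cn=config"):
    """True if changing `attribute` on `entry_dn` is listed as needing a restart."""
    return (normalize_dn(entry_dn), attribute.lower()) in restart_required(ldif_text)

if __name__ == "__main__":
    # Usage: ldapsearch ... -b cn=config nsslapd-requiresrestart | python3 this.py ATTR
    attr = sys.argv[1] if len(sys.argv) > 1 else "nsslapd-security"
    print(attr, "restart required:", needs_restart(sys.stdin.read(), attr))
```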