<div dir="ltr">Hi, Alexander!<div> </div><div>Thank for fast reply.</div><div>I have replication manager object:</div><div><div>filter: (objectclass=organizationalPerson)</div><div>requesting: All userApplication attributes</div><div># extended LDIF</div><div>#</div><div># LDAPv3</div><div># base <cn=config> with scope subtree</div><div># filter: (objectclass=organizationalPerson)</div><div># requesting: ALL</div><div>#</div><div> </div><div># replication manager, config</div><div>dn: cn=replication manager,cn=config</div><div>objectClass: inetorgperson</div><div>objectClass: person</div><div>objectClass: top</div><div>objectClass: organizationalPerson</div><div>cn: replication manager</div><div>sn: RM</div><div>userPassword:: e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=</div><div> =</div><div> </div><div># search result</div><div>search: 2</div><div>result: 0 Success</div><div> </div><div># numResponses: 2</div><div># numEntries: 1</div></div><div> </div><div>But error is present.</div><div> </div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">2016-09-01 7:14 GMT+03:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 01 Sep 2016, Andrey Rogovsky wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi! Thanks for your advices! I'm try start replica and get this errors in log: [01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) [01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) () </blockquote> You've been told already that you should have replication manager object created at both sides. Your 'cn=replicaton manager,cn=config' does not exist at the replica. You should read RHDS Administration Guide, at least the part about supplier bind DN entry, but preferrably the whole chapter it is part of: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html</a><div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> This is my current replica: filter: (objectclass=nsds5replica) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=nsds5replica) # requesting: ALL # # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=example,dc=com nsDS5ReplicaId: 7 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsDS5ReplicaBindDN: cn=replication manager,cn=config nsState:: BwAAAAAAAADqnMdXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4 nsds5ReplicaChangeCount: 118 nsds5replicareapactive: 0 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 This is my current agreement: # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=nsds5ReplicationAgreement) # requesting: ALL # # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree, cn=config objectClass: top objectClass: nsds5replicationagreement cn: ExampleAgreement nsDS5ReplicaHost: ldap2 nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=replication manager,cn=config nsDS5ReplicaBindMethod: SIMPLE nsDS5ReplicaRoot: dc=example,dc=com description: agreement between supplier1 and consumer1 nsDS5ReplicaUpdateSchedule: 0000-0500 1 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis t nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQU1Dc25vTkVzZVJ4b3 N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg== nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 19700101000000Z nsds5replicaLastUpdateEnd: 19700101000000Z nsds5replicaChangesSentSinceStartup: nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s tartup nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 20160901032423Z nsds5replicaLastInitEnd: 19700101000000Z nsds5replicaLastInitStatus: 32 - LDAP error: No such object # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 I'm try delete agreement, replica, user, changelog and create again. This not help, same error: [01/Sep/2016:03:42:37 +0000] NSMMReplicationPlugin - agmt_delete: begin [01/Sep/2016:03:45:35 +0000] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica dc=example,dc=com is no longer valid since the replica config is being deleted. Removing the changelog. [01/Sep/2016:03:53:18 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) [01/Sep/2016:03:53:18 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) () 2016-08-31 20:09 GMT+03:00 Mark Reynolds <<a href="mailto:mareynol@redhat.com" target="_blank">mareynol@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote: Hi, Mark! Thanks for explain. Now I create replication manager: (I hope) [root@ldap1 ~]# ldapsearch -h <a href="http://ldap1.example.com" rel="noreferrer" target="_blank">ldap1.example.com</a> -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager" Enter LDAP Password: dn: cn=replication manager,cn=config objectClass: inetorgperson objectClass: person objectClass: top objectClass: organizationalPerson cn: replication manager sn: RM userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSU dCNWJtV3RzOElNQXBhakhXam94WlE9PQ= = What is next? I use manual from 8 version and this a bit obsoleted. Now you should be able to initialize your standalone server by updating the agreement on the ipa DS: dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config changetype: modify replace: nsds5beginreplicarefresh nsds5beginreplicarefresh: start If something goes wrong let us know what's in the errors log again. Mark 2016-08-31 19:30 GMT+03:00 Mark Reynolds <<a href="mailto:mareynol@redhat.com" target="_blank">mareynol@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Andrey, It looks like you still did not create the replication manager entry. You must create that manager entry on the standalone server. Please read the link I sent you: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Direct" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Direct</a> ory_Server/10/html/Administration_Guide/Creating_the_Supplie r_Bind_DN_Entry.html You can verify its existence by doing this search against the standalone server: ldapsearch -h <a href="http://ldap1.example.com" rel="noreferrer" target="_blank">ldap1.example.com</a> -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager" Mark On 08/31/2016 11:50 AM, Andrey Rogovsky wrote: Hi! Thank you for fast reply. Yes, I want use standalone 389DS to replica from FreeIPA. There is my replica: filter: (objectclass=nsds5replica) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=nsds5replica) # requesting: ALL # # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=example,dc=com nsDS5ReplicaId: 7 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsDS5ReplicaBindDN: cn=replication manager,cn=config nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4 nsds5ReplicaChangeCount: 22 nsds5replicareapactive: 0 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 So, my replica have entry "cn=replication manager" But I try add entry in agreement. Unforthunalty this is not help, error is present: [root@ldap1 ~]# ldapmodify -v -h <a href="http://ldap1.example.com" rel="noreferrer" target="_blank">ldap1.example.com</a> -p 389 -D "cn=directory manager" -w ... ldap_initialize( ldap://<a href="http://ldap1.example.com:389" rel="noreferrer" target="_blank">ldap1.example.com:389</a> ) dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config changetype: modify replace: nsds5ReplicaBindDN nsds5ReplicaBindDN: cn=replication manager,cn=config replace nsds5ReplicaBindDN: cn=replication manager,cn=config modifying entry "cn=ExampleAgreement,cn=replic a,cn="dc=example,dc=com",cn=mapping tree,cn=config" modify complete [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization. [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) () ^C [root@ldap1 ~]# ldapmodify -v -h <a href="http://ldap1.example.com" rel="noreferrer" target="_blank">ldap1.example.com</a> -p 389 -D "cn=directory manager" -w ... ldap_initialize( ldap://<a href="http://ldap1.example.com:389" rel="noreferrer" target="_blank">ldap1.example.com:389</a> ) dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config changetype: modify replace: nsds5beginreplicarefresh nsds5beginreplicarefresh: start replace nsds5beginreplicarefresh: start modifying entry "cn=ExampleAgreement,cn=replic a,cn="dc=example,dc=com",cn=mapping tree,cn=config" modify complete [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization. [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) () [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) ^C [root@ldap1 ~]# 2016-08-31 18:15 GMT+03:00 Mark Reynolds <<a href="mailto:mareynol@redhat.com" target="_blank">mareynol@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote: Hi! I try configure manual replica from FreeIPA DS to 389 DS. I have two VM: <a href="http://ldap1.example.com" rel="noreferrer" target="_blank">ldap1.example.com</a> and <a href="http://ldap2.example.com" rel="noreferrer" target="_blank">ldap2.example.com</a> I was used this manual <a href="https://www.centos.org/" rel="noreferrer" target="_blank">https://www.centos.org/</a> docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Repl ication-cmd.html for configure relica There was replica agreement before starting: # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=nsds5ReplicationAgreement) # requesting: ALL # # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree, cn=config objectClass: top objectClass: nsds5replicationagreement cn: ExampleAgreement nsDS5ReplicaHost: ldap2 nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: cn=replication manager nsDS5ReplicaBindMethod: SIMPLE nsDS5ReplicaRoot: dc=example,dc=com description: agreement between supplier1 and consumer1 nsDS5ReplicaUpdateSchedule: 0000-0500 1 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis t nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ m1NRVVHQ1NxR1NJYjNEUUVG RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk wek5qRmxNalkxWkFBQ 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC QUVJckpINmE0S3RFYl NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg== nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 19700101000000Z nsds5replicaLastUpdateEnd: 19700101000000Z nsds5replicaChangesSentSinceStartup: nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s tartup nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 19700101000000Z nsds5replicaLastInitEnd: 19700101000000Z # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: There is errors which I get when start replica: [root@ldap1 ~]# ldapmodify -v -h <a href="http://ldap1.example.com" rel="noreferrer" target="_blank">ldap1.example.com</a> -p 389 -D "cn=directory manager" -w ... ldap_initialize( ldap://<a href="http://ldap1.example.com:389" rel="noreferrer" target="_blank">ldap1.example.com:389</a> ) dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config changetype: modify replace: nsds5beginreplicarefresh nsds5beginreplicarefresh: start replace nsds5beginreplicarefresh: start modifying entry "cn=ExampleAgreement,cn=replic a,cn="dc=example,dc=com",cn=mapping tree,cn=config" modify complete [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization. [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) () ^C I'm assuming this is just a standalone 389 Directory Server you are trying to replicate to(not a freeIPA installation). If it is a freeipa installation, then you should use the freeipa CLI for setting up replication. The error 32 (no such object) you are getting is because the replica does not have an entry "cn=replication manager". Looking at the replication agreement: nsDS5ReplicaBindDN: cn=replication manager This is not a valid DN as there is no base suffix: For example, I would expect to see something like "cn=replication manager,cn=config" <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Direct" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Direct</a> ory_Server/10/html/Administration_Guide/Creating_the_Supplie r_Bind_DN_Entry.html Regards, Mark Please help me fix this </blockquote> </blockquote> </blockquote></blockquote> </div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- / Alexander Bokovoy </blockquote></div> </div>