[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

nathan at nathanpeters.com
Fri May 15 21:09:26 UTC 2015


> On 05/14/2015 11:33 PM, nathan at nathanpeters.com wrote:
>>>> [root at ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
>>>> supersecretpassword --passsync supersecretpassword --cacert
>>>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>> Directory Manager password:
>>>>
>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to
>>>> certificate
>>>> database for ipadc1.ipadomain.net
>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>> The user for the Windows PassSync service is
>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>> Windows PassSync system account exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>> .
>>>> .
>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP
>>>> error: Connect error: start: 0: end: 0
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>>
>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP
>>>> error:
>>>> Connect error]
>>> Have you tried using ldapsearch to verify the connection?
>>>
>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ
>>> -h
>>> addc2.test.mycompany.net -D "cn=ad
>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>> "objectclass=*"
>>>
>>> and/or
>>>
>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer  ldapsearch -xLLL
>>> -ZZ -h addc2.test.mycompany.net -D "cn=ad
>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>> "objectclass=*"
>>>
>> Both commands give the same successful result.  I don't think it's a
>> problem with the credentials because I was able to generate different
>> error messages during the attempted sync setup if I intentionally gave a
>> bad password or username.
>
> Ok.  Have you tried enabling the replication log level?
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Ok, that helped a lot.  I got this fixed now.  Because the manual tells
you to export the cert using a way that doesn't work on newer versions of
Windows, I tried to improvise and my first attempt exported the wrong
cert.

The correct way is to go to mmc.exe and add the Certificates snap-in.
Then go to the Personal certificate store for the machine account and export
the one that has -CA at the end of it in the "Issued To" column.

Now that the correct certificate was exported, replication succeeded.  The
docs should be updated though to reflect the proper way to export.
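A scripted equivalent of the export step above, added here as an example and not part of the original message or of FreeIPA's own tooling: instead of picking the certificate by its "-CA" display name, it selects the one whose Basic Constraints extension asserts CA:TRUE, confirms that certificate actually issued the DC's own LDAPS certificate, and writes it out in DER form. It assumes Windows Server 2012 or later (for Export-Certificate), and the output path C:\Temp\addc2-test.cer is a constructed placeholder.

```powershell
# Added example: export the CA certificate from a domain controller's machine
# Personal store for use with ipa-replica-manage connect --winsync --cacert.
# Assumes the PKI module (Export-Certificate) present on Windows Server 2012+.
$OutFile = 'C:\Temp\addc2-test.cer'   # constructed placeholder path

$store = Get-ChildItem Cert:\LocalMachine\My

# Keep only certificates that are CAs according to Basic Constraints. The DC's
# own LDAPS server certificate is CA:FALSE, so it is filtered out here; exporting
# that one is the mistake described in the thread.
$caCerts = @($store | Where-Object {
    $bc = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $bc -and $bc.CertificateAuthority
})

if ($caCerts.Count -eq 0) {
    throw 'No CA certificate in LocalMachine\My; export it from the issuing CA host instead.'
}
if ($caCerts.Count -gt 1) {
    $caCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    throw 'More than one CA certificate found; select the intended one by thumbprint.'
}
$ca = $caCerts[0]

# Sanity check: this CA should have issued at least one non-CA certificate in the
# same store (the DC's server certificate). If it did not, ldapsearch -ZZ may still
# work with a different trust store, but the winsync agreement will fail to connect.
$issued = @($store | Where-Object { $_.Issuer -eq $ca.Subject -and $_.Thumbprint -ne $ca.Thumbprint })
if ($issued.Count -eq 0) {
    throw "CA '$($ca.Subject)' issued no server certificate in this store; wrong CA?"
}

Write-Host "Exporting CA: $($ca.Subject) thumbprint $($ca.Thumbprint)"
# -Type CERT writes a binary DER .cer; convert with 'certutil -encode' if PEM is wanted.
Export-Certificate -Cert $ca -FilePath $OutFile -Type CERT | Out-Null
```

Copy the resulting file to the IPA server and pass its path to `--cacert` exactly as in the command quoted at the top of the thread.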




