[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

Rich Megginson rmeggins at redhat.com
Fri May 15 22:10:10 UTC 2015


On 05/15/2015 03:09 PM, nathan at nathanpeters.com wrote:
>> On 05/14/2015 11:33 PM, nathan at nathanpeters.com wrote:
>>>>> [root at ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
>>>>> supersecretpassword --passsync supersecretpassword --cacert
>>>>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>>> Directory Manager password:
>>>>>
>>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to
>>>>> certificate
>>>>> database for ipadc1.ipadomain.net
>>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>>> The user for the Windows PassSync service is
>>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>>> Windows PassSync system account exists, not resetting password
>>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>>> .
>>>>> .
>>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP
>>>>> error: Connect error: start: 0: end: 0
>>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>>> Starting replication, please wait until this has completed.
>>>>>
>>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP
>>>>> error:
>>>>> Connect error]
>>>> Have you tried using ldapsearch to verify the connection?
>>>>
>>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ
>>>> -h
>>>> addc2.test.mycompany.net -D "cn=ad
>>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>>> "objectclass=*"
>>>>
>>>> and/or
>>>>
>>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer  ldapsearch -xLLL
>>>> -ZZ -h addc2.test.mycompany.net -D "cn=ad
>>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>>> "objectclass=*"
>>>>
>>> Both commands give the same successful result.  I don't think it's a
>>> problem with the credentials because I was able to generate different
>>> error messages during the attempted sync setup if I intentionally gave a
>>> bad password or username.
>> Ok.  Have you tried enabling the replication log level?
>>
>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
> Ok, that helped a lot.  I got this fixed now.  Because the manual tells
> you to export the cert using a way that doesn't work on newer versions of
> windows, I tried to improvise and my first attempt exported the wrong
> cert.
>
> The correct way is to go to mmc.exe and add the certificates snap-in.
> Then go to personal certificates store for the machine account and export
> the one that has -CA at the end of it in the issued to column.
>
> Now that the correct certificate was exported, replication succeeded.  The
> docs should be updated though to reflect the proper way to export.
>

I will file a doc bug.  What version of Windows are you using that does 
not have the correct instructions?
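The fix in this thread came down to exporting the wrong certificate from the Windows store. The script below is an added example (not from the thread, not FreeIPA or 389-ds code) of the check a practitioner would run before handing a file to `--cacert`: confirm that the file is a CA certificate and that the domain controller's LDAPS certificate actually chains to it. It only needs the `openssl` command line; the CA, server certificate and unrelated CA it builds are throwaway material generated in a temp directory, and every name in them is made up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project:
# check that a file exported from the Windows certificate store is really the
# CA that issued the AD domain controller's LDAPS certificate.  All keys and
# names here are constructed on the fly so the script runs offline.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on the host's openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed test material: a CA, a DC server cert issued by it, and an
# unrelated CA standing in for "the wrong entry exported from the store".
make_test_material() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
    -subj "/CN=test-mycompany-CA" >/dev/null 2>&1
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" -days 1 \
    -subj "/CN=some-other-CA" >/dev/null 2>&1
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" \
    -subj "/CN=addc2.test.mycompany.net" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/dc.pem" -days 1 >/dev/null 2>&1
}

# cacert_issued_server CA_FILE SERVER_CERT   (both PEM)
# Returns 0 only if CA_FILE carries basicConstraints CA:TRUE and SERVER_CERT
# verifies against it; returns 1 for a server cert, a leaf, or a foreign CA.
cacert_issued_server() {
  ca="$1"; srv="$2"
  openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 || return 1
  return 0
}

# describe CA_FILE SERVER_CERT: one-line verdict for interactive use.
describe() {
  if cacert_issued_server "$1" "$2"; then
    echo "OK: $(basename "$1") issued $(basename "$2")"
  else
    echo "WRONG CERT: $(basename "$1") did not issue $(basename "$2")"
  fi
}

make_test_material
describe "$WORK/ca.pem"       "$WORK/dc.pem"   # the right export
describe "$WORK/dc.pem"       "$WORK/dc.pem"   # exported the DC's own server cert
describe "$WORK/other-ca.pem" "$WORK/dc.pem"   # exported a different CA
```

Against a real domain controller you would replace the generated `dc.pem` with the certificate the DC presents on port 636 (for example captured with `openssl s_client -showcerts -connect addc2.test.mycompany.net:636 </dev/null`) and point the first argument at the file you intend to pass to `--cacert`. A "WRONG CERT" verdict before running `ipa-replica-manage connect --winsync` saves the opaque `-11 - LDAP error: Connect error` round trip the thread starts with.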




