[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

Rich Megginson rmeggins at redhat.com
Mon May 18 14:18:12 UTC 2015


On 05/16/2015 04:06 PM, Nathan Peters wrote:
> I have updated the bug report you filed below.
>
> The issue was that the instructions would only work in Windows Server 
> 2003 because My Network Places was removed in 2008 and above.  Since 
> the manual clearly states that the AD sync is to be performed with 
> server 2008 / 2012 only it made no sense to give instructions for an 
> incompatible version of windows.
>
> I have added to the ticket 2 methods to get the *correct* certificate 
> that will work in both server 2008 r2 and server 2012 r2.

I am cc'd on the bug and have seen all of the information you added.  
Thanks!

>
> On 05/15/2015 03:09 PM, nathan at nathanpeters.com wrote:
>>> On 05/14/2015 11:33 PM, nathan at nathanpeters.com wrote:
>>>>>> [root at ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>>>> Directory Manager password:
>>>>>>
>>>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
>>>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>>>> The user for the Windows PassSync service is
>>>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>>>> Windows PassSync system account exists, not resetting password
>>>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
>>>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>>>> Starting replication, please wait until this has completed.
>>>>>>
>>>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP error: Connect error]
>>>>> Have you tried using ldapsearch to verify the connection?
>>>>>
>>>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
>>>>>
>>>>> and/or
>>>>>
>>>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
>>>>>
>>>> Both commands give the same successful result.  I don't think it's a
>>>> problem with the credentials because I was able to generate different
>>>> error messages during the attempted sync setup if I intentionally 
>>>> gave a
>>>> bad password or username.
>>> Ok.  Have you tried enabling the replication log level?
>>>
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>> Ok, that helped a lot.  I got this fixed now.  Because the manual tells
>> you to export the cert using a way that doesn't work on newer 
>> versions of
>> windows, I tried to improvise and my first attempt exported the wrong
>> cert.
>>
>> The correct way is to go to mmc.exe and add the certificates snap-in.
>> Then go to personal certificates store for the machine account and 
>> export
>> the one that has -CA at the end of it in the issued to column.
>>
>> Now that the correct certificate was exported, replication 
>> succeeded.  The
>> docs should be updated though to reflect the proper way to export.
>>
> https://bugzilla.redhat.com/show_bug.cgi?id=1222161
>
> Please add yourself to the bug and provide any additional information.
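The root cause in this thread was that the certificate exported from the Windows DC's Personal store was the DC's own server certificate rather than the AD CA certificate, and 389-ds then could not build a trust chain to addc2 (the "-11 LDAP error: Connect error" above, with nothing wrong in the credentials). The following is an added example, not code from the FreeIPA project or from anyone in the thread: a small POSIX sh check that inspects an exported .cer file before it is handed to `ipa-replica-manage --cacert`, accepting either Windows export encoding (Base-64 PEM or DER), and reporting whether it is a CA certificate (subject equals issuer and Basic Constraints CA:TRUE) or an end-entity certificate such as the DC's own. It assumes the `openssl` command-line tool is installed; the function names, the TEST-CA subject and the addc2.test.example host name are this example's own constructed values, generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not FreeIPA code): verify that a certificate file exported
# from a Windows DC is the AD CA certificate, not the DC's own server
# certificate, before passing it to ipa-replica-manage --cacert.
# Assumes the openssl CLI is installed; names and sample certs are constructed.

# Emit the certificate as PEM. Windows exports are often DER
# ("DER encoded binary X.509"), which a PEM-only consumer will reject.
cert_to_pem() {
    openssl x509 -inform PEM -in "$1" 2>/dev/null && return 0
    openssl x509 -inform DER -in "$1" 2>/dev/null
}

# Return 0 when FILE holds a CA certificate: subject equals issuer (a
# self-signed root, as an AD enterprise root CA is) and the Basic
# Constraints extension says CA:TRUE. A DC's own certificate fails the
# first test because its issuer is the CA, not itself.
is_ca_cert() {
    pem=$(cert_to_pem "$1") || return 1
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# Constructed sample data standing in for the Windows exports: a self-signed
# CA (PEM and DER copies) and a server certificate it issued, written into
# DIR as ca.pem, ca.der and dc.pem. An explicit config keeps the result
# independent of whatever openssl.cnf the host ships.
make_sample_certs() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = TEST-CA
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=addc2.test.example" -keyout "$dir/dc.key" -out "$dir/dc.csr" 2>/dev/null
    openssl x509 -req -in "$dir/dc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/dc.pem" 2>/dev/null
}

# Print a verdict per file; the exit status of is_ca_cert is what a wrapper
# around ipa-replica-manage would act on.
report() {
    if is_ca_cert "$1"; then
        echo "$1: CA certificate, usable as --cacert"
    else
        echo "$1: not a CA certificate (probably the DC's own cert)"
    fi
}

tmp=$(mktemp -d)
make_sample_certs "$tmp"
report "$tmp/ca.pem"
report "$tmp/ca.der"
report "$tmp/dc.pem"
rm -rf "$tmp"
```

Run against a real export with `is_ca_cert /etc/openldap/cacerts/addc2-test.cer`; a failure here, before any agreement is created, is a much faster signal than the "-11 Connect error" status reported after `ipa-replica-manage connect`. The same PEM produced by `cert_to_pem` is what the `LDAPTLS_CACERT=... ldapsearch -ZZ` check earlier in the thread needs.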
