[Freeipa-users] Command-line replication does not work in FreeIPA-Master
Mark Reynolds
mareynol at redhat.com
Wed Aug 31 16:30:17 UTC 2016
Hi Andrey,
It looks like you still did not create the replication manager entry.
You must create that manager entry on the standalone server. Please
read the link I sent you:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
You can verify its existence by doing this search against the standalone
server:
ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
Mark
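Added example (not from this thread or from the 389 DS project): a script that emits the supplier bind DN entry for the consumer, rewrites the agreement on the supplier to use the full DN, and checks that the bind DN actually has a suffix. It assumes the hostnames, suffix and agreement name from the thread and a placeholder password in RM_PASSWORD; it only contacts the servers when invoked with the argument `apply`.

```shell
#!/bin/sh
# Assumed from the thread: supplier ldap1, consumer ldap2, suffix dc=example,dc=com,
# agreement cn=ExampleAgreement. RM_PASSWORD is a placeholder to be replaced.
set -eu

CONSUMER="${CONSUMER:-ldap2.example.com}"
SUPPLIER="${SUPPLIER:-ldap1.example.com}"
AGREEMENT_DN='cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
BIND_DN='cn=replication manager,cn=config'
RM_PASSWORD="${RM_PASSWORD:-CHANGE-ME-placeholder}"

# "cn=replication manager" alone is a single RDN with no suffix, which is what
# produced LDAP error 32 above. Heuristic: a usable bind DN has at least two RDNs.
dn_is_qualified() {
    case "$1" in
        *,*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Entry that must exist on the CONSUMER (the standalone 389 DS), per the RHDS guide.
supplier_bind_dn_ldif() {
    cat <<EOF
dn: $BIND_DN
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: $RM_PASSWORD
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Modify on the SUPPLIER: full bind DN, and credentials matching the consumer entry.
agreement_fix_ldif() {
    cat <<EOF
dn: $AGREEMENT_DN
changetype: modify
replace: nsDS5ReplicaBindDN
nsDS5ReplicaBindDN: $BIND_DN
-
replace: nsDS5ReplicaCredentials
nsDS5ReplicaCredentials: $RM_PASSWORD
EOF
}

if [ "${1:-}" = "apply" ]; then
    dn_is_qualified "$BIND_DN" || { echo "bind DN has no suffix" >&2; exit 1; }
    supplier_bind_dn_ldif | ldapadd -x -H "ldap://$CONSUMER" -D "cn=directory manager" -W
    ldapsearch -x -LLL -H "ldap://$CONSUMER" -D "cn=directory manager" -W -b cn=config "cn=replication manager" dn
    agreement_fix_ldif | ldapmodify -x -H "ldap://$SUPPLIER" -D "cn=directory manager" -W
fi
```

After the modify, re-run the verification ldapsearch above and watch the errors log for the next replication bind.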
On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
> Hi!
> Thank you for fast reply.
> Yes, I want to use a standalone 389DS as a replica from FreeIPA.
> There is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
> nsds5ReplicaChangeCount: 22
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> So, my replica has the entry "cn=replication manager"
>
> But I tried adding the entry in the agreement. Unfortunately this does not help;
> the error is still present:
> [root at ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDN
> nsds5ReplicaBindDN: cn=replication manager,cn=config
> replace nsds5ReplicaBindDN:
> cn=replication manager,cn=config
> modifying entry
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin -
> schema-compat-plugin tree scan will start in about 5 seconds!
> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636
> for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on
> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind
> id [cn=replication manager] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE
> auth failed: LDAP error 32 (No such object) ()
> ^C
> [root at ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
> start
> modifying entry
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636
> for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on
> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind
> id [cn=replication manager] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE
> auth failed: LDAP error 32 (No such object) ()
> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind
> id [cn=replication manager,cn=config] authentication mechanism
> [SIMPLE]: error 32 (No such object) errno 0 (Success)
> ^C
> [root at ldap1 ~]#
>
>
> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>
>
>
> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>> Hi!
>>
>> I am trying to configure a manual replica from FreeIPA DS to 389 DS.
>> I have two VMs: ldap1.example.com and ldap2.example.com
>> I used this manual
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
>> to configure the replica
>>
>> There was replica agreement before starting:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5ReplicationAgreement)
>> # requesting: ALL
>> #
>>
>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping
>> tree, config
>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replicationagreement
>> cn: ExampleAgreement
>> nsDS5ReplicaHost: ldap2
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=replication manager
>> nsDS5ReplicaBindMethod: SIMPLE
>> nsDS5ReplicaRoot: dc=example,dc=com
>> description: agreement between supplier1 and consumer1
>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>> nsDS5ReplicaCredentials:
>> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
>> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQUVJckpINmE0S3RFYl
>> NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 19700101000000Z
>> nsds5replicaLastUpdateEnd: 19700101000000Z
>> nsds5replicaChangesSentSinceStartup:
>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 19700101000000Z
>> nsds5replicaLastInitEnd: 19700101000000Z
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries:
>>
>>
>> These are the errors I get when starting the replica:
>>
>>
>> [root at ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>> replace nsds5beginreplicarefresh:
>> start
>> modifying entry
>> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config"
>> modify complete
>>
>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin -
>> schema-compat-plugin tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port
>> 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on
>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
>> entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
>> entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
>> entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished
>> plugin initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not
>> bind id [cn=replication manager] authentication mechanism
>> [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
>> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with
>> SIMPLE auth failed: LDAP error 32 (No such object) ()
>> ^C
> I'm assuming this is just a standalone 389 Directory Server you
> are trying to replicate to (not a FreeIPA installation). If it is
> a FreeIPA installation, then you should use the FreeIPA CLI for
> setting up replication.
>
> The error 32 (no such object) you are getting is because the
> replica does not have an entry "cn=replication manager". Looking
> at the replication agreement:
>
> nsDS5ReplicaBindDN: cn=replication manager
>
> This is not a valid DN as there is no base suffix: For example, I
> would expect to see something like "cn=replication manager,cn=config"
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
> Regards,
> Mark
>>
>> Please help me fix this