[Freeipa-users] Command-line replication is not working in FreeIPA-Master
Mark Reynolds
mareynol at redhat.com
Wed Aug 31 17:09:44 UTC 2016
On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
> Hi, Mark!
>
> Thanks for the explanation. Now I have created the replication manager (I hope):
> [root at ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
> Enter LDAP Password:
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ==
>
> What is next? I am using the manual for version 8 and it is a bit obsolete.
Now you should be able to initialize your standalone server by updating
the agreement on the IPA DS:

dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start

If something goes wrong let us know what's in the errors log again.
Mark
>
>
> 2016-08-31 19:30 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>
> Hi Andrey,
>
> It looks like you still did not create the replication manager
> entry. You must create that manager entry on the standalone
> server. Please read the link I sent you:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
> You can verify its existence by doing this search against the
> standalone server:
>
> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>
> Mark
>
>
> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>> Hi!
>> Thank you for fast reply.
>> Yes, I want to use a standalone 389 DS as a replica from FreeIPA.
>> Here is my replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 22
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> So, my replica has the entry "cn=replication manager"
>>
>> But I tried to add the entry in the agreement. Unfortunately this did not help,
>> the error is still present:
>> [root at ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5ReplicaBindDN
>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>> replace nsds5ReplicaBindDN:
>> cn=replication manager,cn=config
>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>> ^C
>> [root at ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>> replace nsds5beginreplicarefresh:
>> start
>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> ^C
>> [root at ldap1 ~]#
>>
>>
>> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>
>>
>>
>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>> Hi!
>>>
>>> I am trying to configure a replica manually from FreeIPA DS to 389 DS.
>>> I have two VMs: ldap1.example.com and ldap2.example.com
>>> I used this manual to configure the replica:
>>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
>>>
>>> This was the replica agreement before starting:
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (objectclass=nsds5ReplicationAgreement)
>>> # requesting: ALL
>>> #
>>>
>>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>> objectClass: top
>>> objectClass: nsds5replicationagreement
>>> cn: ExampleAgreement
>>> nsDS5ReplicaHost: ldap2
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaBindDN: cn=replication manager
>>> nsDS5ReplicaBindMethod: SIMPLE
>>> nsDS5ReplicaRoot: dc=example,dc=com
>>> description: agreement between supplier1 and consumer1
>>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQUVJckpINmE0S3RFYlNhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>>> nsds5replicareapactive: 0
>>> nsds5replicaLastUpdateStart: 19700101000000Z
>>> nsds5replicaLastUpdateEnd: 19700101000000Z
>>> nsds5replicaChangesSentSinceStartup:
>>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 19700101000000Z
>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries:
>>>
>>>
>>> These are the errors I get when starting the replica:
>>>
>>>
>>> [root at ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5beginreplicarefresh
>>> nsds5beginreplicarefresh: start
>>> replace nsds5beginreplicarefresh:
>>> start
>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>> modify complete
>>>
>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>> ^C
>> I'm assuming this is just a standalone 389 Directory Server
>> you are trying to replicate to (not a FreeIPA installation).
>> If it is a FreeIPA installation, then you should use the
>> FreeIPA CLI for setting up replication.
>>
>> The error 32 (no such object) you are getting is because the
>> replica does not have an entry "cn=replication manager".
>> Looking at the replication agreement:
>>
>> nsDS5ReplicaBindDN: cn=replication manager
>>
>> This is not a valid DN as there is no base suffix. For
>> example, I would expect to see something like "cn=replication
>> manager,cn=config"
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>
>> Regards,
>> Mark
>>>
>>> Please help me fix this
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
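The two checks this thread turns on, a bind DN that is only a bare RDN (so the consumer answers the replication bind with error 32) and the `nsds5beginreplicarefresh` modify against an agreement whose mapping-tree RDN carries an escaped suffix, can be done mechanically before an agreement is enabled. The Python script below is an added example, not code from the thread or from the 389 DS project: it unfolds an agreement entry from LDIF, flags a bare-RDN `nsDS5ReplicaBindDN` and a SIMPLE bind that is not protected by TLS, builds the refresh LDIF with the suffix escaped the way 389 DS renders it (`cn=dc\3Dexample\2Cdc\3Dcom`), and extracts replication bind failures from errors-log lines for alerting. The LDIF and log lines are constructed from values quoted in the thread; `nsDS5ReplicaTransportInfo` is a real agreement attribute that the thread never shows, and the bare-RDN test is a heuristic.

```python
"""Checks for a 389 DS replication agreement and its errors log.

Added example, not from the mailing-list thread or from 389 DS.  The LDIF
and log lines below are constructed from values quoted in the thread.
"""
import base64
import re

# Constructed: the agreement as the original poster showed it, with the
# bare-RDN bind DN.  An LDIF continuation line starts with one space, so
# "cn=mapping" + "  tree" unfolds to "cn=mapping tree".
AGREEMENT_LDIF = """\
dn: cn=ExampleAgreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping
  tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
"""

# Constructed: the two errors-log lines from the thread, unwrapped.
ERRORS_LOG = """\
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}.

    Unfolds continuation lines and decodes base64 ("::") values, as seen
    on the userPassword attribute in the thread.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold: drop the single fold space
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def escape_rdn_value(value):
    """Hex-escape RFC 4514 special characters the way 389 DS renders them,
    e.g. 'dc=example,dc=com' -> 'dc\\3Dexample\\2Cdc\\3Dcom'."""
    return "".join(f"\\{ord(c):02X}" if c in ',=+<>#;"\\' else c for c in value)


def agreement_dn(agreement_cn, suffix):
    """DN of an agreement under the mapping tree for the given suffix."""
    return (f"cn={agreement_cn},cn=replica,cn={escape_rdn_value(suffix)},"
            f"cn=mapping tree,cn=config")


def refresh_ldif(agreement_cn, suffix):
    """LDIF asking the supplier to (re)initialize the consumer, as in the thread."""
    return (f"dn: {agreement_dn(agreement_cn, suffix)}\n"
            "changetype: modify\n"
            "replace: nsds5beginreplicarefresh\n"
            "nsds5beginreplicarefresh: start\n")


def audit_agreement(entry):
    """Return findings for a parsed agreement entry (heuristic checks)."""
    findings = []
    bind_dn = entry.get("nsds5replicabinddn", [""])[0]
    if len(split_rdns(bind_dn)) < 2:
        findings.append(f"nsDS5ReplicaBindDN '{bind_dn}' is a bare RDN with no parent "
                        "suffix; the consumer has no such entry, so the bind fails with error 32")
    method = entry.get("nsds5replicabindmethod", [""])[0].upper()
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    if method == "SIMPLE" and transport not in ("SSL", "TLS", "STARTTLS"):
        findings.append("SIMPLE bind over plain LDAP sends the replication password "
                        "unencrypted; set nsDS5ReplicaTransportInfo to TLS or SSL")
    return findings


BIND_FAIL = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="cn=(?P<agmt>[^"]+)" '
    r"\((?P<host>[^:]+):(?P<port>\d+)\): Replication bind with (?P<mech>\S+) auth "
    r"failed: LDAP error (?P<code>\d+) \((?P<msg>[^)]*)\)")


def replication_bind_failures(log_text):
    """Extract replication bind failures from errors-log lines for alerting."""
    events = []
    for line in log_text.splitlines():
        m = BIND_FAIL.match(line)
        if m:
            ev = m.groupdict()
            ev["port"], ev["code"] = int(ev["port"]), int(ev["code"])
            events.append(ev)
    return events


if __name__ == "__main__":
    agreement = parse_ldif_entry(AGREEMENT_LDIF)
    for finding in audit_agreement(agreement):
        print("FINDING:", finding)
    print(refresh_ldif(agreement["cn"][0], agreement["nsds5replicaroot"][0]))
    for ev in replication_bind_failures(ERRORS_LOG):
        print(f"{ev['ts']} agmt={ev['agmt']} {ev['host']}:{ev['port']} "
              f"bind failed: {ev['code']} {ev['msg']}")
```

Run against a real agreement by piping `ldapsearch -LLL -b cn=config '(objectclass=nsds5replicationagreement)'` output into `parse_ldif_entry`; the audit is meant to run on the supplier before the agreement is enabled, and the log parser on the supplier's errors log, where a repeated `Replication bind ... failed` line for one agreement is the signal that the consumer-side bind entry is wrong.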