[Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

Ludwig Krispenz lkrispen at redhat.com
Fri Feb 12 14:22:07 UTC 2016


On 02/12/2016 03:06 PM, Filip Pytloun wrote:
> Hello,
>
> even when enabling replication logging, I get nothing useful in logs:
>
> [12/Feb/2016:14:57:00 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Trying secure startTLS slapi_ldap_init_ext
> [12/Feb/2016:14:57:00 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): binddn = cn=replication manager,cn=config,  passwd = {AES-some_encrypted_password
> [12/Feb/2016:14:57:01 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [12/Feb/2016:14:57:01 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) ((unknown error code))
> [12/Feb/2016:14:57:01 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Disconnected from the consumer
What is in the access and error logs of idm02 for this time?
>
> But I can bind just fine manually:
>
> ldapsearch -D "cn=replication manager,cn=config" -w some_password -b cn=config -h idm02 -ZZ
>
> I am starting to be clueless; does nobody have an idea what could be wrong?
>
> - DNS including PTR records are set up fine
> - /etc/hosts is set up fine
> - conncheck passes fine between nodes
> - I can bind manually just fine
>
> On 2016/02/08 18:05, Filip Pytloun wrote:
>> Hello,
>>
>> I have a weird issue setting up a FreeIPA replica. Conncheck passes fine
>> but at the end of ipa-replica-install I always get the following error:
>>
>> slapi_ldap_bind -Error: could not send startTLS request: error -11
>> (Connect error) errno 0 (Success)
>>
>> on both master and replica without any further explanation in logs.
>>
>> /etc/ldap.conf is correctly set up before ipa-replica-install and the IPA CA
>> certificate is installed in the system CA bundle, so TLS should work just
>> fine.
>>
>> Also I can manually connect just fine from replica to master and back so
>> it's not a network or LDAP client issue.
>>
>> Replica agreement looks like this: http://pastebin.com/FT3p3KUk
>>
>> freeipa-server 4.1.4
>> 389-ds 1.3.4.5
>>
>> Has anyone an idea where to look?
>>
>> Filip
>
>
>

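As an added example, not part of the thread: a small Python parser over 389-ds errors-log lines in the format quoted above. It groups messages per replication agreement and separates negative result codes, which come from the LDAP client library and mean the consumer never answered (here -11, Connect error, raised before the bind), from non-negative codes returned by the consumer itself. The sample lines are constructed to mirror the quoted log; the message wording is assumed to match what the page shows.

```python
import re

# Constructed sample, mirroring the 389-ds errors-log lines quoted in the thread.
SAMPLE_LOG = """\
[12/Feb/2016:14:57:00 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Trying secure startTLS slapi_ldap_init_ext
[12/Feb/2016:14:57:01 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[12/Feb/2016:14:57:01 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) ((unknown error code))
[12/Feb/2016:14:57:01 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Disconnected from the consumer
"""

# Agreement-tagged line: timestamp, agreement DN, consumer host:port, free-text message.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$'
)
# slapi_ldap_bind error line: carries no agreement name, so it is attached to the next agmt line.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] slapi_ldap_bind - Error: (?P<msg>.+?): error (?P<code>-?\d+) \((?P<text>[^)]+)\)'
)
CODE_RE = re.compile(r'LDAP error (?P<code>-?\d+) \((?P<text>[^)]+)\)')


def classify(code):
    """Negative codes are OpenLDAP client-library results (no reply from the consumer,
    e.g. -11 LDAP_CONNECT_ERROR, -1 LDAP_SERVER_DOWN), so the failure is in the
    connection or StartTLS step. Non-negative codes (e.g. 49 invalid credentials)
    were returned by the consumer, so the connection itself worked."""
    return "transport" if code < 0 else "server"


def summarize(log_text):
    """Return {agreement: {consumer, tls, errors: [{code, text, phase, detail}]}}."""
    out, pending = {}, None
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending = (int(m["code"]), m["msg"])
            continue
        m = AGMT_RE.match(line)
        if not m:
            continue
        rec = out.setdefault(m["agmt"], {"consumer": f"{m['host']}:{m['port']}", "tls": None, "errors": []})
        if m["msg"].startswith("Trying secure startTLS"):
            rec["tls"] = "startTLS"
        c = CODE_RE.search(m["msg"])
        if c and "bind" in m["msg"] and "failed" in m["msg"]:
            code = int(c["code"])
            detail = pending[1] if pending and pending[0] == code else None
            rec["errors"].append({"code": code, "text": c["text"], "phase": classify(code), "detail": detail})
            pending = None
    return out
```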