[Freeipa-users] Command-line replication does not work in FreeIPA-Master

Andrey Rogovsky a.rogovsky at gmail.com
Thu Sep 1 03:55:50 UTC 2016


Hi!
Thanks for your advice!
I'm trying to start the replica and get these errors in the log:
[01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
[01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()

This is my current replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5replica)
# requesting: ALL
#

# replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 7
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: BwAAAAAAAADqnMdXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
nsds5ReplicaChangeCount: 118
nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This is my current agreement:

# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5ReplicationAgreement)
# requesting: ALL
#

# ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,
 cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsDS5ReplicaUpdateSchedule: 0000-0500 1
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
authorityRevocationLis
 t
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQU1Dc25vTkVzZVJ4b3
 N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 No replication sessions started since
server s
 tartup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160901032423Z
nsds5replicaLastInitEnd: 19700101000000Z
nsds5replicaLastInitStatus: 32  - LDAP error: No such object

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I tried to delete the agreement, replica, user and changelog and create them
again. This did not help, same error:

[01/Sep/2016:03:42:37 +0000] NSMMReplicationPlugin - agmt_delete: begin
[01/Sep/2016:03:45:35 +0000] NSMMReplicationPlugin - replica_config_delete:
Warning: The changelog for replica dc=example,dc=com is no longer valid
since the replica config is being deleted.  Removing the changelog.
[01/Sep/2016:03:53:18 +0000] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
[01/Sep/2016:03:53:18 +0000] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()



2016-08-31 20:09 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:

>
>
> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
>
> Hi, Mark!
>
> Thanks for the explanation. Now I have created the replication manager (I hope):
> [root at ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D
> "cn=directory manager" -W -b cn=config "cn=replication manager"
> Enter LDAP Password:
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSU
> dCNWJtV3RzOElNQXBhakhXam94WlE9PQ=
>  =
>
> What is next? I am using the manual from version 8 and it is a bit obsolete.
>
> Now you should be able to initialize your standalone server by updating
> the agreement on the ipa DS:
>
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
>
> If something goes wrong let us know what's in the errors log again.
>
> Mark
>
>
>
> 2016-08-31 19:30 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>
>> Hi Andrey,
>>
>> It looks like you still did not create the replication manager entry.
>> You must create that manager entry on the standalone server.  Please read
>> the link I sent you:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>
>> You can verify its existence by doing this search against the standalone
>> server:
>>
>> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager"
>> -W -b cn=config "cn=replication manager"
>>
>> Mark
>>
>>
>> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>>
>> Hi!
>> Thank you for fast reply.
>> Yes, I want to use a standalone 389DS to replicate from FreeIPA.
>> Here is my replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 22
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> So, my replica has an entry "cn=replication manager"
>>
>> But I tried adding the entry in the agreement. Unfortunately this did not
>> help, the error is present:
>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
>> "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds5ReplicaBindDN
>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>> replace nsds5ReplicaBindDN:
>>         cn=replication manager,cn=config
>> modifying entry "cn=ExampleAgreement,cn=replic
>> a,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin
>> tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket
>> for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
>> set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>> set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>> set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
>> initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
>> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
>> such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
>> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
>> failed: LDAP error 32 (No such object) ()
>> ^C
>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
>> "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>> replace nsds5beginreplicarefresh:
>>         start
>> modifying entry "cn=ExampleAgreement,cn=replic
>> a,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket
>> for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
>> set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>> set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>> set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
>> initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
>> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
>> such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
>> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
>> failed: LDAP error 32 (No such object) ()
>> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id
>> [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
>> 32 (No such object) errno 0 (Success)
>> ^C
>> [root at ldap1 ~]#
>>
>>
>> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>
>>>
>>>
>>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>>
>>> Hi!
>>>
>>> I am trying to configure manual replication from FreeIPA DS to 389 DS.
>>> I have two VMs: ldap1.example.com and ldap2.example.com
>>> I used this manual
>>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
>>> to configure the replica
>>>
>>> This was the replica agreement before starting:
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (objectclass=nsds5ReplicationAgreement)
>>> # requesting: ALL
>>> #
>>>
>>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree,
>>> config
>>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
>>> tree,
>>>  cn=config
>>> objectClass: top
>>> objectClass: nsds5replicationagreement
>>> cn: ExampleAgreement
>>> nsDS5ReplicaHost: ldap2
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaBindDN: cn=replication manager
>>> nsDS5ReplicaBindMethod: SIMPLE
>>> nsDS5ReplicaRoot: dc=example,dc=com
>>> description: agreement between supplier1 and consumer1
>>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
>>> authorityRevocationLis
>>>  t
>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ
>>> m1NRVVHQ1NxR1NJYjNEUUVG
>>>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk
>>> wek5qRmxNalkxWkFBQ
>>>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC
>>> QUVJckpINmE0S3RFYl
>>>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>>> nsds5replicareapactive: 0
>>> nsds5replicaLastUpdateStart: 19700101000000Z
>>> nsds5replicaLastUpdateEnd: 19700101000000Z
>>> nsds5replicaChangesSentSinceStartup:
>>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since
>>> server s
>>>  tartup
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 19700101000000Z
>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries:
>>>
>>>
>>> These are the errors which I get when I start the replica:
>>>
>>>
>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
>>> "cn=directory manager" -w ...
>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>>> tree,cn=config
>>> changetype: modify
>>> replace: nsds5beginreplicarefresh
>>> nsds5beginreplicarefresh: start
>>> replace nsds5beginreplicarefresh:
>>>         start
>>> modifying entry "cn=ExampleAgreement,cn=replic
>>> a,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>> modify complete
>>>
>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin
>>> tree scan will start in about 5 seconds!
>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
>>> LDAPS requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on
>>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
>>> set up under ou=sudoers,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>>> set up under cn=ng, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
>>> set up under cn=computers, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
>>> initialization.
>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
>>> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
>>> such object) errno 0 (Success)
>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
>>> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
>>> failed: LDAP error 32 (No such object) ()
>>> ^C
>>>
>>> I'm assuming this is just a standalone 389 Directory Server you are
>>> trying to replicate to (not a freeIPA installation).  If it is a freeipa
>>> installation, then you should use the freeipa CLI for setting up
>>> replication.
>>>
>>> The error 32 (no such object) you are getting is because the replica
>>> does not have an entry "cn=replication manager".  Looking at the
>>> replication agreement:
>>>
>>> nsDS5ReplicaBindDN: cn=replication manager
>>>
>>> This is not a valid DN as there is no base suffix:  For example, I would
>>> expect to see something like "cn=replication manager,cn=config"
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>
>>> Regards,
>>> Mark
>>>
>>>
>>> Please help me fix this
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
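
Added example, not part of the original thread and not FreeIPA or 389 DS code: an offline check over an agreement entry and errors-log lines like those quoted above. It flags a bind DN with no suffix and a SIMPLE bind sent without TLS, and reports which host and DN each failed replication bind used. The sample input is constructed from the thread's excerpts and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the agreement and errors-log excerpts in this thread.
AGREEMENT_LDIF = """\
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis
 t
"""
ERRORS_LOG = """\
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
"""
BIND_FAIL = re.compile(r"could not bind id \[(?P<dn>[^\]]*)\].*?: error (?P<code>\d+)")
AGMT_FAIL = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): Replication bind')

def parse_ldif_entry(text):
    """Unfold LDIF continuation lines (newline + space); return a lowercase-keyed dict."""
    lines = text.replace("\n ", "").splitlines()
    pairs = (l.partition(":") for l in lines if ":" in l and l[0] != "#")
    return {k.lower(): v.lstrip(": ") for k, _, v in pairs}

def audit_agreement(entry):
    """Findings about the identity and transport the supplier uses towards the consumer."""
    findings, bind_dn = [], entry.get("nsds5replicabinddn", "")
    # A single RDN (no unescaped comma) means the DN carries no suffix such as cn=config.
    if len(re.split(r"(?<!\\),", bind_dn)) < 2:
        findings.append(f"bind DN '{bind_dn}' has no suffix")
    # nsDS5ReplicaTransportInfo defaults to plain LDAP when the attribute is absent.
    transport = entry.get("nsds5replicatransportinfo", "LDAP").upper()
    if entry.get("nsds5replicabindmethod", "").upper() == "SIMPLE" and transport == "LDAP":
        findings.append("SIMPLE bind over plain LDAP: password crosses the wire unencrypted")
    return findings

def failed_binds(log_text):
    """Pair each bind failure with the agreement target logged at the same timestamp."""
    results, pending = [], {}
    for line in log_text.splitlines():
        stamp = line[: line.find("]") + 1]
        if m := BIND_FAIL.search(line):
            pending[stamp] = m.groupdict()
        elif (m := AGMT_FAIL.search(line)) and stamp in pending:
            results.append({**pending.pop(stamp), **m.groupdict()})
    return results

if __name__ == "__main__":
    print(audit_agreement(parse_ldif_entry(AGREEMENT_LDIF)), failed_binds(ERRORS_LOG), sep="\n")
```

The host and port that `failed_binds` reports identify the server that answered the bind, so that is the server on which the bind DN entry has to exist.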