[Freeipa-users] Command-line replication is not works in FreeIPA-Master

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 1 04:14:56 UTC 2016


On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>Hi!
>Thanks for your advice!
>I'm trying to start the replica and get these errors in the log:
>[01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>[01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
You've been told already that you should have the replication manager object
created on both sides. Your 'cn=replication manager,cn=config' does not
exist at the replica.

You should read the RHDS Administration Guide, at least the part about the
supplier bind DN entry, but preferably the whole chapter it is part of:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html


>
>This is my current replica:
>filter: (objectclass=nsds5replica)
>requesting: All userApplication attributes
># extended LDIF
>#
># LDAPv3
># base <cn=config> with scope subtree
># filter: (objectclass=nsds5replica)
># requesting: ALL
>#
>
># replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>objectClass: top
>objectClass: nsds5replica
>objectClass: extensibleObject
>cn: replica
>nsDS5ReplicaRoot: dc=example,dc=com
>nsDS5ReplicaId: 7
>nsDS5ReplicaType: 3
>nsDS5Flags: 1
>nsds5ReplicaPurgeDelay: 604800
>nsDS5ReplicaBindDN: cn=replication manager,cn=config
>nsState:: BwAAAAAAAADqnMdXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>nsds5ReplicaChangeCount: 118
>nsds5replicareapactive: 0
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>
>This is my current agreement:
>
># extended LDIF
>#
># LDAPv3
># base <cn=config> with scope subtree
># filter: (objectclass=nsds5ReplicationAgreement)
># requesting: ALL
>#
>
># ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>objectClass: top
>objectClass: nsds5replicationagreement
>cn: ExampleAgreement
>nsDS5ReplicaHost: ldap2
>nsDS5ReplicaPort: 389
>nsDS5ReplicaBindDN: cn=replication manager,cn=config
>nsDS5ReplicaBindMethod: SIMPLE
>nsDS5ReplicaRoot: dc=example,dc=com
>description: agreement between supplier1 and consumer1
>nsDS5ReplicaUpdateSchedule: 0000-0500 1
>nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>nsDS5ReplicaCredentials:
>{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQU1Dc25vTkVzZVJ4b3
> N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
>nsds5replicareapactive: 0
>nsds5replicaLastUpdateStart: 19700101000000Z
>nsds5replicaLastUpdateEnd: 19700101000000Z
>nsds5replicaChangesSentSinceStartup:
>nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>nsds5replicaUpdateInProgress: FALSE
>nsds5replicaLastInitStart: 20160901032423Z
>nsds5replicaLastInitEnd: 19700101000000Z
>nsds5replicaLastInitStatus: 32  - LDAP error: No such object
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>
>I tried deleting the agreement, replica, user and changelog and creating them
>again. This does not help, same error:
>
>[01/Sep/2016:03:42:37 +0000] NSMMReplicationPlugin - agmt_delete: begin
>[01/Sep/2016:03:45:35 +0000] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica dc=example,dc=com is no longer valid since the replica config is being deleted.  Removing the changelog.
>[01/Sep/2016:03:53:18 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>[01/Sep/2016:03:53:18 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>
>
>
>2016-08-31 20:09 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>
>>
>>
>> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
>>
>> Hi, Mark!
>>
>> Thanks for explaining. Now I have created the replication manager (I hope):
>> [root at ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D
>> "cn=directory manager" -W -b cn=config "cn=replication manager"
>> Enter LDAP Password:
>> dn: cn=replication manager,cn=config
>> objectClass: inetorgperson
>> objectClass: person
>> objectClass: top
>> objectClass: organizationalPerson
>> cn: replication manager
>> sn: RM
>> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ==
>>
>> What is next? I use the manual for version 8 and it is a bit obsolete.
>>
>> Now you should be able to initialize your standalone server by updating
>> the agreement on the ipa DS:
>>
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>>
>> If something goes wrong let us know what's in the errors log again.
>>
>> Mark
>>
>>
>>
>> 2016-08-31 19:30 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>
>>> Hi Andrey,
>>>
>>> It looks like you still did not create the replication manager entry.
>>> You must create that manager entry on the standalone server.  Please read
>>> the link I sent you:
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>
>>> You can verify its existence by doing this search against the standalone
>>> server:
>>>
>>> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager"
>>> -W -b cn=config "cn=replication manager"
>>>
>>> Mark
>>>
>>>
>>> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>>>
>>> Hi!
>>> Thank you for the fast reply.
>>> Yes, I want to use a standalone 389DS to replicate from FreeIPA.
>>> This is my replica:
>>> filter: (objectclass=nsds5replica)
>>> requesting: All userApplication attributes
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (objectclass=nsds5replica)
>>> # requesting: ALL
>>> #
>>>
>>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>> objectClass: top
>>> objectClass: nsds5replica
>>> objectClass: extensibleObject
>>> cn: replica
>>> nsDS5ReplicaRoot: dc=example,dc=com
>>> nsDS5ReplicaId: 7
>>> nsDS5ReplicaType: 3
>>> nsDS5Flags: 1
>>> nsds5ReplicaPurgeDelay: 604800
>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>>> nsds5ReplicaChangeCount: 22
>>> nsds5replicareapactive: 0
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> So, my replica has the entry "cn=replication manager"
>>>
>>> But I tried adding the entry in the agreement. Unfortunately this does not help, the error
>>> is still present:
>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
>>> "cn=directory manager" -w ...
>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5ReplicaBindDN
>>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>>> replace nsds5ReplicaBindDN:
>>>         cn=replication manager,cn=config
>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>> modify complete
>>>
>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>> ^C
>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
>>> "cn=directory manager" -w ...
>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5beginreplicarefresh
>>> nsds5beginreplicarefresh: start
>>> replace nsds5beginreplicarefresh:
>>>         start
>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>> modify complete
>>>
>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>> ^C
>>> [root at ldap1 ~]#
>>>
>>>
>>> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>>
>>>>
>>>>
>>>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>>>
>>>> Hi!
>>>>
>>>> I am trying to configure a manual replica from the FreeIPA DS to 389 DS.
>>>> I have two VMs: ldap1.example.com and ldap2.example.com
>>>> I used this manual https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html to configure the replica
>>>>
>>>> This was the replication agreement before starting:
>>>>
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope subtree
>>>> # filter: (objectclass=nsds5ReplicationAgreement)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree,
>>>> config
>>>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>> objectClass: top
>>>> objectClass: nsds5replicationagreement
>>>> cn: ExampleAgreement
>>>> nsDS5ReplicaHost: ldap2
>>>> nsDS5ReplicaPort: 389
>>>> nsDS5ReplicaBindDN: cn=replication manager
>>>> nsDS5ReplicaBindMethod: SIMPLE
>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>> description: agreement between supplier1 and consumer1
>>>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ
>>>> m1NRVVHQ1NxR1NJYjNEUUVG
>>>>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk
>>>> wek5qRmxNalkxWkFBQ
>>>>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC
>>>> QUVJckpINmE0S3RFYl
>>>>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>>>> nsds5replicareapactive: 0
>>>> nsds5replicaLastUpdateStart: 19700101000000Z
>>>> nsds5replicaLastUpdateEnd: 19700101000000Z
>>>> nsds5replicaChangesSentSinceStartup:
>>>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>>>> nsds5replicaUpdateInProgress: FALSE
>>>> nsds5replicaLastInitStart: 19700101000000Z
>>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries:
>>>>
>>>>
>>>> These are the errors I get when starting the replica:
>>>>
>>>>
>>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
>>>> "cn=directory manager" -w ...
>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5beginreplicarefresh
>>>> nsds5beginreplicarefresh: start
>>>> replace nsds5beginreplicarefresh:
>>>>         start
>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>> modify complete
>>>>
>>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>> ^C
>>>>
>>>> I'm assuming this is just a standalone 389 Directory Server you are
>>>> trying to replicate to (not a freeIPA installation).  If it is a freeipa
>>>> installation, then you should use the freeipa CLI for setting up
>>>> replication.
>>>>
>>>> The error 32 (no such object) you are getting is because the replica
>>>> does not have an entry "cn=replication manager".  Looking at the
>>>> replication agreement:
>>>>
>>>> nsDS5ReplicaBindDN: cn=replication manager
>>>>
>>>> This is not a valid DN as there is no base suffix:  For example, I would
>>>> expect to see something like "cn=replication manager,cn=config"
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>>
>>>> Regards,
>>>> Mark
>>>>
>>>>
>>>> Please help me fix this



-- 
/ Alexander Bokovoy
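The thread's failure mode (an agreement whose nsDS5ReplicaBindDN is a bare RDN, or a DN that does not exist on the consumer, surfacing as "error 32 (No such object)") can be caught before nsds5beginreplicarefresh is issued. The following stdlib-only Python checker is an added example, not code from the thread or from 389 DS / FreeIPA: it unfolds an agreement's LDIF, flags a bind DN with no base suffix or one absent from a caller-supplied list of consumer DNs (assumed to come from an ldapsearch against the consumer), and extracts failed binds from errors-log lines. The LDIF and log samples are constructed to mirror the thread.

```python
import re

# Constructed samples: an agreement LDIF with a folded continuation line (leading space)
# and two errors-log lines of the kind shown in the thread.
AGREEMENT_LDIF = r"""dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
 cn=config
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {AES-CONSTRUCTED}placeholder==
"""
ERRORS_LOG = """[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folds long values onto lines starting with a space
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": "))  # '::' base64 left undecoded
    return entry

def check_agreement(entry, consumer_dns):
    """Return findings about the agreement's bind DN; an empty list means it looks usable.
    consumer_dns: DNs present on the consumer (e.g. collected with ldapsearch on that server)."""
    findings = []
    bind_dn = entry.get("nsds5replicabinddn", [""])[0]
    # "cn=replication manager" is a single RDN with no base suffix; a usable DN needs one.
    if len(re.split(r"(?<!\\),", bind_dn)) < 2:
        findings.append(f"bind DN {bind_dn!r} has no base suffix (expected e.g. ...,cn=config)")
    if bind_dn.lower() not in {d.lower() for d in consumer_dns}:
        findings.append(f"bind DN {bind_dn!r} does not exist on the consumer (bind fails with error 32)")
    if entry.get("nsds5replicabindmethod", [""])[0].upper() == "SIMPLE" and "nsds5replicacredentials" not in entry:
        findings.append("SIMPLE bind method set but nsDS5ReplicaCredentials is missing")
    return findings

BIND_FAIL = re.compile(r"could not bind id \[(?P<dn>[^\]]*)\].*?error (?P<code>\d+) \((?P<msg>[^)]*)\)")
def failed_binds(log_text):
    """Extract (bind DN, LDAP result code, message) from slapi_ldap_bind failures in the errors log."""
    return [(m["dn"], int(m["code"]), m["msg"]) for m in BIND_FAIL.finditer(log_text)]
```

Log lines pasted into mail are often wrapped mid-message; feed failed_binds the original file so each record stays on one line.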