[Freeipa-users] Command-line replication is not working in FreeIPA-Master

Andrey Rogovsky a.rogovsky at gmail.com
Thu Sep 1 04:25:44 UTC 2016


Hi, Alexander!

Thanks for the fast reply.
I have a replication manager object:
filter: (objectclass=organizationalPerson)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=organizationalPerson)
# requesting: ALL
#

# replication manager, config
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But the error is present.



2016-09-01 7:14 GMT+03:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi!
>> Thanks for your advices!
>> I'm trying to start the replica and get these errors in the log:
>> [01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>
> You've been told already that you should have the replication manager object
> created at both sides. Your 'cn=replication manager,cn=config' does not
> exist at the replica.
>
> You should read the RHDS Administration Guide, at least the part about the
> supplier bind DN entry, but preferably the whole chapter it is part of:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
>
>
>
>> This is my current replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwAAAAAAAADqnMdXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 118
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> This is my current agreement:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5ReplicationAgreement)
>> # requesting: ALL
>> #
>>
>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replicationagreement
>> cn: ExampleAgreement
>> nsDS5ReplicaHost: ldap2
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5ReplicaBindMethod: SIMPLE
>> nsDS5ReplicaRoot: dc=example,dc=com
>> description: agreement between supplier1 and consumer1
>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>> nsDS5ReplicaCredentials:
>> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkw
>> ek5qRmxNalkxWkFBQ
>> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ
>> U1Dc25vTkVzZVJ4b3
>> N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 19700101000000Z
>> nsds5replicaLastUpdateEnd: 19700101000000Z
>> nsds5replicaChangesSentSinceStartup:
>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 20160901032423Z
>> nsds5replicaLastInitEnd: 19700101000000Z
>> nsds5replicaLastInitStatus: 32  - LDAP error: No such object
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I tried deleting the agreement, replica, user and changelog and creating them again. This
>> did not help, same error:
>>
>> [01/Sep/2016:03:42:37 +0000] NSMMReplicationPlugin - agmt_delete: begin
>> [01/Sep/2016:03:45:35 +0000] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica dc=example,dc=com is no longer valid since the replica config is being deleted.  Removing the changelog.
>> [01/Sep/2016:03:53:18 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [01/Sep/2016:03:53:18 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>
>>
>>
>> 2016-08-31 20:09 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>
>>
>>>
>>> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
>>>
>>> Hi, Mark!
>>>
>>> Thanks for the explanation. Now I have created the replication manager (I hope):
>>> [root at ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>>> Enter LDAP Password:
>>> dn: cn=replication manager,cn=config
>>> objectClass: inetorgperson
>>> objectClass: person
>>> objectClass: top
>>> objectClass: organizationalPerson
>>> cn: replication manager
>>> sn: RM
>>> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ==
>>>
>>> What is next? I am using the manual for version 8, and it is a bit obsolete.
>>>
>>> Now you should be able to initialize your standalone server by updating
>>> the agreement on the ipa DS:
>>>
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5beginreplicarefresh
>>> nsds5beginreplicarefresh: start
>>>
>>> If something goes wrong let us know what's in the errors log again.
>>>
>>> Mark
>>>
>>>
>>>
>>> 2016-08-31 19:30 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>>
>>> Hi Andrey,
>>>>
>>>> It looks like you still did not create the replication manager entry.
>>>> You must create that manager entry on the standalone server.  Please read
>>>> the link I sent you:
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>>
>>>> You can verify its existence by doing this search against the standalone
>>>> server:
>>>>
>>>> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>>>>
>>>> Mark
>>>>
>>>>
>>>> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>>>>
>>>> Hi!
>>>> Thank you for the fast reply.
>>>> Yes, I want to use a standalone 389DS as a replica from FreeIPA.
>>>> Here is my replica:
>>>> filter: (objectclass=nsds5replica)
>>>> requesting: All userApplication attributes
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope subtree
>>>> # filter: (objectclass=nsds5replica)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>> objectClass: top
>>>> objectClass: nsds5replica
>>>> objectClass: extensibleObject
>>>> cn: replica
>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>> nsDS5ReplicaId: 7
>>>> nsDS5ReplicaType: 3
>>>> nsDS5Flags: 1
>>>> nsds5ReplicaPurgeDelay: 604800
>>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>>> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>>>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>>>> nsds5ReplicaChangeCount: 22
>>>> nsds5replicareapactive: 0
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> So, my replica has the entry "cn=replication manager".
>>>>
>>>> But I tried adding the entry in the agreement. Unfortunately this does not help, the error
>>>> is present:
>>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5ReplicaBindDN
>>>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>>>> replace nsds5ReplicaBindDN:
>>>>         cn=replication manager,cn=config
>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>> modify complete
>>>>
>>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>> ^C
>>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5beginreplicarefresh
>>>> nsds5beginreplicarefresh: start
>>>> replace nsds5beginreplicarefresh:
>>>>         start
>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>> modify complete
>>>>
>>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> ^C
>>>> [root at ldap1 ~]#
>>>>
>>>>
>>>> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <mareynol at redhat.com>:
>>>>
>>>>
>>>>>
>>>>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> I am trying to configure a manual replica from FreeIPA DS to 389 DS.
>>>>> I have two VMs: ldap1.example.com and ldap2.example.com
>>>>> I used this manual https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html to configure the replica
>>>>>
>>>>> This was the replica agreement before starting:
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <cn=config> with scope subtree
>>>>> # filter: (objectclass=nsds5ReplicationAgreement)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>>>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>>> objectClass: top
>>>>> objectClass: nsds5replicationagreement
>>>>> cn: ExampleAgreement
>>>>> nsDS5ReplicaHost: ldap2
>>>>> nsDS5ReplicaPort: 389
>>>>> nsDS5ReplicaBindDN: cn=replication manager
>>>>> nsDS5ReplicaBindMethod: SIMPLE
>>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>>> description: agreement between supplier1 and consumer1
>>>>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>>>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>>>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ
>>>>> m1NRVVHQ1NxR1NJYjNEUUVG
>>>>>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk
>>>>> wek5qRmxNalkxWkFBQ
>>>>>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC
>>>>> QUVJckpINmE0S3RFYl
>>>>>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>>>>> nsds5replicareapactive: 0
>>>>> nsds5replicaLastUpdateStart: 19700101000000Z
>>>>> nsds5replicaLastUpdateEnd: 19700101000000Z
>>>>> nsds5replicaChangesSentSinceStartup:
>>>>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>>>>> nsds5replicaUpdateInProgress: FALSE
>>>>> nsds5replicaLastInitStart: 19700101000000Z
>>>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries:
>>>>>
>>>>>
>>>>> These are the errors I get when starting the replica:
>>>>>
>>>>>
>>>>> [root at ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>>> changetype: modify
>>>>> replace: nsds5beginreplicarefresh
>>>>> nsds5beginreplicarefresh: start
>>>>> replace nsds5beginreplicarefresh:
>>>>>         start
>>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>>> modify complete
>>>>>
>>>>> [root at ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>>> ^C
>>>>>
>>>>> I'm assuming this is just a standalone 389 Directory Server you are
>>>>> trying to replicate to (not a freeIPA installation).  If it is a freeipa
>>>>> installation, then you should use the freeipa CLI for setting up
>>>>> replication.
>>>>>
>>>>> The error 32 (no such object) you are getting is because the replica
>>>>> does not have an entry "cn=replication manager".  Looking at the
>>>>> replication agreement:
>>>>>
>>>>> nsDS5ReplicaBindDN: cn=replication manager
>>>>>
>>>>> This is not a valid DN as there is no base suffix.  For example, I would
>>>>> expect to see something like "cn=replication manager,cn=config"
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>>>
>>>>> Regards,
>>>>> Mark
>>>>>
>>>>>
>>>>> Please help me fix this
>>>>>
> --
> / Alexander Bokovoy
>