[Freeipa-users] Command-line replication is not works in FreeIPA-Master

Andrey Rogovsky a.rogovsky at gmail.com
Thu Sep 1 07:13:49 UTC 2016


Hi, Alexander!

Thank you very much for the help. Now I am able to start the replica, but I have one
issue - schemas are not replicated:

[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ldap2, port 389. Continuing with total update
session.
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Beginning total update
of replica "agmt="cn=ExampleAgreement" (ldap2:389)".
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Need to create
replication keep alive entry <cn=repl keep alive 7,dc=example,dc=com>
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - add dn: cn=repl keep
alive 7,dc=example,dc=com
objectclass: top
objectclass: ldapsubentry
objectclass: extensibleObject
cn: repl keep alive 7
[01/Sep/2016:07:04:58 +0000] NSMMReplicationPlugin - Finished total update
of replica "agmt="cn=ExampleAgreement" (ldap2:389)". Sent 415 entries.

Can you help me with the schemas?


2016-09-01 10:01 GMT+03:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi, Alexander!
>>
>> I have ldap1 - FreeIPA (master) and ldap2 - 389DS (slave)
>> I want a one-way replica from ldap1 to ldap2
>> On ldap1 I defined the replication user DN, replica and agreement
>> On ldap2 I defined the replica only:
>>
> This is what you are doing wrong. Your ldap1 server will attempt to
> connect to ldap2 server using the replication user credentials. It is
> ldap2 which will be authenticating this request. Where would it take
> information about the replication user?
>
>
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaType: 2
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5Flags: 0
>> nsDS5ReplicaId: 65535
>> nsState:: //8AAAAAAABY2sZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 06154b02-6f7e11e6-b236be05-3db8a3e8
>> nsds5ReplicaChangeCount: 0
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Do I need to define the replication user DN on ldap2?
>>
>>
>> 2016-09-01 8:57 GMT+03:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>
>>> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>>>
>>>> Hi, Alexander!
>>>>
>>>> Thanks for the fast reply.
>>>> I have replication manager object:
>>>> filter: (objectclass=organizationalPerson)
>>>> requesting: All userApplication attributes
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope subtree
>>>> # filter: (objectclass=organizationalPerson)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # replication manager, config
>>>> dn: cn=replication manager,cn=config
>>>> objectClass: inetorgperson
>>>> objectClass: person
>>>> objectClass: top
>>>> objectClass: organizationalPerson
>>>> cn: replication manager
>>>> sn: RM
>>>> userPassword::
>>>> e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
>>>> =
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> But the error is present.
>>>>
>>> You have two LDAP servers. If you have replication going in both
>>> directions, you need to have the replication bind entry defined on both
>>> servers.
>>>
>>> If you have replication going in one direction, then the target server
>>> should have this replication bind entry defined.
>>>
>>> Where do you have this entry?
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>
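
The check Alexander describes (the consumer must hold the replication bind entry it is asked to authenticate), as an added example that is not part of the original thread or of 389 DS/FreeIPA: it parses `ldapsearch` LDIF taken from the consumer and reports every `nsDS5ReplicaBindDN` that has no password-bearing entry. The function names, the simplified DN comparison and the sample LDIF are assumptions constructed here, and the bind entry is assumed to lie within the LDIF supplied.

```python
import base64

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr_lower: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:                 # drops the "search:/result:" trailer
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    # Simplified comparison: case-insensitive, spaces around "," and "=" ignored.
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in dn.lower().split(","))

def missing_bind_entries(consumer_ldif):
    """Replica bind DNs with no password-bearing entry in the consumer's LDIF."""
    entries = parse_ldif(consumer_ldif)
    can_bind = {norm_dn(e["dn"][0]) for e in entries if e.get("userpassword")}
    return [dn for e in entries
            if "nsds5replica" in (v.lower() for v in e.get("objectclass", []))
            for dn in e.get("nsds5replicabinddn", [])
            if norm_dn(dn) not in can_bind]

# Constructed sample data modelled on the entries quoted in the thread.
REPLICA = r"""dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""
MANAGER = """dn: cn=Replication Manager, cn=config
objectClass: person
userPassword:: e1NTSEF9Q09O
 U1RSVUNURUQ=
"""
print(missing_bind_entries(REPLICA), missing_bind_entries(REPLICA + "\n" + MANAGER))
```

Run it against the consumer's `cn=config` dump before initializing the agreement; a non-empty result means the supplier's bind will be rejected.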