<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body ocsi="0" fpstyle="1" bgcolor="#FFFFFF">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">For the second command I do not have an account called directory manager, so I do not have a password.<br>
<br>
ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn<br>
Enter LDAP Password: <br>
ldap_bind: Invalid credentials (49)<br>
<br>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF734250"><font size="2" face="Tahoma" color="#000000"><b>From:</b> freeipa-users-bounces@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Todd Maugh [tmaugh@boingo.com]<br>
<b>Sent:</b> Friday, January 31, 2014 12:55 PM<br>
<b>To:</b> Rich Megginson; dpal@redhat.com<br>
<b>Cc:</b> freeipa-users@redhat.com<br>
<b>Subject:</b> Re: [Freeipa-users] can't create winsync replication<br>
</font><br>
</div>
<div></div>
<div>
<div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"><br>
<br>
[root@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W<br>
Enter LDAP Password: <br>
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: user<br>
cn: IDM ADMIN<br>
givenName: IDMADMIN<br>
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local<br>
instanceType: 4<br>
whenCreated: 20140128182537.0Z<br>
whenChanged: 20140131014315.0Z<br>
displayName: IDMADMIN<br>
uSNCreated: 31968<br>
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local<br>
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local<br>
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local<br>
uSNChanged: 38786<br>
name: IDM ADMIN<br>
objectGUID:: jai63JfDvUuOGcURntA7hg==<br>
userAccountControl: 66048<br>
badPwdCount: 0<br>
codePage: 0<br>
countryCode: 0<br>
badPasswordTime: 0<br>
lastLogoff: 0<br>
lastLogon: 0<br>
pwdLastSet: 130356008006093750<br>
primaryGroupID: 513<br>
objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==<br>
adminCount: 1<br>
accountExpires: 9223372036854775807<br>
logonCount: 0<br>
sAMAccountName: idmadmin<br>
sAMAccountType: 805306368<br>
userPrincipalName: idmadmin@boingoqa.local<br>
lockoutTime: 0<br>
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local<br>
dSCorePropagationData: 20140129224024.0Z<br>
dSCorePropagationData: 16010101000000.0Z<br>
lastLogonTimestamp: 130356060672110578<br>
<br>
<br>
<div style="font-family:Times New Roman; color:#000000; font-size:16px">
<hr tabindex="-1">
<div id="divRpF624858" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Rich Megginson [rmeggins@redhat.com]<br>
<b>Sent:</b> Friday, January 31, 2014 12:39 PM<br>
<b>To:</b> Todd Maugh; dpal@redhat.com<br>
<b>Cc:</b> freeipa-users@redhat.com<br>
<b>Subject:</b> Re: [Freeipa-users] can't create winsync replication<br>
</font><br>
</div>
<div></div>
<div>
<div class="moz-cite-prefix">On 01/31/2014 12:16 PM, Todd Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">RE:<br>
<br>
<div style="font-family:Times New Roman; color:#000000; font-size:16px">
<div>I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow up replication.<br>
<br>
Here is the log, tailed while I deleted the replication agreement, restarted the dirsrv and tried to set up the replication agreement:<br>
</div>
</div>
</div>
</blockquote>
<br>
Note that 389 does not use /etc/openldap/cacerts - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:<br>
<br>
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">
<div style="font-family:Times New Roman; color:#000000; font-size:16px">
<div><br>
<br>
<br>
[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin<br>
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling operation threads<br>
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting for 30 threads to terminate<br>
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing down internal subsystems and plugins<br>
[31/Jan/2014:19:14:09 +0000] - Waiting for 4 database threads to stop<br>
[31/Jan/2014:19:14:09 +0000] - All database threads now stopped<br>
[31/Jan/2014:19:14:09 +0000] - slapd stopped.<br>
[31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up<br>
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com<br>
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.<br>
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo.com@BOINGO.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))<br>
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.<br>
[31/Jan/2014:19:14:12 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)<br>
[31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)<br>
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))<br>
[31/Jan/2014:19:14:12 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests<br>
[31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces port 636 for LDAPS requests<br>
[31/Jan/2014:19:14:12 +0000] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests<br>
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed<br>
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - signaling operation threads<br>
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting for 30 threads to terminate<br>
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing down internal subsystems and plugins<br>
[31/Jan/2014:19:15:18 +0000] - Waiting for 4 database threads to stop<br>
[31/Jan/2014:19:15:18 +0000] - All database threads now stopped<br>
[31/Jan/2014:19:15:18 +0000] - slapd stopped.<br>
[31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up<br>
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com<br>
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.<br>
[31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo.com@BOINGO.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))<br>
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.<br>
[31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)<br>
[31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)<br>
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))<br>
[31/Jan/2014:19:15:23 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests<br>
[31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces port 636 for LDAPS requests<br>
[31/Jan/2014:19:15:23 +0000] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests<br>
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)<br>
[31/Jan/2014:19:15:25 +0000] - Entry "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed<br>
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed<br>
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)<br>
<br>
</div>
</div>
</div>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
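<p>As an added example, not part of the thread or of FreeIPA/389-ds itself: a small Python triage script for the 389-ds errors log quoted above. It extracts the NSMMReplicationPlugin "Replication bind with ... auth failed/resumed" lines, keeps the last status per agreement so that the GSSAPI failures at startup, later marked "resumed", are recognized as transient while the winsync agreement's TLS failure stays flagged, and attaches a root-cause hint for the two signatures in this thread. The sample log lines are constructed from the thread's output and the hint texts are my own.</p>

```python
import re

# Constructed sample, in the 389-ds errors-log format quoted in the thread.
SAMPLE_LOG = """\
[31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""

# Matches the NSMMReplicationPlugin "Replication bind with <mech> auth failed/resumed" lines.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\): Replication bind with (?P<mech>\S+) auth (?P<outcome>failed|resumed)'
    r'(?:: LDAP error (?P<code>-?\d+) \((?P<desc>[^)]*)\) \((?P<detail>.*)\))?$'
)

def classify(mech, detail):
    """Root-cause hint for the two failure signatures that appear in the thread."""
    if detail is None:
        return ""
    if "TLS error -8179" in detail:  # NSS SEC_ERROR_UNKNOWN_ISSUER
        return ("peer certificate issuer not trusted: the remote CA must be in the 389 NSS "
                "cert DB under /etc/dirsrv/slapd-<INSTANCE>, not in /etc/openldap/cacerts")
    if mech == "GSSAPI" and "Credentials cache file" in detail:
        return ("no Kerberos credential cache for the server principal yet: transient at "
                "startup, a real problem only if set_krb5_creds keeps failing on the keytab")
    return "unclassified bind failure"

def parse_bind_events(text):
    """Return one dict per replication-bind status line, in log order."""
    events = []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["code"] = int(ev["code"]) if ev["code"] is not None else None
        ev["hint"] = classify(ev["mech"], ev["detail"])
        events.append(ev)
    return events

def latest_state(events):
    """Last known bind status per agreement: a failure later followed by 'resumed' was transient."""
    state = {}
    for ev in events:
        state[ev["agmt"]] = ev
    return state
```

<p>Running <code>latest_state(parse_bind_events(SAMPLE_LOG))</code> leaves the se-idm-02 agreement at "resumed" and the qatestdc2 winsync agreement at "failed" with the untrusted-issuer hint; point it at a real errors log by reading the file into <code>text</code>.</p>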
</body>
</html>