<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/31/2014 12:16 PM, Todd Maugh
      wrote:<br>
    </div>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226A3C6@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">RE:<br>
        <br>
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <div>I am not sure I was clear. It seems that you provided the
            LDAP trace for the ldapsearch commands you executed above. I
            was talking about the DS level logs for the replica
            management agreement establishment and the follow up
            replication.<br>
            <br>
            Here is the log, tailed while I deleted the replication
            agreement, restarted the dirsrv and tried to set up the
            replication agreement:<br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Note that 389 does not use /etc/openldap/cacerts - it uses
    /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:<br>
    <br>
    <pre wrap="">LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ \
  -H <a class="moz-txt-link-freetext" href="ldap://qatestdc2.boingoqa.local">ldap://qatestdc2.boingoqa.local</a> \
  -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" \
  -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W</pre>
    <br>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226A3C6@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <div>
            <br>
            <br>
            <br>
            [31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin -
            agmt_delete: begin<br>
            [31/Jan/2014:19:14:09 +0000] - slapd shutting down -
            signaling operation threads<br>
            [31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting
            for 30 threads to terminate<br>
            [31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing
            down internal subsystems and plugins<br>
            [31/Jan/2014:19:14:09 +0000] - Waiting for 4 database
            threads to stop<br>
            [31/Jan/2014:19:14:09 +0000] - All database threads now
            stopped<br>
            [31/Jan/2014:19:14:09 +0000] - slapd stopped.<br>
            [31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15
            B2013.337.1530 starting up<br>
            [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning:
            no entries set up under cn=computers,
            cn=compat,dc=boingo,dc=com<br>
            [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning:
            no entries set up under cn=ng, cn=compat,dc=boingo,dc=com<br>
            [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning:
            no entries set up under ou=sudoers,dc=boingo,dc=com<br>
            [31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition
            cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS
            Templates found, which should be added before the CoS
            Definition.<br>
            [31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get
            initial credentials for principal
            [<a class="moz-txt-link-abbreviated" href="mailto:ldap/se-idm-01.boingo.com@BOINGO.COM">ldap/se-idm-01.boingo.com@BOINGO.COM</a>] in keytab
            [<a class="moz-txt-link-freetext" href="FILE:/etc/dirsrv/ds.keytab">FILE:/etc/dirsrv/ds.keytab</a>]: -1765328324 (Generic error
            (see e-text))<br>
            [31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition
            cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS
            Templates found, which should be added before the CoS
            Definition.<br>
            [31/Jan/2014:19:14:12 +0000]
            slapd_ldap_sasl_interactive_bind - Error: could not perform
            interactive bind for id [] mech [GSSAPI]: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_495' not
            found)) errno 0 (Success)<br>
            [31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could
            not perform interactive bind for id [] mech [GSSAPI]: error
            -2 (Local error)<br>
            [31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin -
            agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
            Replication bind with GSSAPI auth failed: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_495' not
            found))<br>
            [31/Jan/2014:19:14:12 +0000] - slapd started.  Listening on
            All Interfaces port 389 for LDAP requests<br>
            [31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces
            port 636 for LDAPS requests<br>
            [31/Jan/2014:19:14:12 +0000] - Listening on
            /var/run/slapd-BOINGO-COM.socket for LDAPI requests<br>
            [31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin -
            agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
            Replication bind with GSSAPI auth resumed<br>
            [31/Jan/2014:19:15:18 +0000] - slapd shutting down -
            signaling operation threads<br>
            [31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting
            for 30 threads to terminate<br>
            [31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing
            down internal subsystems and plugins<br>
            [31/Jan/2014:19:15:18 +0000] - Waiting for 4 database
            threads to stop<br>
            [31/Jan/2014:19:15:18 +0000] - All database threads now
            stopped<br>
            [31/Jan/2014:19:15:18 +0000] - slapd stopped.<br>
            [31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15
            B2013.337.1530 starting up<br>
            [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning:
            no entries set up under cn=computers,
            cn=compat,dc=boingo,dc=com<br>
            [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning:
            no entries set up under cn=ng, cn=compat,dc=boingo,dc=com<br>
            [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning:
            no entries set up under ou=sudoers,dc=boingo,dc=com<br>
            [31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition
            cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS
            Templates found, which should be added before the CoS
            Definition.<br>
            [31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get
            initial credentials for principal
            [<a class="moz-txt-link-abbreviated" href="mailto:ldap/se-idm-01.boingo.com@BOINGO.COM">ldap/se-idm-01.boingo.com@BOINGO.COM</a>] in keytab
            [<a class="moz-txt-link-freetext" href="FILE:/etc/dirsrv/ds.keytab">FILE:/etc/dirsrv/ds.keytab</a>]: -1765328324 (Generic error
            (see e-text))<br>
            [31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition
            cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS
            Templates found, which should be added before the CoS
            Definition.<br>
            [31/Jan/2014:19:15:23 +0000]
            slapd_ldap_sasl_interactive_bind - Error: could not perform
            interactive bind for id [] mech [GSSAPI]: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_495' not
            found)) errno 0 (Success)<br>
            [31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could
            not perform interactive bind for id [] mech [GSSAPI]: error
            -2 (Local error)<br>
            [31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin -
            agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
            Replication bind with GSSAPI auth failed: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_495' not
            found))<br>
            [31/Jan/2014:19:15:23 +0000] - slapd started.  Listening on
            All Interfaces port 389 for LDAP requests<br>
            [31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces
            port 636 for LDAPS requests<br>
            [31/Jan/2014:19:15:23 +0000] - Listening on
            /var/run/slapd-BOINGO-COM.socket for LDAPI requests<br>
            [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin -
            agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389):
            Replication bind with SIMPLE auth failed: LDAP error -11
            (Connect error) (TLS error -8179:Peer's Certificate issuer
            is not recognized.)<br>
            [31/Jan/2014:19:15:25 +0000] - Entry
            "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping
            tree,cn=config" -- attribute
            "nsDS5ReplicatedAttributeListTotal" not allowed<br>
            [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin -
            agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
            Replication bind with GSSAPI auth resumed<br>
            [31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            [31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could
            not send startTLS request: error -11 (Connect error) errno 0
            (Success)<br>
            <br>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
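    <p>As an added example (not part of this thread, and not code from 389 DS or FreeIPA), the Python script below triages error-log lines of the kind quoted above: it tags each line by cause (the TLS -8179 "issuer not recognized" failure, the missing Kerberos credentials, the startTLS connect errors, the schema rejection) and tracks the last bind outcome per replication agreement. The sample lines are constructed from the quoted log and embedded inline; the check text attached to each cause is this example's own one-line summary of the advice in the thread, not output of the server.</p>

```python
"""Triage helper for 389 Directory Server error-log lines (added example)."""
import re
from collections import Counter

# Constructed sample: lines abbreviated from the 389 errors log quoted in the
# thread, embedded here so the script runs without a real /var/log/dirsrv file.
SAMPLE_LOG = r"""[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo.com@BOINGO.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:25 +0000] - Entry "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""

# "[timestamp] message"
LINE_RE = re.compile(r"^\[([^\]]+)\] (.*)$")
# agmt="NAME" (HOST:PORT): Replication bind with MECH auth failed|resumed
AGMT_RE = re.compile(
    r'agmt="([^"]+)" \(([^)]+)\): Replication bind with (\w+) auth (failed|resumed)'
)

# Ordered (tag, pattern, check): the first match wins, so the specific TLS
# failure is tagged before the generic "Connect error" text it also carries.
# The check strings are this example's own summary of the thread's advice.
CAUSES = [
    ("tls_issuer_unknown", re.compile(r"TLS error -8179"),
     "peer's CA is not trusted: import it into the NSS db under "
     "/etc/dirsrv/slapd-YOUR-DOMAIN (389 does not read /etc/openldap/cacerts)"),
    ("krb5_creds",
     re.compile(r"Could not get initial credentials|Credentials cache file .* not found"),
     "GSSAPI bind has no ticket: check the ldap/ principal in /etc/dirsrv/ds.keytab"),
    ("starttls_connect_error", re.compile(r"could not send startTLS request"),
     "startTLS handshake never completed: test with ldapsearch -ZZ and the same CA dir"),
    ("schema_attr_not_allowed", re.compile(r'attribute "[^"]+" not allowed'),
     "agreement entry carries an attribute the schema does not allow"),
]


def classify(msg):
    """Return the cause tag for one message, or None if it is informational."""
    for tag, pattern, _ in CAUSES:
        if pattern.search(msg):
            return tag
    return None


def check_for(tag):
    """Return the suggested check for a cause tag."""
    for t, _, check in CAUSES:
        if t == tag:
            return check
    return "no specific check"


def parse_line(line):
    """Split one log line into timestamp, message, cause and agreement fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, msg = m.group(1), m.group(2)
    entry = {"ts": ts, "msg": msg, "cause": classify(msg), "agmt": None}
    a = AGMT_RE.search(msg)
    if a:
        entry["agmt"] = {"agmt": a.group(1), "host": a.group(2),
                         "mech": a.group(3), "outcome": a.group(4)}
    return entry


def triage(log_text):
    """Count causes and record the last bind outcome per replication agreement."""
    counts = Counter()
    agreements = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["cause"]:
            counts[entry["cause"]] += 1
        if entry["agmt"]:
            a = entry["agmt"]
            # A later "resumed" line overwrites an earlier failure for the same agreement.
            agreements[a["agmt"]] = {
                "host": a["host"], "mech": a["mech"], "ts": entry["ts"],
                "last_outcome": a["outcome"],
                "cause": entry["cause"] if a["outcome"] == "failed" else None,
            }
    return {"counts": counts, "agreements": agreements}


def report(log_text):
    """Human-readable summary: one line per agreement, then one check per cause seen."""
    result = triage(log_text)
    out = []
    for name, info in sorted(result["agreements"].items()):
        out.append("%s (%s, %s auth): %s" % (name, info["host"], info["mech"], info["last_outcome"]))
    for tag, n in sorted(result["counts"].items()):
        out.append("%dx %s: %s" % (n, tag, check_for(tag)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    <p>Run it against a real errors log with <code>triage(open(path).read())</code>; on the sample above it reports the qatestdc2 agreement as failed with cause <code>tls_issuer_unknown</code> and the se-idm-02 agreement as resumed, which is the same picture the quoted log gives by eye once the repeated startTLS lines are collapsed.</p>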
  </body>
</html>