<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/31/2014 02:14 PM, Todd Maugh
      wrote:<br>
    </div>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226A71A@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">I used the IPA directory manager
        password and got no output<br>
        <br>
        [<a class="moz-txt-link-abbreviated" href="mailto:root@se-idm-01.boingo.com">root@se-idm-01.boingo.com</a> cacerts]$ ldapsearch -LLLx -b
        "cn=config" -D  "cn=directory manager" -W
        'objectclass=nsdswindowsreplicationagreement' dn<br>
        Enter LDAP Password: <br>
      </div>
    </blockquote>
    <br>
    Very strange.  Try this:<br>
    ldapsearch -LLLx -b "cn=config" -D  "cn=directory manager" -W
    'objectclass=nsds5replicationagreement'<br>
    <br>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226A71A@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <br>
        <br>
        <br>
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <hr tabindex="-1">
          <div style="direction: ltr;" id="divRpF866879"><font
              color="#000000" face="Tahoma" size="2"><b>From:</b> Todd
              Maugh<br>
              <b>Sent:</b> Friday, January 31, 2014 1:11 PM<br>
              <b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
              <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
              <b>Subject:</b> RE: [Freeipa-users] cant create winsync
              reolication<br>
            </font><br>
          </div>
          <div>
            <div style="direction:ltr; font-family:Tahoma;
              color:#000000; font-size:10pt">For the second command I do
              not have an account called directory manager, so I do not
              have a password<br>
              <br>
              ldapsearch -LLLx -b "cn=config" -D  "cn=directory manager"
              -W 'objectclass=nsdswindowsreplicationagreement' dn<br>
              Enter LDAP Password: <br>
              ldap_bind: Invalid credentials (49)<br>
              <br>
              <br>
              <div style="font-family:Times New Roman; color:#000000;
                font-size:16px">
                <hr tabindex="-1">
                <div id="divRpF734250" style="direction:ltr"><font
                    color="#000000" face="Tahoma" size="2"><b>From:</b>
                    <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
                    [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Todd
                    Maugh [<a class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com">tmaugh@boingo.com</a>]<br>
                    <b>Sent:</b> Friday, January 31, 2014 12:55 PM<br>
                    <b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
                    <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
                    <b>Subject:</b> Re: [Freeipa-users] cant create
                    winsync reolication<br>
                  </font><br>
                </div>
                <div>
                  <div style="direction:ltr; font-family:Tahoma;
                    color:#000000; font-size:10pt"><br>
                    <br>
                    [<a class="moz-txt-link-abbreviated" href="mailto:root@se-idm-01.boingo.com">root@se-idm-01.boingo.com</a> cacerts]$
                    LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/
                    ldapsearch -LLLx -ZZ -H
                    <a class="moz-txt-link-freetext" href="ldap://qatestdc2.boingoqa.local">ldap://qatestdc2.boingoqa.local</a> -b "cn=idm
                    admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm
                    admin,cn=users,dc=boingoqa,dc=local" -W<br>
                    Enter LDAP Password: <br>
                    dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local<br>
                    objectClass: top<br>
                    objectClass: person<br>
                    objectClass: organizationalPerson<br>
                    objectClass: user<br>
                    cn: IDM ADMIN<br>
                    givenName: IDMADMIN<br>
                    distinguishedName: CN=IDM
                    ADMIN,CN=Users,DC=boingoqa,DC=local<br>
                    instanceType: 4<br>
                    whenCreated: 20140128182537.0Z<br>
                    whenChanged: 20140131014315.0Z<br>
                    displayName: IDMADMIN<br>
                    uSNCreated: 31968<br>
                    memberOf: CN=Domain
                    Controllers,CN=Users,DC=boingoqa,DC=local<br>
                    memberOf: CN=Account
                    Operators,CN=Builtin,DC=boingoqa,DC=local<br>
                    memberOf: CN=Enterprise
                    Admins,CN=Users,DC=boingoqa,DC=local<br>
                    uSNChanged: 38786<br>
                    name: IDM ADMIN<br>
                    objectGUID:: jai63JfDvUuOGcURntA7hg==<br>
                    userAccountControl: 66048<br>
                    badPwdCount: 0<br>
                    codePage: 0<br>
                    countryCode: 0<br>
                    badPasswordTime: 0<br>
                    lastLogoff: 0<br>
                    lastLogon: 0<br>
                    pwdLastSet: 130356008006093750<br>
                    primaryGroupID: 513<br>
                    objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==<br>
                    adminCount: 1<br>
                    accountExpires: 9223372036854775807<br>
                    logonCount: 0<br>
                    sAMAccountName: idmadmin<br>
                    sAMAccountType: 805306368<br>
                    userPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:idmadmin@boingoqa.local">idmadmin@boingoqa.local</a><br>
                    lockoutTime: 0<br>
                    objectCategory:
                    CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local<br>
                    dSCorePropagationData: 20140129224024.0Z<br>
                    dSCorePropagationData: 16010101000000.0Z<br>
                    lastLogonTimestamp: 130356060672110578<br>
                    <br>
                    <br>
                    <div style="font-family:Times New Roman;
                      color:#000000; font-size:16px">
                      <hr tabindex="-1">
                      <div id="divRpF624858" style="direction:ltr"><font
                          color="#000000" face="Tahoma" size="2"><b>From:</b>
                          Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>]<br>
                          <b>Sent:</b> Friday, January 31, 2014 12:39 PM<br>
                          <b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
                          <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
                          <b>Subject:</b> Re: [Freeipa-users] cant
                          create winsync reolication<br>
                        </font><br>
                      </div>
                      <div>
                        <div class="moz-cite-prefix">On 01/31/2014 12:16
                          PM, Todd Maugh wrote:<br>
                        </div>
                        <blockquote type="cite">
                          <div style="direction:ltr; font-family:Tahoma;
                            color:#000000; font-size:10pt">RE:<br>
                            <br>
                            <div style="font-family:Times New Roman;
                              color:#000000; font-size:16px">
                              <div>I am not sure I was clear. It seems
                                that you provided the LDAP trace for the
                                ldapsearch commands you executed above.
                                I was talking about the DS level logs
                                for the replica management agreement
                                establishment and the follow up
                                replication.<br>
                                <br>
                                Here is the log, tailed while I deleted
                                the replication agreement, restarted the
                                dirsrv and tried to set up the
                                replication agreement<br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                        <br>
                        Note that 389 does not use /etc/openldap/cacerts
                        - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try
                        this:<br>
                        <br>
                        LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN
                        ldapsearch -LLLx -ZZ -H <a
                          moz-do-not-send="true"
                          class="moz-txt-link-freetext"
                          href="ldap://qatestdc2.boingoqa.local" target="_blank">
                          ldap://qatestdc2.boingoqa.local</a> -b "cn=idm
                        admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm
                        admin,cn=users,dc=boingoqa,dc=local" -W
                        <br>
                        <br>
                        <blockquote type="cite">
                          <div style="direction:ltr; font-family:Tahoma;
                            color:#000000; font-size:10pt">
                            <div style="font-family:Times New Roman;
                              color:#000000; font-size:16px">
                              <div><br>
                                <br>
                                <br>
                                [31/Jan/2014:19:07:37 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:08:12 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:08:13 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:08:25 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:10:01 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:11:51 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:11:54 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:12:00 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:12:12 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:12:36 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:13:12 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:13:13 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:13:24 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:13:57 +0000]
                                NSMMReplicationPlugin - agmt_delete:
                                begin<br>
                                [31/Jan/2014:19:14:09 +0000] - slapd
                                shutting down - signaling operation
                                threads<br>
                                [31/Jan/2014:19:14:09 +0000] - slapd
                                shutting down - waiting for 30 threads
                                to terminate<br>
                                [31/Jan/2014:19:14:09 +0000] - slapd
                                shutting down - closing down internal
                                subsystems and plugins<br>
                                [31/Jan/2014:19:14:09 +0000] - Waiting
                                for 4 database threads to stop<br>
                                [31/Jan/2014:19:14:09 +0000] - All
                                database threads now stopped<br>
                                [31/Jan/2014:19:14:09 +0000] - slapd
                                stopped.<br>
                                [31/Jan/2014:19:14:12 +0000] -
                                389-Directory/1.2.11.15 B2013.337.1530
                                starting up<br>
                                [31/Jan/2014:19:14:12 +0000]
                                schema-compat-plugin - warning: no
                                entries set up under cn=computers,
                                cn=compat,dc=boingo,dc=com<br>
                                [31/Jan/2014:19:14:12 +0000]
                                schema-compat-plugin - warning: no
                                entries set up under cn=ng,
                                cn=compat,dc=boingo,dc=com<br>
                                [31/Jan/2014:19:14:12 +0000]
                                schema-compat-plugin - warning: no
                                entries set up under
                                ou=sudoers,dc=boingo,dc=com<br>
                                [31/Jan/2014:19:14:12 +0000] - Skipping
                                CoS Definition cn=Password
                                Policy,cn=accounts,dc=boingo,dc=com--no
                                CoS Templates found, which should be
                                added before the CoS Definition.<br>
                                [31/Jan/2014:19:14:12 +0000]
                                set_krb5_creds - Could not get initial
                                credentials for principal
                                [ldap/se-idm-01.boingo.com@BOINGO.COM]
                                in keytab [FILE:/etc/dirsrv/ds.keytab]:
                                -1765328324 (Generic error (see e-text))<br>
                                [31/Jan/2014:19:14:12 +0000] - Skipping
                                CoS Definition cn=Password
                                Policy,cn=accounts,dc=boingo,dc=com--no
                                CoS Templates found, which should be
                                added before the CoS Definition.<br>
                                [31/Jan/2014:19:14:12 +0000]
                                slapd_ldap_sasl_interactive_bind -
                                Error: could not perform interactive
                                bind for id [] mech [GSSAPI]: LDAP error
                                -2 (Local error) (SASL(-1): generic
                                failure: GSSAPI Error: Unspecified GSS
                                failure.  Minor code may provide more
                                information (Credentials cache file
                                '/tmp/krb5cc_495' not found)) errno 0
                                (Success)<br>
                                [31/Jan/2014:19:14:12 +0000]
                                slapi_ldap_bind - Error: could not
                                perform interactive bind for id [] mech
                                [GSSAPI]: error -2 (Local error)<br>
                                [31/Jan/2014:19:14:12 +0000]
                                NSMMReplicationPlugin -
                                agmt="cn=meTose-idm-02.boingo.com"
                                (se-idm-02:389): Replication bind with
                                GSSAPI auth failed: LDAP error -2 (Local
                                error) (SASL(-1): generic failure:
                                GSSAPI Error: Unspecified GSS failure. 
                                Minor code may provide more information
                                (Credentials cache file
                                '/tmp/krb5cc_495' not found))<br>
                                [31/Jan/2014:19:14:12 +0000] - slapd
                                started.  Listening on All Interfaces
                                port 389 for LDAP requests<br>
                                [31/Jan/2014:19:14:12 +0000] - Listening
                                on All Interfaces port 636 for LDAPS
                                requests<br>
                                [31/Jan/2014:19:14:12 +0000] - Listening
                                on /var/run/slapd-BOINGO-COM.socket for
                                LDAPI requests<br>
                                [31/Jan/2014:19:14:16 +0000]
                                NSMMReplicationPlugin -
                                agmt="cn=meTose-idm-02.boingo.com"
                                (se-idm-02:389): Replication bind with
                                GSSAPI auth resumed<br>
                                [31/Jan/2014:19:15:18 +0000] - slapd
                                shutting down - signaling operation
                                threads<br>
                                [31/Jan/2014:19:15:18 +0000] - slapd
                                shutting down - waiting for 30 threads
                                to terminate<br>
                                [31/Jan/2014:19:15:18 +0000] - slapd
                                shutting down - closing down internal
                                subsystems and plugins<br>
                                [31/Jan/2014:19:15:18 +0000] - Waiting
                                for 4 database threads to stop<br>
                                [31/Jan/2014:19:15:18 +0000] - All
                                database threads now stopped<br>
                                [31/Jan/2014:19:15:18 +0000] - slapd
                                stopped.<br>
                                [31/Jan/2014:19:15:23 +0000] -
                                389-Directory/1.2.11.15 B2013.337.1530
                                starting up<br>
                                [31/Jan/2014:19:15:23 +0000]
                                schema-compat-plugin - warning: no
                                entries set up under cn=computers,
                                cn=compat,dc=boingo,dc=com<br>
                                [31/Jan/2014:19:15:23 +0000]
                                schema-compat-plugin - warning: no
                                entries set up under cn=ng,
                                cn=compat,dc=boingo,dc=com<br>
                                [31/Jan/2014:19:15:23 +0000]
                                schema-compat-plugin - warning: no
                                entries set up under
                                ou=sudoers,dc=boingo,dc=com<br>
                                [31/Jan/2014:19:15:23 +0000] - Skipping
                                CoS Definition cn=Password
                                Policy,cn=accounts,dc=boingo,dc=com--no
                                CoS Templates found, which should be
                                added before the CoS Definition.<br>
                                [31/Jan/2014:19:15:23 +0000]
                                set_krb5_creds - Could not get initial
                                credentials for principal
                                [ldap/se-idm-01.boingo.com@BOINGO.COM]
                                in keytab [FILE:/etc/dirsrv/ds.keytab]:
                                -1765328324 (Generic error (see e-text))<br>
                                [31/Jan/2014:19:15:23 +0000] - Skipping
                                CoS Definition cn=Password
                                Policy,cn=accounts,dc=boingo,dc=com--no
                                CoS Templates found, which should be
                                added before the CoS Definition.<br>
                                [31/Jan/2014:19:15:23 +0000]
                                slapd_ldap_sasl_interactive_bind -
                                Error: could not perform interactive
                                bind for id [] mech [GSSAPI]: LDAP error
                                -2 (Local error) (SASL(-1): generic
                                failure: GSSAPI Error: Unspecified GSS
                                failure.  Minor code may provide more
                                information (Credentials cache file
                                '/tmp/krb5cc_495' not found)) errno 0
                                (Success)<br>
                                [31/Jan/2014:19:15:23 +0000]
                                slapi_ldap_bind - Error: could not
                                perform interactive bind for id [] mech
                                [GSSAPI]: error -2 (Local error)<br>
                                [31/Jan/2014:19:15:23 +0000]
                                NSMMReplicationPlugin -
                                agmt="cn=meTose-idm-02.boingo.com"
                                (se-idm-02:389): Replication bind with
                                GSSAPI auth failed: LDAP error -2 (Local
                                error) (SASL(-1): generic failure:
                                GSSAPI Error: Unspecified GSS failure. 
                                Minor code may provide more information
                                (Credentials cache file
                                '/tmp/krb5cc_495' not found))<br>
                                [31/Jan/2014:19:15:23 +0000] - slapd
                                started.  Listening on All Interfaces
                                port 389 for LDAP requests<br>
                                [31/Jan/2014:19:15:23 +0000] - Listening
                                on All Interfaces port 636 for LDAPS
                                requests<br>
                                [31/Jan/2014:19:15:23 +0000] - Listening
                                on /var/run/slapd-BOINGO-COM.socket for
                                LDAPI requests<br>
                                [31/Jan/2014:19:15:25 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:15:25 +0000]
                                NSMMReplicationPlugin -
                                agmt="cn=meToqatestdc2.boingoqa.local"
                                (qatestdc2:389): Replication bind with
                                SIMPLE auth failed: LDAP error -11
                                (Connect error) (TLS error -8179:Peer's
                                Certificate issuer is not recognized.)<br>
                                [31/Jan/2014:19:15:25 +0000] - Entry
                                "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping
                                tree,cn=config" -- attribute
                                "nsDS5ReplicatedAttributeListTotal" not
                                allowed<br>
                                [31/Jan/2014:19:15:25 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:15:25 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:15:26 +0000]
                                NSMMReplicationPlugin -
                                agmt="cn=meTose-idm-02.boingo.com"
                                (se-idm-02:389): Replication bind with
                                GSSAPI auth resumed<br>
                                [31/Jan/2014:19:15:27 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:15:27 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:15:28 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                [31/Jan/2014:19:15:30 +0000]
                                slapi_ldap_bind - Error: could not send
                                startTLS request: error -11 (Connect
                                error) errno 0 (Success)<br>
                                <br>
                              </div>
                            </div>
                          </div>
                          <br>
                          <br>
                          <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                        </blockquote>
                        <br>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
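    <br>
    Added example, not code from this thread, from FreeIPA or from 389-ds: a
    small Python triage script for 389 Directory Server errors-log lines of the
    kind quoted above. It recognises the StartTLS connect errors, the NSS
    "TLS error -8179" (peer certificate issuer not recognized, i.e. the remote
    CA is missing from the instance's NSS database under
    /etc/dirsrv/slapd-INSTANCE rather than /etc/openldap/cacerts), the
    transient GSSAPI credential-cache errors at startup, and the schema
    rejection of the agreement entry, then reports the last known bind state
    of every replication agreement. The sample log is constructed from the
    excerpt in the thread; rule names and hints are this example's own.<br>

```python
"""Triage 389 Directory Server errors-log lines for replication-agreement failures.

Added example for this thread, not code from FreeIPA or 389-ds. Rule names and
hints are this example's own; the sample log is assembled from the thread.
"""
import re

# Timestamp prefix of a 389-ds errors-log line: [31/Jan/2014:19:15:25 +0000] ...
_TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
# Agreement name and peer as printed by NSMMReplicationPlugin: agmt="cn=..." (host:port)
_AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"\s*\((?P<peer>[^)]+)\)')

# First matching rule wins, so the specific TLS trust error is listed before
# the generic errors it causes.
_RULES = [
    ("tls_unknown_issuer", re.compile(r"TLS error -8179"),
     "peer certificate issuer is not in the server's NSS database; import the "
     "remote CA into /etc/dirsrv/slapd-INSTANCE, not /etc/openldap/cacerts"),
    ("starttls_connect_error", re.compile(r"could not send startTLS request: error -11"),
     "outbound StartTLS to a replication peer failed; check TLS trust and connectivity"),
    ("gssapi_no_ccache", re.compile(r"Credentials cache file '[^']+' not found"),
     "GSSAPI bind ran before a Kerberos ccache existed (common right after startup); "
     "harmless if a later 'auth resumed' line follows"),
    ("schema_attr_not_allowed", re.compile(r'attribute "[^"]+" not allowed'),
     "agreement entry carries an attribute the server schema rejects"),
    ("bind_resumed", re.compile(r"Replication bind with \w+ auth resumed"),
     "replication bind recovered"),
]

# Constructed sample, assembled from the log excerpt quoted in the thread.
SAMPLE_LOG = r"""
[31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:25 +0000] - Entry "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""


def classify(msg):
    """Return (category, hint) of the first matching rule, or ("other", None)."""
    for category, pattern, hint in _RULES:
        if pattern.search(msg):
            return category, hint
    return "other", None


def parse_line(line):
    """Split one errors-log line into timestamp, message, category and agreement."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    category, hint = classify(msg)
    agmt = _AGMT_RE.search(msg)
    return {"ts": m.group("ts"), "msg": msg, "category": category, "hint": hint,
            "agmt": agmt.group("agmt") if agmt else None,
            "peer": agmt.group("peer") if agmt else None}


def triage(lines):
    """Count message categories and track the last bind state per agreement."""
    counts, agreements = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] = counts.get(rec["category"], 0) + 1
        if rec["agmt"]:
            entry = agreements.setdefault(
                rec["agmt"], {"peer": rec["peer"], "state": "unknown", "last_error": None})
            if "auth failed" in rec["msg"]:
                entry["state"], entry["last_error"] = "failed", rec["category"]
            elif "auth resumed" in rec["msg"]:
                entry["state"] = "resumed"
    return {"counts": counts, "agreements": agreements}


def broken_agreements(summary):
    """Sorted names of agreements whose most recent bind attempt failed."""
    return sorted(a for a, e in summary["agreements"].items() if e["state"] == "failed")


def report(lines):
    """Human-readable summary: category counts with hints, then agreement states."""
    summary = triage(lines)
    hints = {cat: hint for cat, _, hint in _RULES}
    out = [f"{n:3d}  {cat}: {hints.get(cat, 'unclassified')}"
           for cat, n in sorted(summary["counts"].items())]
    for agmt, e in summary["agreements"].items():
        why = f" ({e['last_error']})" if e["last_error"] else ""
        out.append(f"{agmt} at {e['peer']}: {e['state']}{why}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.strip().splitlines()))
```

    Run against the sample, the only agreement still in the failed state is the
    winsync one towards qatestdc2, with the TLS trust error as its last cause,
    while the GSSAPI failure towards se-idm-02 is followed by a resumed line and
    so drops out of the broken list. On a live server the same script can be
    pointed at /var/log/dirsrv/slapd-INSTANCE/errors (path assumed from the
    instance naming in the thread).<br>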
    <br>
  </body>
</html>