<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/31/2014 01:55 PM, Todd Maugh
wrote:<br>
</div>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226A668@EXCHMB1-ELS.BWINC.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;"><br>
<br>
[<a class="moz-txt-link-abbreviated" href="mailto:root@se-idm-01.boingo.com">root@se-idm-01.boingo.com</a> cacerts]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx
-ZZ -H <a class="moz-txt-link-freetext" href="ldap://qatestdc2.boingoqa.local">ldap://qatestdc2.boingoqa.local</a> -b "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -W<br>
Enter LDAP Password: <br>
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: user<br>
cn: IDM ADMIN<br>
givenName: IDMADMIN<br>
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local<br>
instanceType: 4<br>
whenCreated: 20140128182537.0Z<br>
whenChanged: 20140131014315.0Z<br>
displayName: IDMADMIN<br>
uSNCreated: 31968<br>
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local<br>
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local<br>
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local<br>
uSNChanged: 38786<br>
name: IDM ADMIN<br>
objectGUID:: jai63JfDvUuOGcURntA7hg==<br>
userAccountControl: 66048<br>
badPwdCount: 0<br>
codePage: 0<br>
countryCode: 0<br>
badPasswordTime: 0<br>
lastLogoff: 0<br>
lastLogon: 0<br>
pwdLastSet: 130356008006093750<br>
primaryGroupID: 513<br>
objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==<br>
adminCount: 1<br>
accountExpires: 9223372036854775807<br>
logonCount: 0<br>
sAMAccountName: idmadmin<br>
sAMAccountType: 805306368<br>
userPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:idmadmin@boingoqa.local">idmadmin@boingoqa.local</a><br>
lockoutTime: 0<br>
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local<br>
dSCorePropagationData: 20140129224024.0Z<br>
dSCorePropagationData: 16010101000000.0Z<br>
lastLogonTimestamp: 130356060672110578<br>
</div>
</blockquote>
<br>
I'd like to look at the debug output, so try this:<br>
<br>
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1
-LLLx -ZZ -H <a class="moz-txt-link-freetext" href="ldap://qatestdc2.boingoqa.local">ldap://qatestdc2.boingoqa.local</a> -b "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn<br>
<br>
The 389 errors log indicates "cannot connect" which usually means
some sort of SSL error. Unfortunately the logging leaves something
to be desired in the way of information necessary to diagnose and
fix the problem.<br>
<br>
If that doesn't help, let's take a look at your winsync agreement
configuration:<br>
<br>
ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W
'objectclass=nsdswindowsreplicationagreement' dn<br>
<br>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226A668@EXCHMB1-ELS.BWINC.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<br>
<br>
<div style="font-family: Times New Roman; color: #000000;
font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF624858"><font
color="#000000" face="Tahoma" size="2"><b>From:</b> Rich
Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Friday, January 31, 2014 12:39 PM<br>
<b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] can't create winsync
replication<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 01/31/2014 12:16 PM, Todd
Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">RE:<br>
<br>
<div style="font-family:Times New Roman; color:#000000;
font-size:16px">
<div>I am not sure I was clear. It seems that you
provided the LDAP trace for the ldapsearch commands
you executed above. I was talking about the DS level
logs for the replica management agreement
establishment and the follow up replication.<br>
<br>
here is the log tailed while I deleted the
replication agreement, restarted the dirsrv and
tried to set up the replication agreement<br>
</div>
</div>
</div>
</blockquote>
<br>
Note that 389 does not use /etc/openldap/cacerts - it uses
/etc/dirsrv/slapd-YOUR-DOMAIN, so try this:<br>
<br>
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch
-LLLx -ZZ -H <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="ldap://qatestdc2.boingoqa.local"
target="_blank">ldap://qatestdc2.boingoqa.local</a> -b "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -W
<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">
<div style="font-family:Times New Roman; color:#000000;
font-size:16px">
<div><br>
<br>
<br>
[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:08:13 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:08:25 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:10:01 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:11:51 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:11:54 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:12:00 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:12:12 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:12:36 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:12 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:13 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:24 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin -
agmt_delete: begin<br>
[31/Jan/2014:19:14:09 +0000] - slapd shutting down -
signaling operation threads<br>
[31/Jan/2014:19:14:09 +0000] - slapd shutting down -
waiting for 30 threads to terminate<br>
[31/Jan/2014:19:14:09 +0000] - slapd shutting down -
closing down internal subsystems and plugins<br>
[31/Jan/2014:19:14:09 +0000] - Waiting for 4
database threads to stop<br>
[31/Jan/2014:19:14:09 +0000] - All database threads
now stopped<br>
[31/Jan/2014:19:14:09 +0000] - slapd stopped.<br>
[31/Jan/2014:19:14:12 +0000] -
389-Directory/1.2.11.15 B2013.337.1530 starting up<br>
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin -
warning: no entries set up under cn=ng,
cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin -
warning: no entries set up under
ou=sudoers,dc=boingo,dc=com<br>
[31/Jan/2014:19:14:12 +0000] - Skipping CoS
Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS
Templates found, which should be added before the
CoS Definition.<br>
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could
not get initial credentials for principal
[ldap/se-idm-01.boingo.com@BOINGO.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]:
-1765328324 (Generic error (see e-text))<br>
[31/Jan/2014:19:14:12 +0000] - Skipping CoS
Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS
Templates found, which should be added before the
CoS Definition.<br>
[31/Jan/2014:19:14:12 +0000]
slapd_ldap_sasl_interactive_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]:
LDAP error -2 (Local error) (SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_495' not found)) errno 0
(Success)<br>
[31/Jan/2014:19:14:12 +0000] slapi_ldap_bind -
Error: could not perform interactive bind for id []
mech [GSSAPI]: error -2 (Local error)<br>
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
Replication bind with GSSAPI auth failed: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may
provide more information (Credentials cache file
'/tmp/krb5cc_495' not found))<br>
[31/Jan/2014:19:14:12 +0000] - slapd started.
Listening on All Interfaces port 389 for LDAP
requests<br>
[31/Jan/2014:19:14:12 +0000] - Listening on All
Interfaces port 636 for LDAPS requests<br>
[31/Jan/2014:19:14:12 +0000] - Listening on
/var/run/slapd-BOINGO-COM.socket for LDAPI requests<br>
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
Replication bind with GSSAPI auth resumed<br>
[31/Jan/2014:19:15:18 +0000] - slapd shutting down -
signaling operation threads<br>
[31/Jan/2014:19:15:18 +0000] - slapd shutting down -
waiting for 30 threads to terminate<br>
[31/Jan/2014:19:15:18 +0000] - slapd shutting down -
closing down internal subsystems and plugins<br>
[31/Jan/2014:19:15:18 +0000] - Waiting for 4
database threads to stop<br>
[31/Jan/2014:19:15:18 +0000] - All database threads
now stopped<br>
[31/Jan/2014:19:15:18 +0000] - slapd stopped.<br>
[31/Jan/2014:19:15:23 +0000] -
389-Directory/1.2.11.15 B2013.337.1530 starting up<br>
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin -
warning: no entries set up under cn=ng,
cn=compat,dc=boingo,dc=com<br>
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin -
warning: no entries set up under
ou=sudoers,dc=boingo,dc=com<br>
[31/Jan/2014:19:15:23 +0000] - Skipping CoS
Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS
Templates found, which should be added before the
CoS Definition.<br>
[31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could
not get initial credentials for principal
[ldap/se-idm-01.boingo.com@BOINGO.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]:
-1765328324 (Generic error (see e-text))<br>
[31/Jan/2014:19:15:23 +0000] - Skipping CoS
Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS
Templates found, which should be added before the
CoS Definition.<br>
[31/Jan/2014:19:15:23 +0000]
slapd_ldap_sasl_interactive_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]:
LDAP error -2 (Local error) (SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_495' not found)) errno 0
(Success)<br>
[31/Jan/2014:19:15:23 +0000] slapi_ldap_bind -
Error: could not perform interactive bind for id []
mech [GSSAPI]: error -2 (Local error)<br>
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
Replication bind with GSSAPI auth failed: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may
provide more information (Credentials cache file
'/tmp/krb5cc_495' not found))<br>
[31/Jan/2014:19:15:23 +0000] - slapd started.
Listening on All Interfaces port 389 for LDAP
requests<br>
[31/Jan/2014:19:15:23 +0000] - Listening on All
Interfaces port 636 for LDAPS requests<br>
[31/Jan/2014:19:15:23 +0000] - Listening on
/var/run/slapd-BOINGO-COM.socket for LDAPI requests<br>
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin -
agmt="cn=meToqatestdc2.boingoqa.local"
(qatestdc2:389): Replication bind with SIMPLE auth
failed: LDAP error -11 (Connect error) (TLS error
-8179:Peer's Certificate issuer is not recognized.)<br>
[31/Jan/2014:19:15:25 +0000] - Entry
"cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping
tree,cn=config" -- attribute
"nsDS5ReplicatedAttributeListTotal" not allowed<br>
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389):
Replication bind with GSSAPI auth resumed<br>
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:28 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
[31/Jan/2014:19:15:30 +0000] slapi_ldap_bind -
Error: could not send startTLS request: error -11
(Connect error) errno 0 (Success)<br>
<br>
</div>
</div>
</div>
<br>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
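The errors log quoted in this thread is what an operator has to work from when a winsync agreement will not bind; the following is an added example (not from the thread, FreeIPA or the 389 DS project) that parses the "Replication bind ... failed/resumed" lines per agreement and maps the NSS code -8179 from the quoted log to the CA-trust fix discussed above. The sample log is constructed and abridged from the lines quoted in the thread, and the regex field names and hint table are my assumptions.<br>

```python
import re
from collections import defaultdict
# 389 DS errors-log line layout: "[timestamp] component - message".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$')
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"\s+\((?P<host>[^)]+)\):\s+Replication bind '
                     r'with (?P<auth>\w+) auth (?P<state>failed|resumed)'
                     r'(?::\s+LDAP error (?P<ldap>-?\d+))?')
TLS_RE = re.compile(r'TLS error (?P<code>-?\d+):(?P<msg>[^)]*)')
# NSS code from the thread's log: -8179 is SEC_ERROR_UNKNOWN_ISSUER, i.e. the
# issuer of the AD DC's certificate is not trusted in the 389 DS NSS cert DB.
NSS_HINTS = {-8179: "import the AD CA chain into the 389 DS NSS cert DB under "
                    "/etc/dirsrv/slapd-YOUR-DOMAIN (389 does not read /etc/openldap/cacerts)"}

def parse_bind_events(lines):
    """One dict per 'Replication bind ... failed/resumed' line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        a = AGMT_RE.search(m.group('rest')) if m else None
        if not a:
            continue
        ev = {'ts': m.group('ts'), 'agmt': a.group('agmt'), 'host': a.group('host'),
              'auth': a.group('auth'), 'state': a.group('state'), 'tls_error': None,
              'ldap_error': int(a.group('ldap')) if a.group('ldap') else None, 'hint': None}
        t = TLS_RE.search(m.group('rest'))
        if t:  # only StartTLS/LDAPS failures carry an NSS error code
            ev['tls_error'] = int(t.group('code'))
            ev['hint'] = NSS_HINTS.get(ev['tls_error'], t.group('msg').strip())
        events.append(ev)
    return events

def summarize(events):
    """Per agreement: failed/resumed counts, auth mechanisms seen and any TLS hints."""
    out = defaultdict(lambda: {'failed': 0, 'resumed': 0, 'auth': set(), 'hints': set()})
    for ev in events:
        s = out[ev['agmt']]
        s[ev['state']] += 1
        s['auth'].add(ev['auth'])
        if ev['hint']:
            s['hints'].add(ev['hint'])
    return dict(out)

# Constructed sample, abridged from the errors log quoted in the thread.
SAMPLE_LOG = """\
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.)
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""
```

Run `summarize(parse_bind_events(open('/var/log/dirsrv/slapd-YOUR-DOMAIN/errors').readlines()))` on a real instance to see which agreement is failing and whether the failure is a TLS trust problem rather than a credentials one.<br>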
</body>
</html>