<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 08/31/2016 12:39 PM, Andrey Rogovsky
wrote:<br>
</div>
<blockquote
cite="mid:CAM+V3zLU1PNU-9z2A=7q0dZkq7LWpHV24n9g+_gAk4xBDjwMaw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi, Mark!
<div><br>
</div>
<div>Thanks for explaining. Now I have created the replication manager: (I
hope)</div>
<div>
<div>[root@ldap1 ~]# ldapsearch -h <a moz-do-not-send="true"
href="http://ldap1.example.com">ldap1.example.com</a> -p
389 -xLLL -D "cn=directory manager" -W -b cn=config
"cn=replication manager"</div>
<div>Enter LDAP Password: </div>
<div>dn: cn=replication manager,cn=config</div>
<div>objectClass: inetorgperson</div>
<div>objectClass: person</div>
<div>objectClass: top</div>
<div>objectClass: organizationalPerson</div>
<div>cn: replication manager</div>
<div>sn: RM</div>
<div>userPassword::
e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ=</div>
<div> =</div>
</div>
<div><br>
</div>
<div>What is next? I am using the manual from version 8 and it is a bit
obsolete.</div>
</div>
</blockquote>
Now you should be able to initialize your standalone server by
updating the agreement on the ipa DS:<br>
<br>
<div class="gmail_extra">dn: cn=ExampleAgreement,cn=<wbr>replica,cn="dc=example,dc=com"<wbr>,cn=mapping
tree,cn=config</div>
<div class="gmail_extra">changetype: modify</div>
<div class="gmail_extra">replace: nsds5beginreplicarefresh</div>
nsds5beginreplicarefresh: start<br>
<br>
If something goes wrong let us know what's in the errors log again.<br>
<br>
Mark<br>
<blockquote
cite="mid:CAM+V3zLU1PNU-9z2A=7q0dZkq7LWpHV24n9g+_gAk4xBDjwMaw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-08-31 19:30 GMT+03:00 Mark
Reynolds <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mareynol@redhat.com" target="_blank">mareynol@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Andrey,</p>
<p>It looks like you still did not create the replication
manager entry. You must create that manager entry on
the standalone server. Please read the link I sent you:</p>
<p><a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html"
target="_blank">https://access.redhat.com/docu<wbr>mentation/en-US/Red_Hat_Direct<wbr>ory_Server/10/html/Administrat<wbr>ion_Guide/Creating_the_<wbr>Supplier_Bind_DN_Entry.html</a></p>
<p>You can verify its existence by doing this search
against the standalone server:</p>
<p>ldapsearch -h <a moz-do-not-send="true"
href="http://ldap1.example.com" target="_blank">ldap1.example.com</a>
-p 389 -xLLL -D "cn=directory manager" -W -b cn=config
"cn=replication manager"<span class="HOEnZb"><font
color="#888888"><br>
</font></span></p>
<span class="HOEnZb"><font color="#888888">
<p>Mark<br>
</p>
</font></span>
<div>
<div class="h5">
<p><br>
</p>
<div>On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi!
<div>Thank you for the fast reply.</div>
<div>Yes, I want to use a standalone 389DS to replicate
from FreeIPA.</div>
<div>Here is my replica:</div>
<div>
<div>filter: (objectclass=nsds5replica)</div>
<div>requesting: All userApplication attributes</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=config> with scope subtree</div>
<div># filter: (objectclass=nsds5replica)</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># replica, dc\3Dexample\2Cdc\3Dcom, mapping
tree, config</div>
<div>dn: cn=replica,cn=dc\3Dexample\<wbr>2Cdc\3Dcom,cn=mapping
tree,cn=config</div>
<div>objectClass: top</div>
<div>objectClass: nsds5replica</div>
<div>objectClass: extensibleObject</div>
<div>cn: replica</div>
<div>nsDS5ReplicaRoot: dc=example,dc=com</div>
<div>nsDS5ReplicaId: 7</div>
<div>nsDS5ReplicaType: 3</div>
<div>nsDS5Flags: 1</div>
<div>nsds5ReplicaPurgeDelay: 604800</div>
<div>nsDS5ReplicaBindDN: cn=replication
manager,cn=config</div>
<div>nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAA<wbr>AAAAAAAAAAAAABAAAAAAAAAA==</div>
<div>nsDS5ReplicaName:
496dba82-6f7a11e6-9d5ba359-<wbr>5196ffe4</div>
<div>nsds5ReplicaChangeCount: 22</div>
<div>nsds5replicareapactive: 0</div>
<div><br>
</div>
<div># search result</div>
<div>search: 2</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
</div>
<div><br>
</div>
<div>So, my replica has the entry "cn=replication
manager"<br>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">But I tried adding the entry to the
agreement. Unfortunately this did not help,
the error is present:</div>
<div class="gmail_extra">
<div class="gmail_extra">[root@ldap1 ~]#
ldapmodify -v -h <a moz-do-not-send="true"
href="http://ldap1.example.com"
target="_blank">ldap1.example.com</a> -p
389 -D "cn=directory manager" -w ...</div>
<div class="gmail_extra">ldap_initialize( <a
moz-do-not-send="true">ldap://</a><a
moz-do-not-send="true"
href="http://ldap1.example.com:389"
target="_blank">ldap1.example.com:389</a>
)</div>
<div class="gmail_extra">dn:
cn=ExampleAgreement,cn=<wbr>replica,cn="dc=example,dc=com"<wbr>,cn=mapping
tree,cn=config</div>
<div class="gmail_extra">changetype: modify</div>
<div class="gmail_extra">replace:
nsds5ReplicaBindDN</div>
<div class="gmail_extra">nsds5ReplicaBindDN:
cn=replication manager,cn=config</div>
<div class="gmail_extra">replace
nsds5ReplicaBindDN:</div>
<div class="gmail_extra">
cn=replication manager,cn=config</div>
<div class="gmail_extra">modifying entry
"cn=ExampleAgreement,cn=<wbr>replica,cn="dc=example,dc=com"<wbr>,cn=mapping
tree,cn=config"</div>
<div class="gmail_extra">modify complete</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">[root@ldap1 ~]# tail
-f /var/log/dirsrv/slapd-EXAMPLE-<wbr>COM/errors</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] schema-compat-plugin -
schema-compat-plugin tree scan will start in
about 5 seconds!</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] - slapd started. Listening on All
Interfaces port 389 for LDAP requests</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] - Listening on All Interfaces port
636 for LDAPS requests</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] - Listening on
/var/run/slapd-EXAMPLE-COM.<wbr>socket for
LDAPI requests</div>
<div class="gmail_extra">[31/Aug/2016:11:11:13
+0000] schema-compat-plugin - warning: no
entries set up under
ou=sudoers,dc=example,dc=com</div>
<div class="gmail_extra">[31/Aug/2016:11:11:14
+0000] schema-compat-plugin - warning: no
entries set up under cn=ng,
cn=compat,dc=example,dc=com</div>
<div class="gmail_extra">[31/Aug/2016:11:11:14
+0000] schema-compat-plugin - warning: no
entries set up under cn=computers,
cn=compat,dc=example,dc=com</div>
<div class="gmail_extra">[31/Aug/2016:11:11:14
+0000] schema-compat-plugin - Finished
plugin initialization.</div>
<div class="gmail_extra">[31/Aug/2016:13:38:01
+0000] slapi_ldap_bind - Error: could not
bind id [cn=replication manager]
authentication mechanism [SIMPLE]: error 32
(No such object) errno 0 (Success)</div>
<div class="gmail_extra">[31/Aug/2016:13:38:01
+0000] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389):
Replication bind with SIMPLE auth failed:
LDAP error 32 (No such object) ()</div>
<div class="gmail_extra">^C</div>
<div class="gmail_extra">[root@ldap1 ~]#
ldapmodify -v -h <a moz-do-not-send="true"
href="http://ldap1.example.com"
target="_blank">ldap1.example.com</a> -p
389 -D "cn=directory manager" -w ...</div>
<div class="gmail_extra">ldap_initialize( <a
moz-do-not-send="true">ldap://</a><a
moz-do-not-send="true"
href="http://ldap1.example.com:389"
target="_blank">ldap1.example.com:389</a>
)</div>
<div class="gmail_extra">dn:
cn=ExampleAgreement,cn=<wbr>replica,cn="dc=example,dc=com"<wbr>,cn=mapping
tree,cn=config</div>
<div class="gmail_extra">changetype: modify</div>
<div class="gmail_extra">replace:
nsds5beginreplicarefresh</div>
<div class="gmail_extra">nsds5beginreplicarefresh:
start</div>
<div class="gmail_extra">replace
nsds5beginreplicarefresh:</div>
<div class="gmail_extra"> start</div>
<div class="gmail_extra">modifying entry
"cn=ExampleAgreement,cn=<wbr>replica,cn="dc=example,dc=com"<wbr>,cn=mapping
tree,cn=config"</div>
<div class="gmail_extra">modify complete</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">[root@ldap1 ~]# tail
-f /var/log/dirsrv/slapd-EXAMPLE-<wbr>COM/errors</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] - slapd started. Listening on All
Interfaces port 389 for LDAP requests</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] - Listening on All Interfaces port
636 for LDAPS requests</div>
<div class="gmail_extra">[31/Aug/2016:11:11:09
+0000] - Listening on
/var/run/slapd-EXAMPLE-COM.<wbr>socket for
LDAPI requests</div>
<div class="gmail_extra">[31/Aug/2016:11:11:13
+0000] schema-compat-plugin - warning: no
entries set up under
ou=sudoers,dc=example,dc=com</div>
<div class="gmail_extra">[31/Aug/2016:11:11:14
+0000] schema-compat-plugin - warning: no
entries set up under cn=ng,
cn=compat,dc=example,dc=com</div>
<div class="gmail_extra">[31/Aug/2016:11:11:14
+0000] schema-compat-plugin - warning: no
entries set up under cn=computers,
cn=compat,dc=example,dc=com</div>
<div class="gmail_extra">[31/Aug/2016:11:11:14
+0000] schema-compat-plugin - Finished
plugin initialization.</div>
<div class="gmail_extra">[31/Aug/2016:13:38:01
+0000] slapi_ldap_bind - Error: could not
bind id [cn=replication manager]
authentication mechanism [SIMPLE]: error 32
(No such object) errno 0 (Success)</div>
<div class="gmail_extra">[31/Aug/2016:13:38:01
+0000] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389):
Replication bind with SIMPLE auth failed:
LDAP error 32 (No such object) ()</div>
<div class="gmail_extra">[31/Aug/2016:15:48:36
+0000] slapi_ldap_bind - Error: could not
bind id [cn=replication manager,cn=config]
authentication mechanism [SIMPLE]: error 32
(No such object) errno 0 (Success)</div>
<div class="gmail_extra">^C</div>
<div class="gmail_extra">[root@ldap1 ~]# </div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-08-31 18:15
GMT+03:00 Mark Reynolds <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mareynol@redhat.com"
target="_blank">mareynol@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>
<div>
<p><br>
</p>
<br>
<div>On 08/31/2016 09:50 AM, Andrey
Rogovsky wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi!
<div><br>
</div>
<div>I am trying to configure manual
replication from FreeIPA DS to 389
DS.</div>
<div>I have two VMs: <a
moz-do-not-send="true"
href="http://ldap1.example.com"
target="_blank">ldap1.example.com</a>
and <a moz-do-not-send="true"
href="http://ldap2.example.com" target="_blank">ldap2.example.com</a></div>
<div>I used this manual <a
moz-do-not-send="true"
href="https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html"
target="_blank">https://www.centos.org/<wbr>docs/5/html/CDS/ag/8.0/Managin<wbr>g_Replication-Configuring-<wbr>Replication-cmd.html</a>
to configure the replica</div>
<div><br>
</div>
<div>This was the replica agreement
before starting:</div>
<div><br>
</div>
<div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=config>
with scope subtree</div>
<div># filter:
(objectclass=nsds5ReplicationA<wbr>greement)</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># ExampleAgreement,
replica,
dc\3Dexample\2Cdc\3Dcom,
mapping tree, config</div>
<div>dn:
cn=ExampleAgreement,cn=replica<wbr>,cn=dc\3Dexample\2Cdc\3Dcom,<wbr>cn=mapping
tree,</div>
<div> cn=config</div>
<div>objectClass: top</div>
<div>objectClass:
nsds5replicationagreement</div>
<div>cn: ExampleAgreement</div>
<div>nsDS5ReplicaHost: ldap2</div>
<div>nsDS5ReplicaPort: 389</div>
<div>nsDS5ReplicaBindDN:
cn=replication manager</div>
<div>nsDS5ReplicaBindMethod:
SIMPLE</div>
<div>nsDS5ReplicaRoot:
dc=example,dc=com</div>
<div>description: agreement
between supplier1 and
consumer1</div>
<div>nsDS5ReplicaUpdateSchedule:
0000-0500 1</div>
<div>nsDS5ReplicatedAttributeList:
(objectclass=*) $ EXCLUDE
authorityRevocationLis</div>
<div> t</div>
<div>nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQ<wbr>m1NRVVHQ1NxR1NJYjNEUUVG</div>
<div> RERBNEJDUmxPVFl4TlRsbU5DMWtaV<wbr>0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk<wbr>wek5qRmxNalkxWkFBQ</div>
<div> 0FRSUNBU0F3Q2dZSUtvWklodmNOQW<wbr>djd0hRWUpZSVpJQVdVRA0KQkFFcUJC<wbr>QUVJckpINmE0S3RFYl</div>
<div> NhLzkxL01qZg==}Wo+c0XfBnaDhg/<wbr>a36yguXg==</div>
<div>nsds5replicareapactive: 0</div>
<div>nsds5replicaLastUpdateStart:
19700101000000Z</div>
<div>nsds5replicaLastUpdateEnd:
19700101000000Z</div>
<div>nsds5replicaChangesSentSinceSt<wbr>artup:</div>
<div>nsds5replicaLastUpdateStatus:
0 No replication sessions
started since server s</div>
<div> tartup</div>
<div>nsds5replicaUpdateInProgress:
FALSE</div>
<div>nsds5replicaLastInitStart:
19700101000000Z</div>
<div>nsds5replicaLastInitEnd:
19700101000000Z</div>
<div><br>
</div>
<div># search result</div>
<div>search: 2</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: </div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>These are the errors which I get
when I start the replica:</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>[root@ldap1 ~]#
ldapmodify -v -h <a
moz-do-not-send="true"
href="http://ldap1.example.com"
target="_blank">ldap1.example.com</a>
-p 389 -D "cn=directory
manager" -w ...</div>
<div>ldap_initialize( <a
moz-do-not-send="true">ldap://</a><a
moz-do-not-send="true"
href="http://ldap1.example.com:389"
target="_blank">ldap1.example.com:389</a>
)</div>
<div>dn:
cn=ExampleAgreement,cn=replica<wbr>,cn="dc=example,dc=com",cn=<wbr>mapping
tree,cn=config</div>
<div>changetype: modify</div>
<div>replace:
nsds5beginreplicarefresh</div>
<div>nsds5beginreplicarefresh:
start</div>
<div>replace
nsds5beginreplicarefresh:</div>
<div> start</div>
<div>modifying entry
"cn=ExampleAgreement,cn=replic<wbr>a,cn="dc=example,dc=com",cn=<wbr>mapping
tree,cn=config"</div>
<div>modify complete</div>
<div><br>
</div>
<div>[root@ldap1 ~]# tail -f
/var/log/dirsrv/slapd-EXAMPLE-<wbr>COM/errors</div>
<div>[31/Aug/2016:11:11:09
+0000] schema-compat-plugin
- schema-compat-plugin tree
scan will start in about 5
seconds!</div>
<div>[31/Aug/2016:11:11:09
+0000] - slapd started.
Listening on All Interfaces
port 389 for LDAP requests</div>
<div>[31/Aug/2016:11:11:09
+0000] - Listening on All
Interfaces port 636 for
LDAPS requests</div>
<div>[31/Aug/2016:11:11:09
+0000] - Listening on
/var/run/slapd-EXAMPLE-COM.soc<wbr>ket
for LDAPI requests</div>
<div>[31/Aug/2016:11:11:13
+0000] schema-compat-plugin
- warning: no entries set up
under
ou=sudoers,dc=example,dc=com</div>
<div>[31/Aug/2016:11:11:14
+0000] schema-compat-plugin
- warning: no entries set up
under cn=ng,
cn=compat,dc=example,dc=com</div>
<div>[31/Aug/2016:11:11:14
+0000] schema-compat-plugin
- warning: no entries set up
under cn=computers,
cn=compat,dc=example,dc=com</div>
<div>[31/Aug/2016:11:11:14
+0000] schema-compat-plugin
- Finished plugin
initialization.</div>
<div>[31/Aug/2016:13:38:01
+0000] slapi_ldap_bind -
Error: could not bind id
[cn=replication manager]
authentication mechanism
[SIMPLE]: error 32 (No such
object) errno 0 (Success)</div>
<div>[31/Aug/2016:13:38:01
+0000] NSMMReplicationPlugin
- agmt="cn=ExampleAgreement"
(ldap2:389): Replication
bind with SIMPLE auth
failed: LDAP error 32 (No
such object) ()</div>
<div>^C</div>
</div>
</div>
</blockquote>
</div>
</div>
I'm assuming this is just a standalone
389 Directory Server you are trying to
replicate to (not a FreeIPA
installation). If it is a FreeIPA
installation, then you should use the
FreeIPA CLI for setting up replication.<br>
<br>
The error 32 (no such object) you are
getting is because the replica does not
have an entry "cn=replication manager".
Looking at the replication agreement:<br>
<br>
nsDS5ReplicaBindDN: cn=replication
manager<br>
<br>
This is not a valid DN as there is no
base suffix. For example, I would
expect to see something like
"cn=replication manager,cn=config"<br>
<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html"
target="_blank">https://access.redhat.com/docu<wbr>mentation/en-US/Red_Hat_Direct<wbr>ory_Server/10/html/Administrat<wbr>ion_Guide/Creating_the_<wbr>Supplier_Bind_DN_Entry.html</a><br>
<br>
Regards,<br>
Mark<span><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Please help me fix this</div>
<div><br>
</div>
<div><span
style="font-size:medium;line-height:32px"><br>
</span></div>
</div>
</blockquote>
<br>
</span></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
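<p>An added example, not part of the original thread and not 389 DS or FreeIPA code: an offline check of the bind-DN mismatch discussed above. It compares the supplier agreement's nsDS5ReplicaBindDN with the consumer replica's nsDS5ReplicaBindDN and with the bind entry found on the consumer, and pulls the failed bind ids out of the errors log. The function names are hypothetical and the sample LDIF and log text are constructed from the values quoted in this thread.</p>

```python
import re

# Constructed sample input, modelled on the entries and log lines quoted in this thread.
# Function names are illustrative; this is not 389 DS or FreeIPA code.
AGREEMENT = """\
dn: cn=ExampleAgreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,
 cn=config
nsDS5ReplicaHost: ldap2
nsDS5ReplicaBindDN: cn=replication manager
"""
CONSUMER_REPLICA = """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""
BIND_ENTRY = """\
dn: cn=replication manager,cn=config
objectClass: inetorgperson
"""
ERRORS_LOG = """\
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}; folded lines are joined, base64 values are not decoded."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Lowercase a DN and trim spaces around RDNs (simplified: no escaped-comma handling)."""
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))

def check_bind_dn(agreement, consumer_replica, bind_entry):
    """Compare the supplier agreement's bind DN with what the consumer holds."""
    problems = []
    bind_dn = norm_dn(agreement["nsds5replicabinddn"][0])
    accepted = [norm_dn(v) for v in consumer_replica.get("nsds5replicabinddn", [])]
    if "," not in bind_dn:
        problems.append("no suffix")
    if bind_dn not in accepted:
        problems.append("not accepted by consumer replica")
    if bind_entry is None or norm_dn(bind_entry["dn"][0]) != bind_dn:
        problems.append("no such entry on consumer")
    return problems

BIND_FAIL = re.compile(r"could not bind id \[([^\]]*)\].*?: error (\d+) \(")

def failed_binds(log):
    """Return (bind DN, LDAP result code) for each failed replication bind in the errors log."""
    return [(dn, int(code)) for dn, code in BIND_FAIL.findall(log)]
```

<p>Passing None as the bind entry models the state at 15:48:36 in the log, where the agreement already carried the full DN but the entry had not yet been created on the standalone server.</p>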
</body>
</html>