Hi Andrey,
It looks like you still did not create the replication manager entry.
You must create that manager entry on the standalone server. Please read
the link I sent you:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
You can verify its existence by doing this search against the standalone
server:
ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
Mark
On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
Hi!
Thank you for the fast reply.
Yes, I want to use standalone 389DS to replicate from FreeIPA.
Here is my replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5replica)
# requesting: ALL
#
# replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 7
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
nsds5ReplicaChangeCount: 22
nsds5replicareapactive: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So, my replica has the entry "cn=replication manager".
But I tried to add the entry in the agreement. Unfortunately this does not help, the error
is present:
[root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
ldap_initialize( ldap://ldap1.example.com:389 )
dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5ReplicaBindDN
nsds5ReplicaBindDN: cn=replication manager,cn=config
replace nsds5ReplicaBindDN:
cn=replication manager,cn=config
modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
modify complete
[root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
[31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
^C
[root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
ldap_initialize( ldap://ldap1.example.com:389 )
dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
replace nsds5beginreplicarefresh:
start
modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
modify complete
[root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
[31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
^C
[root@ldap1 ~]#
2016-08-31 18:15 GMT+03:00 Mark Reynolds <[email protected]>:
On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
Hi!
I am trying to configure a manual replica from FreeIPA DS to 389 DS.
I have two VMs: ldap1.example.com and ldap2.example.com
I used this manual https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html to configure the replica.
This was the replica agreement before starting:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5ReplicationAgreement)
# requesting: ALL
#
# ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsDS5ReplicaUpdateSchedule: 0000-0500 1
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ
m1NRVVHQ1NxR1NJYjNEUUVG
RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk
wek5qRmxNalkxWkFBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC
QUVJckpINmE0S3RFYl
NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries:
These are the errors which I get when I start the replica:
[root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
ldap_initialize( ldap://ldap1.example.com:389 )
dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
replace nsds5beginreplicarefresh:
start
modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
modify complete
[root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
[31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
^C
I'm assuming this is just a standalone 389 Directory Server you are
trying to replicate to (not a FreeIPA installation). If it is a FreeIPA
installation, then you should use the freeipa CLI for setting up
replication.
The error 32 (no such object) you are getting is because the replica
does not have an entry "cn=replication manager". Looking at the
replication agreement:
nsDS5ReplicaBindDN: cn=replication manager
This is not a valid DN as there is no base suffix: For example, I would
expect to see something like "cn=replication manager,cn=config"
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
Regards,
Mark
Please help me fix this
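
An added example, not part of the original thread and not code from the 389 DS project: a small offline check that cross-references the supplier's agreement LDIF with the consumer's cn=config LDIF and reports the three conditions discussed above (bind DN without a suffix, bind entry missing on the consumer, bind DN not listed on the consumer's replica entry). The function names, finding labels and sample LDIF are constructed for illustration.

```python
def norm_dn(dn):
    # Simplified normalisation; assumes no escaped commas inside RDN values.
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Return {normalised dn: {attr: [values]}} from LDIF text."""
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():   # unfold continuation lines
        attr, _, value = line.partition(":")
        if not line.strip():
            cur = None                # blank line ends the entry
        elif attr.lower() == "dn":
            cur = entries.setdefault(norm_dn(value), {})
        elif cur is not None and not line.startswith("#"):
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def diagnose(supplier_ldif, consumer_ldif):
    """Return {agreement cn: [findings]} for each agreement in supplier_ldif."""
    is_a = lambda e, oc: oc in [v.lower() for v in e.get("objectclass", [])]
    consumer = parse_ldif(consumer_ldif)
    allowed = {norm_dn(v) for e in consumer.values() if is_a(e, "nsds5replica")
               for v in e.get("nsds5replicabinddn", [])}
    report = {}
    for e in parse_ldif(supplier_ldif).values():
        if is_a(e, "nsds5replicationagreement"):
            dn = norm_dn(e["nsds5replicabinddn"][0])
            checks = [("no-suffix", "," not in dn),           # bare RDN, no suffix
                      ("no-entry", dn not in consumer),       # bind would get error 32
                      ("not-authorized", dn not in allowed)]  # not the replica's bind DN
            report[e["cn"][0]] = [name for name, bad in checks if bad]
    return report

# Constructed sample LDIF modelled on the thread (not real server output).
AGMT_BEFORE = r"""dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tr
 ee,cn=config
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaBindDN: cn=replication manager
"""
AGMT_AFTER = AGMT_BEFORE.replace("manager", "manager,cn=config")
CONSUMER = r"""dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""
CONSUMER_FIXED = CONSUMER + "\ndn: cn=replication manager,cn=config\ncn: replication manager\n"
```

Feed it the output of the two ldapsearch queries against cn=config (agreement on the supplier, everything relevant on the consumer); an empty finding list means the bind DN is consistent on both sides.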