Hi, Alexander! Thank you very much for the help. Now I am able to start the replica, but have one issue - schemes are not replicated:
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Warning: unable to replicate schema to host ldap2, port 389. Continuing with total update session.
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ExampleAgreement" (ldap2:389)".
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Need to create replication keep alive entry <cn=repl keep alive 7,dc=example,dc=com>
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - add dn: cn=repl keep alive 7,dc=example,dc=com
objectclass: top
objectclass: ldapsubentry
objectclass: extensibleObject
cn: repl keep alive 7
[01/Sep/2016:07:04:58 +0000] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ExampleAgreement" (ldap2:389)". Sent 415 entries.

Can you help me with schemes?

2016-09-01 10:01 GMT+03:00 Alexander Bokovoy <[email protected]>:

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi, Alexander!
>>
>> I have ldap1 - FreeIPA (master) and ldap2 - 389DS (slave)
>> I want one-way replica from ldap1 to ldap2
>> On ldap1 I defined dn replication user, replica and agreement
>> On ldap2 I defined replica only:
>>
> This is what you are doing wrong. Your ldap1 server will attempt to
> connect to ldap2 server using the replication user credentials. It is
> ldap2 which will be authenticating this request. Where would it take
> information about the replication user?
>
>
> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaType: 2
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5Flags: 0
>> nsDS5ReplicaId: 65535
>> nsState:: //8AAAAAAABY2sZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 06154b02-6f7e11e6-b236be05-3db8a3e8
>> nsds5ReplicaChangeCount: 0
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Do I need to define DN replication user on ldap2?
>>
>>
>> 2016-09-01 8:57 GMT+03:00 Alexander Bokovoy <[email protected]>:
>>
>> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>>>
>>> Hi, Alexander!
>>>>
>>>> Thanks for the fast reply.
>>>> I have replication manager object:
>>>> filter: (objectclass=organizationalPerson)
>>>> requesting: All userApplication attributes
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope subtree
>>>> # filter: (objectclass=organizationalPerson)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # replication manager, config
>>>> dn: cn=replication manager,cn=config
>>>> objectClass: inetorgperson
>>>> objectClass: person
>>>> objectClass: top
>>>> objectClass: organizationalPerson
>>>> cn: replication manager
>>>> sn: RM
>>>> userPassword::
>>>> e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
>>>> =
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> But the error is present.
>>>>
>>>> You have two LDAP servers. If you have replication going in both
>>> directions, you need to have the replication bind entry defined on both
>>> servers.
>>>
>>> If you have replication going in one direction, then the target server
>>> should have this replication bind entry defined.
>>>
>>> Where do you have this entry?
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>> > --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
>
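The point made in the quoted replies, that the consumer (ldap2) is the server authenticating the supplier's bind and therefore needs the replication bind entry itself, can be checked from ldapsearch output. The following is an added example, not part of the thread and not 389 DS or FreeIPA code. It assumes password (simple) binds and takes the combined LDIF of the two cn=config searches shown above, run against the consumer; the function names and the sample LDIF are constructed here.

```python
import re

# Constructed sample modelled on the entries quoted in this thread: what the two
# cn=config searches should return on the consumer (ldap2). Hash is a placeholder.
CONSUMER_LDIF = """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica
nsDS5ReplicaType: 2
nsDS5ReplicaBindDN: cn=Replication Manager, cn=config

dn: cn=replication manager,cn=config
objectClass: inetorgperson
userPassword:: PLACEHOLDER
"""

def norm_dn(dn):
    """Case-fold a DN and drop optional spaces around unescaped ',' and '='."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join("=".join(p.strip() for p in r.split("=", 1)).lower() for r in rdns)

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}}; unfolds wrapped lines."""
    text = re.sub(r"\n ", "", text)  # LDIF folding: newline followed by one space
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def check_consumer(ldif_text):
    """List problems that would make the consumer reject the supplier's bind."""
    entries = parse_ldif(ldif_text)
    problems = []
    for dn, attrs in entries.items():
        if "nsds5replica" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue
        for bind_dn in attrs.get("nsds5replicabinddn", []) or [""]:
            target = entries.get(norm_dn(bind_dn))
            if not bind_dn:
                problems.append(f"{dn}: no nsDS5ReplicaBindDN set")
            elif target is None:
                problems.append(f"{bind_dn}: bind entry missing on consumer")
            elif not target.get("userpassword"):
                problems.append(f"{bind_dn}: bind entry has no userPassword")
    return problems

if __name__ == "__main__":
    print(check_consumer(CONSUMER_LDIF) or "replication bind entry present")
```

DNs are compared after normalization because LDAP treats `cn=Replication Manager, cn=config` and `cn=replication manager,cn=config` as the same entry; base64-encoded (`dn::`) DNs are not decoded by this sketch.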
