On 01/31/2014 01:55 PM, Todd Maugh wrote:
[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130356060672110578

I'd like to look at the debug output, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

The 389 errors log indicates "cannot connect" which usually means some sort of SSL error. Unfortunately the logging leaves something to be desired in the way of information necessary to diagnose and fix the problem.

If that doesn't help, let's take a look at your winsync agreement configuration:

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, January 31, 2014 12:39 PM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 12:16 PM, Todd Maugh wrote:
RE:

I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow-up replication.

Here is the log, tailed while I deleted the replication agreement, restarted the dirsrv and tried to set up the replication agreement:

Note that 389 does not use /etc/openldap/cacerts - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:14:09 +0000] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +0000] - All database threads now stopped
[31/Jan/2014:19:14:09 +0000] - slapd stopped.
[31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo....@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:14:12 +0000] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:15:18 +0000] - Waiting for 4 database threads to stop
[31/Jan/2014:19:15:18 +0000] - All database threads now stopped
[31/Jan/2014:19:15:18 +0000] - slapd stopped.
[31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo....@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:23 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:15:23 +0000] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:25 +0000] - Entry "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
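The errors log quoted in this thread mixes a transient problem (the GSSAPI bind to se-idm-02 fails at startup because the credentials cache is not there yet, then logs "auth resumed") with the persistent one Rich is chasing (the SIMPLE bind to qatestdc2 fails with TLS error -8179, "Peer's Certificate issuer is not recognized", i.e. the CA that issued the AD DC's certificate is not trusted by the 389 instance's cert database under /etc/dirsrv/slapd-YOUR-DOMAIN). The following triage script is an added example, not code from the thread, from 389 DS or from FreeIPA: it parses the "[timestamp] component - message" line format shown above, tracks the last bind state of each replication agreement, and counts startTLS failures, so that a recovered agreement is not mistaken for a broken one. The sample log is constructed from the lines quoted in the thread; the regular expressions assume the 1.2.x log format seen there.

```python
"""Triage helper for 389 Directory Server errors-log lines.

Added example (not part of the thread, 389 DS or FreeIPA). Parses the
"[timestamp] component - message" format quoted in the thread, extracts
replication-agreement bind failures/resumptions and startTLS failures, and
reports the last known state per agreement.
"""
import re

# Constructed sample, condensed from the errors log quoted in the thread.
SAMPLE_LOG = """\
[31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo....@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:23 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""

# "[ts] component - message"; the component is absent on lines like "- slapd started."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?:(?P<component>\S+) )?- (?P<msg>.*)$')
AGMT_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r'Replication bind with (?P<mech>\w+) auth (?P<state>failed|resumed)')
TLS_RE = re.compile(r'TLS error (?P<code>-?\d+):(?P<text>[^)]*)')
STARTTLS_RE = re.compile(r'could not send startTLS request: error (?P<code>-?\d+)')


def parse_line(line):
    """Split one errors-log line into ts, component (may be None) and msg."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Turn a parsed entry into an event dict, or None if not of interest."""
    msg = entry["msg"]
    a = AGMT_RE.search(msg)
    if a:
        event = {"ts": entry["ts"], "kind": "agmt_bind_" + a["state"],
                 "agmt": a["agmt"], "peer": a["peer"], "mech": a["mech"],
                 "tls_error": None, "detail": None}
        t = TLS_RE.search(msg)           # NSS error code, e.g. -8179 = untrusted issuer
        if t:
            event["tls_error"] = int(t["code"])
            event["detail"] = t["text"].strip()
        return event
    s = STARTTLS_RE.search(msg)
    if s and entry["component"] == "slapi_ldap_bind":
        return {"ts": entry["ts"], "kind": "starttls_failed", "code": int(s["code"])}
    return None


def events(log_text):
    """All events of interest, in log order."""
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            ev = classify(entry)
            if ev:
                out.append(ev)
    return out


def agreement_status(log_text):
    """Last known bind state per replication agreement (later lines win)."""
    status = {}
    for ev in events(log_text):
        if ev["kind"].startswith("agmt_bind_"):
            status[ev["agmt"]] = {"state": ev["kind"].rsplit("_", 1)[1],
                                  "peer": ev["peer"], "mech": ev["mech"],
                                  "tls_error": ev["tls_error"],
                                  "detail": ev["detail"], "ts": ev["ts"]}
    return status


def starttls_failure_count(log_text):
    """Number of 'could not send startTLS request' errors from slapi_ldap_bind."""
    return sum(1 for ev in events(log_text) if ev["kind"] == "starttls_failed")


if __name__ == "__main__":
    for agmt, st in agreement_status(SAMPLE_LOG).items():
        line = f"{agmt} -> {st['peer']} ({st['mech']}): {st['state']}"
        if st["tls_error"] is not None:
            line += f"  [TLS {st['tls_error']}: {st['detail']}]"
        print(line)
    print("startTLS failures:", starttls_failure_count(SAMPLE_LOG))
```

On the sample, the se-idm-02 agreement ends in state "resumed" and needs no action, while the qatestdc2 agreement stays "failed" with TLS -8179, which is the cue to check which CA certificates the 389 instance's cert directory actually trusts (the `ldapsearch -d 1 -ZZ` test with `LDAPTLS_CACERTDIR` pointed at that directory, as Rich suggests above, exercises the same trust store outside the server).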