ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsds5replicationagreement'

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 1:30 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 02:14 PM, Todd Maugh wrote:

I used the IPA directory manager password and got no output

[r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:

Very strange. Try this:

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsds5replicationagreement'

________________________________
From: Todd Maugh
Sent: Friday, January 31, 2014 1:11 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] can't create winsync replication

For the second command I do not have an account called directory manager, so I do not have a password.

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Friday, January 31, 2014 12:55 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can't create winsync replication

[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130356060672110578

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 12:39 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 12:16 PM, Todd Maugh wrote:

RE: I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow-up replication.

Here is the log tailed while I deleted the replication agreement, restarted the dirsrv and tried to set up the replication agreement.

Note that 389 does not use /etc/openldap/cacerts - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W

[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:14:09 +0000] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +0000] - All database threads now stopped
[31/Jan/2014:19:14:09 +0000] - slapd stopped.
[31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo....@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:14:12 +0000] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:15:18 +0000] - Waiting for 4 database threads to stop
[31/Jan/2014:19:15:18 +0000] - All database threads now stopped
[31/Jan/2014:19:15:18 +0000] - slapd stopped.
[31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo....@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:23 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:15:23 +0000] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:25 +0000] - Entry "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
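The errors log in this thread mixes a transient GSSAPI failure (the se-idm-02 agreement, which "resumed" seconds later) with a persistent one (the winsync agreement to qatestdc2, rejected with TLS error -8179 because the AD CA is not in the 389 DS NSS database). The following Python, added here and not part of the thread, parses NSMMReplicationPlugin bind events per agreement and reports only those whose latest outcome is still a failure; the sample lines are constructed from the log quoted above, and the hint texts and the suggested certutil check are ours, not from the posts.

```python
import re

# Constructed sample, modelled on the 389-ds errors-log lines quoted in the thread (not a live capture).
SAMPLE_LOG = """\
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""

# One replication-agreement bind event per line: agreement cn, peer host:port, SASL mech, outcome.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<peer>[^)]+)\): Replication bind with (?P<mech>\w+) auth '
    r'(?P<outcome>failed|resumed)(?P<detail>.*)$'
)

# Error substrings seen in the thread's log, mapped to the check an operator should make.
# The codes come from the quoted log; the hint wording is ours.
HINTS = {
    "TLS error -8179": "AD CA certificate not trusted by the 389 DS NSS db "
                       "(/etc/dirsrv/slapd-INSTANCE); check with certutil -L -d /etc/dirsrv/slapd-INSTANCE",
    "Credentials cache file": "GSSAPI bind attempted before the ticket cache exists; benign if a "
                              "'resumed' line follows, otherwise check the keytab and KDC",
}

def parse_agreements(log_text):
    """Return {agreement cn: state}, where state is the LAST bind outcome seen plus any matching hint."""
    state = {}
    for line in log_text.splitlines():
        m = AGMT_RE.match(line)
        if not m:
            continue  # startTLS/slapd lines carry no agreement name; the agmt= line has the TLS reason
        hint = next((h for sig, h in HINTS.items() if sig in m["detail"]), None)
        state[m["agmt"]] = {"peer": m["peer"], "mech": m["mech"],
                            "outcome": m["outcome"], "hint": hint}
    return state

def broken_agreements(log_text):
    """Agreements whose most recent bind event is still a failure: the ones worth alerting on."""
    return {k: v for k, v in parse_agreements(log_text).items() if v["outcome"] == "failed"}

if __name__ == "__main__":
    for agmt, info in broken_agreements(SAMPLE_LOG).items():
        print(f"{agmt} ({info['peer']}, {info['mech']}): {info['hint'] or 'see log detail'}")
```

Run against the sample, only the qatestdc2 winsync agreement is reported; the se-idm-02 agreement is dropped because its later "resumed" event supersedes the startup failure.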