On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote:
[root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
"cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
supersecretpassword --passsync supersecretpassword --cacert
/etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP error: Connect error]

Have you tried using ldapsearch to verify the connection?

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ \
    -h addc2.test.mycompany.net \
    -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" \
    -w "supersecretpassword" -s base \
    -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"

and/or

# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ \
    -h addc2.test.mycompany.net \
    -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" \
    -w "supersecretpassword" -s base \
    -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"

Both commands give the same successful result.  I don't think it's a
problem with the credentials because I was able to generate different
error messages during the attempted sync setup if I intentionally gave a
bad password or username.

Ok.  Have you tried enabling the replication log level?

http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Here is what happens when I run the above commands:

[root@ipadc1 cacerts]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM
ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad
sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s
base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
dn: cn=Users,dc=test,dc=mycompany,dc=net
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=test,DC=mycompany,DC=net
instanceType: 4
whenCreated: 20150515024307.0Z
whenChanged: 20150515024307.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: V9KaoufynkWbJpSo2PjxiA==
systemFlags: -1946157056
objectCategory:
CN=Container,CN=Schema,CN=Configuration,DC=test,DC=mycompany,DC=net
isCriticalSystemObject: TRUE
dSCorePropagationData: 20150515025646.0Z
dSCorePropagationData: 16010101000001.0Z

[root@ipadc1 cacerts]# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer
ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad
sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s
base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
dn: cn=Users,dc=test,dc=mycompany,dc=net
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=test,DC=mycompany,DC=net
instanceType: 4
whenCreated: 20150515024307.0Z
whenChanged: 20150515024307.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: V9KaoufynkWbJpSo2PjxiA==
systemFlags: -1946157056
objectCategory:
CN=Container,CN=Schema,CN=Configuration,DC=test,DC=mycompany,DC=net
isCriticalSystemObject: TRUE
dSCorePropagationData: 20150515025646.0Z
dSCorePropagationData: 16010101000001.0Z


