Even when enabling replication logging, I get nothing useful in logs:

[12/Feb/2016:14:57:00 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Trying secure startTLS
[12/Feb/2016:14:57:00 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): binddn = cn=replication manager,cn=config,  passwd = {AES-some_encrypted_password
[12/Feb/2016:14:57:01 +0100] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[12/Feb/2016:14:57:01 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) ((unknown error code))
[12/Feb/2016:14:57:01 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Disconnected from the consumer

But I can bind just fine manually:

ldapsearch -D "cn=replication manager,cn=config" -w some_password -b cn=config -h idm02 -ZZ

I am starting to be clueless. Does nobody have an idea what could be wrong?

- DNS including PTR records are set up fine
- /etc/hosts is set up fine
- conncheck passes fine between nodes
- I can bind manually just fine

On 2016/02/08 18:05, Filip Pytloun wrote:
> Hello,
> I have a weird issue setting up a FreeIPA replica. Conncheck passes fine
> but at the end of ipa-replica-install I always get the following error:
> slapi_ldap_bind - Error: could not send startTLS request: error -11
> (Connect error) errno 0 (Success)
> on both master and replica without any further explanation in logs.
> /etc/ldap.conf is correctly set up before ipa-replica-install and the IPA CA
> certificate is installed in the system CA bundle so TLS should work just
> fine.
> Also I can manually connect just fine from replica to master and back so
> it's not a network or LDAP client issue.
> Replica agreement looks like this: http://pastebin.com/FT3p3KUk
> freeipa-server 4.1.4
> 389-ds
> Does anyone have an idea where to look?
> Filip
