Hi Andrey,

It looks like you still did not create the replication manager entry. You must create that manager entry on the standalone server. Please read the link I sent you:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html

You can verify its existence by doing this search against the standalone server:

ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"

Mark

On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
> Hi!
> Thank you for the fast reply.
> Yes, I want to use a standalone 389DS to replicate from FreeIPA.
> Here is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
> nsds5ReplicaChangeCount: 22
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> So, my replica has the entry "cn=replication manager"
>
> But I tried to add the entry in the agreement. Unfortunately this did not help,
> the error is present:
> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDN
> nsds5ReplicaBindDN: cn=replication manager,cn=config
> replace nsds5ReplicaBindDN:
> cn=replication manager,cn=config
> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
> ^C
> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
> start
> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
> ^C
> [root@ldap1 ~]#
>
> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <[email protected]>:
>
> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>> Hi!
>>
>> I am trying to configure a manual replica from FreeIPA DS to 389 DS.
>> I have two VMs: ldap1.example.com and ldap2.example.com
>> I used this manual
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
>> to configure the replica
>>
>> There was a replica agreement before starting:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5ReplicationAgreement)
>> # requesting: ALL
>> #
>>
>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
>>  cn=config
>> objectClass: top
>> objectClass: nsds5replicationagreement
>> cn: ExampleAgreement
>> nsDS5ReplicaHost: ldap2
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=replication manager
>> nsDS5ReplicaBindMethod: SIMPLE
>> nsDS5ReplicaRoot: dc=example,dc=com
>> description: agreement between supplier1 and consumer1
>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis
>>  t
>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
>>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQUVJckpINmE0S3RFYl
>>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 19700101000000Z
>> nsds5replicaLastUpdateEnd: 19700101000000Z
>> nsds5replicaChangesSentSinceStartup:
>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s
>>  tartup
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 19700101000000Z
>> nsds5replicaLastInitEnd: 19700101000000Z
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries:
>>
>> These are the errors which I get when I start the replica:
>>
>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>> replace nsds5beginreplicarefresh:
>> start
>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>> ^C
> I'm assuming this is just a standalone 389 Directory Server you are trying to replicate to (not a freeIPA installation). If it is a freeipa installation, then you should use the freeipa CLI for setting up replication.
>
> The error 32 (no such object) you are getting is because the replica does not have an entry "cn=replication manager". Looking at the replication agreement:
>
> nsDS5ReplicaBindDN: cn=replication manager
>
> This is not a valid DN as there is no base suffix: For example, I would expect to see something like "cn=replication manager,cn=config"
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
> Regards,
> Mark
>>
>> Please help me fix this
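
Added example (not part of the thread, and not 389 DS or FreeIPA code): a shell check over saved ldapsearch output for the two things Mark points to, an agreement bind DN with no suffix and a bind entry missing on the consumer, plus whether the consumer's replica entry accepts that DN. The function names and the sample LDIF are constructed, and the input is assumed to be unfolded LDIF.

```shell
#!/bin/sh
# Added example: offline consistency check for a 389 DS replication bind DN.
# Input is saved, unfolded ldapsearch LDIF; all sample entries are constructed.

# Print the first value of attribute $1 (name matched case-insensitively).
ldif_attr() {
    awk -v want="$1" 'BEGIN { want = tolower(want) }
        { i = index($0, ": ")
          if (i > 1 && tolower(substr($0, 1, i - 1)) == want) {
              print substr($0, i + 2); exit } }'
}

# Normalise a DN for comparison: lower-case, no spaces around ',' or '='.
# Simplification: escaped commas inside RDN values are not handled.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g; s/ *= */=/g'
}

# check_bind_dn AGREEMENT REPLICA MANAGER
#   AGREEMENT: supplier's nsds5replicationagreement entry
#   REPLICA:   consumer's nsds5replica entry
#   MANAGER:   result of searching the consumer for the bind entry ("" if none)
# Returns 0 if consistent, 1 bare RDN, 2 not accepted by consumer, 3 no entry.
check_bind_dn() {
    agmt=$(norm_dn "$(printf '%s\n' "$1" | ldif_attr nsDS5ReplicaBindDN)")
    cons=$(norm_dn "$(printf '%s\n' "$2" | ldif_attr nsDS5ReplicaBindDN)")
    entry=$(norm_dn "$(printf '%s\n' "$3" | ldif_attr dn)")
    case "$agmt" in
        *,*) ;;
        *) echo "agreement bind DN '$agmt' has no suffix"; return 1 ;;
    esac
    if [ "$agmt" != "$cons" ]; then
        echo "consumer replica accepts '$cons', agreement binds as '$agmt'"
        return 2
    fi
    if [ "$entry" != "$agmt" ]; then
        echo "no entry '$agmt' on the consumer (bind fails with error 32)"
        return 3
    fi
    echo "ok: $agmt"
}

# Constructed samples modelled on the entries quoted in this thread.
AGMT_OLD='dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: cn=replication manager'
AGMT_NEW='dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: cn=replication manager,cn=config'
REPLICA='dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: cn=replication manager,cn=config'
MANAGER='dn: cn=Replication Manager, cn=config
cn: replication manager'

check_bind_dn "$AGMT_NEW" "$REPLICA" "" || true   # state after the ldapmodify
```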
