On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
> Hi, Mark!
>
> Thanks for explain. Now I create replication manager: (I hope)
> [root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
> Enter LDAP Password:
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ==
>
> What is next? I use manual from 8 version and this a bit obsoleted.

Now you should be able to initialize your standalone server by updating the agreement on the ipa DS:

dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start

If something goes wrong let us know what's in the errors log again.

Mark

>
> 2016-08-31 19:30 GMT+03:00 Mark Reynolds <marey...@redhat.com>:
>
> Hi Andrey,
>
> It looks like you still did not create the replication manager
> entry. You must create that manager entry on the standalone
> server. Please read the link I sent you:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
> You can verify its existence by doing this search against the
> standalone server:
>
> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>
> Mark
>
>
> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>> Hi!
>> Thank you for fast reply.
>> Yes, I want use standalone 389DS to replica from FreeIPA.
>> There is my replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 22
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> So, my replica have entry "cn=replication manager"
>>
>> But I try add entry in agreement. Unfortunately this is not help,
>> error is present:
>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5ReplicaBindDN
>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>> replace nsds5ReplicaBindDN:
>> cn=replication manager,cn=config
>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started.
>> Listening on All Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>> ^C
>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>> replace nsds5beginreplicarefresh:
>> start
>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>> modify complete
>>
>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] - slapd started.
>> Listening on All Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> ^C
>> [root@ldap1 ~]#
>>
>>
>> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <marey...@redhat.com>:
>>
>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>> Hi!
>>>
>>> I try configure manual replica from FreeIPA DS to 389 DS.
>>> I have two VM: ldap1.example.com and ldap2.example.com
>>> I was used this manual
>>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
>>> for configure replica
>>>
>>> There was replica agreement before starting:
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (objectclass=nsds5ReplicationAgreement)
>>> # requesting: ALL
>>> #
>>>
>>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
>>>  cn=config
>>> objectClass: top
>>> objectClass: nsds5replicationagreement
>>> cn: ExampleAgreement
>>> nsDS5ReplicaHost: ldap2
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaBindDN: cn=replication manager
>>> nsDS5ReplicaBindMethod: SIMPLE
>>> nsDS5ReplicaRoot: dc=example,dc=com
>>> description: agreement between supplier1 and consumer1
>>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis
>>>  t
>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>>>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
>>>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQUVJckpINmE0S3RFYl
>>>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>>> nsds5replicareapactive: 0
>>> nsds5replicaLastUpdateStart: 19700101000000Z
>>> nsds5replicaLastUpdateEnd: 19700101000000Z
>>> nsds5replicaChangesSentSinceStartup:
>>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s
>>>  tartup
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5replicaLastInitStart: 19700101000000Z
>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries:
>>>
>>>
>>> There is errors which I get when start replica:
>>>
>>>
>>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5beginreplicarefresh
>>> nsds5beginreplicarefresh: start
>>> replace nsds5beginreplicarefresh:
>>> start
>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>> modify complete
>>>
>>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>> ^C
>> I'm assuming this is just a standalone 389 Directory Server
>> you are trying to replicate to (not a freeIPA installation).
>> If it is a freeipa installation, then you should use the
>> freeipa CLI for setting up replication.
>>
>> The error 32 (no such object) you are getting is because the
>> replica does not have an entry "cn=replication manager".
>> Looking at the replication agreement:
>>
>> nsDS5ReplicaBindDN: cn=replication manager
>>
>> This is not a valid DN as there is no base suffix: For
>> example, I would expect to see something like "cn=replication
>> manager,cn=config"
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>
>> Regards,
>> Mark
>>>
>>> Please help me fix this

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
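
Added example (not part of the original thread, and not 389 DS or FreeIPA code): a Python check for the two causes of the "error 32 (No such object)" replication bind failure diagnosed above, namely a bind DN in the agreement with no base suffix and a bind entry that does not exist on the consumer. The function names, the default suffix list and the idea of feeding it saved ldapsearch output are assumptions; the sample input is constructed from values quoted in the thread.

```python
import re

def parse_entry(ldif):
    """Parse one LDIF entry into {attr: [values]}, unfolding RFC 2849 continuation lines."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif.strip()).splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.lstrip(": "))
    return entry

def norm_dn(dn):
    """Lower-case a DN and trim each RDN (simplified: splits on unescaped commas only)."""
    return ",".join(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))

def check_bind_dn(agreement, consumer_replica, consumer_dns, suffixes=("cn=config",)):
    """List the reasons the supplier's replication bind would fail with error 32."""
    problems = []
    bind_dn = norm_dn(agreement["nsds5replicabinddn"][0])
    if not any(bind_dn.endswith("," + s) for s in suffixes):
        problems.append("bind DN has no base suffix")
    if bind_dn not in {norm_dn(d) for d in consumer_replica.get("nsds5replicabinddn", [])}:
        problems.append("bind DN not listed in consumer nsDS5ReplicaBindDN")
    if bind_dn not in {norm_dn(d) for d in consumer_dns}:  # DNs found by ldapsearch on the consumer
        problems.append("bind entry does not exist on consumer")
    return problems

def failed_bind_ids(errors_log):
    """Pull the bind DNs out of slapi_ldap_bind 'error 32' lines in the errors log."""
    pattern = r"slapi_ldap_bind - Error: could not bind id \[([^\]]+)\].*?error 32"
    return re.findall(pattern, errors_log)

# Constructed sample input, trimmed from the entries and log lines quoted in the thread.
AGREEMENT = r"""
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
 cn=config
nsDS5ReplicaBindDN: cn=replication manager
"""
CONSUMER_REPLICA = r"""
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""
ERRORS_LOG = """
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
"""

if __name__ == "__main__":
    print(check_bind_dn(parse_entry(AGREEMENT), parse_entry(CONSUMER_REPLICA), consumer_dns=[]))
```

Passing the DNs returned by the "cn=replication manager" search on the consumer as `consumer_dns` separates the two stages seen in the log: the 13:38:01 failure uses a bare RDN, while the 15:48:36 failure uses a full DN whose entry is still missing.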