Hi, Alexander!

Thanks for the fast reply. I have the replication manager object:

filter: (objectclass=organizationalPerson)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=organizationalPerson)
# requesting: ALL
#

# replication manager, config
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But the error is present.

2016-09-01 7:14 GMT+03:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi!
>> Thanks for your advice!
>> I try to start the replica and get these errors in the log:
>> [01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>
> You've been told already that you should have the replication manager object
> created at both sides. Your 'cn=replication manager,cn=config' does not
> exist at the replica.
>
> You should read the RHDS Administration Guide, at least the part about the
> supplier bind DN entry, but preferably the whole chapter it is part of:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
>> This is my current replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwAAAAAAAADqnMdXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 118
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> This is my current agreement:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (objectclass=nsds5ReplicationAgreement)
>> # requesting: ALL
>> #
>>
>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replicationagreement
>> cn: ExampleAgreement
>> nsDS5ReplicaHost: ldap2
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5ReplicaBindMethod: SIMPLE
>> nsDS5ReplicaRoot: dc=example,dc=com
>> description: agreement between supplier1 and consumer1
>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>> nsDS5ReplicaCredentials:
>> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkw
>> ek5qRmxNalkxWkFBQ
>> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ
>> U1Dc25vTkVzZVJ4b3
>> N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 19700101000000Z
>> nsds5replicaLastUpdateEnd: 19700101000000Z
>> nsds5replicaChangesSentSinceStartup:
>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 20160901032423Z
>> nsds5replicaLastInitEnd: 19700101000000Z
>> nsds5replicaLastInitStatus: 32 - LDAP error: No such object
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I tried to delete the agreement, replica, user and changelog and create them again. This
>> did not help, same error:
>>
>> [01/Sep/2016:03:42:37 +0000] NSMMReplicationPlugin - agmt_delete: begin
>> [01/Sep/2016:03:45:35 +0000] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica dc=example,dc=com is no longer valid since the replica config is being deleted. Removing the changelog.
>> [01/Sep/2016:03:53:18 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>> [01/Sep/2016:03:53:18 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>
>> 2016-08-31 20:09 GMT+03:00 Mark Reynolds <marey...@redhat.com>:
>>
>>> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
>>>
>>> Hi, Mark!
>>>
>>> Thanks for the explanation.
>>> Now I have created the replication manager (I hope):
>>> [root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>>> Enter LDAP Password:
>>> dn: cn=replication manager,cn=config
>>> objectClass: inetorgperson
>>> objectClass: person
>>> objectClass: top
>>> objectClass: organizationalPerson
>>> cn: replication manager
>>> sn: RM
>>> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSU
>>> dCNWJtV3RzOElNQXBhakhXam94WlE9PQ=
>>> =
>>>
>>> What is next? I use the manual for version 8 and it is a bit obsolete.
>>>
>>> Now you should be able to initialize your standalone server by updating
>>> the agreement on the ipa DS:
>>>
>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5beginreplicarefresh
>>> nsds5beginreplicarefresh: start
>>>
>>> If something goes wrong let us know what's in the errors log again.
>>>
>>> Mark
>>>
>>> 2016-08-31 19:30 GMT+03:00 Mark Reynolds <marey...@redhat.com>:
>>>
>>> Hi Andrey,
>>>>
>>>> It looks like you still did not create the replication manager entry.
>>>> You must create that manager entry on the standalone server. Please read
>>>> the link I sent you:
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>>
>>>> You can verify its existence by doing this search against the standalone
>>>> server:
>>>>
>>>> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>>>>
>>>> Mark
>>>>
>>>> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>>>>
>>>> Hi!
>>>> Thank you for the fast reply.
>>>> Yes, I want to use a standalone 389DS to replicate from FreeIPA.
>>>> Here is my replica:
>>>> filter: (objectclass=nsds5replica)
>>>> requesting: All userApplication attributes
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope subtree
>>>> # filter: (objectclass=nsds5replica)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>> objectClass: top
>>>> objectClass: nsds5replica
>>>> objectClass: extensibleObject
>>>> cn: replica
>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>> nsDS5ReplicaId: 7
>>>> nsDS5ReplicaType: 3
>>>> nsDS5Flags: 1
>>>> nsds5ReplicaPurgeDelay: 604800
>>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>>> nsState:: BwAAAAAAAABZ98ZXAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
>>>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>>>> nsds5ReplicaChangeCount: 22
>>>> nsds5replicareapactive: 0
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> So, my replica has the entry "cn=replication manager"
>>>>
>>>> But I tried to add the entry in the agreement. Unfortunately this did not help, the error
>>>> is present:
>>>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5ReplicaBindDN
>>>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>>>> replace nsds5ReplicaBindDN:
>>>> cn=replication manager,cn=config
>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>> modify complete
>>>>
>>>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>> ^C
>>>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5beginreplicarefresh
>>>> nsds5beginreplicarefresh: start
>>>> replace nsds5beginreplicarefresh:
>>>> start
>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>> modify complete
>>>>
>>>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>> [31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>> ^C
>>>> [root@ldap1 ~]#
>>>>
>>>> 2016-08-31 18:15 GMT+03:00 Mark Reynolds <marey...@redhat.com>:
>>>>
>>>>> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> I am trying to configure a manual replica from FreeIPA DS to 389 DS.
>>>>> I have two VMs: ldap1.example.com and ldap2.example.com
>>>>> I used this manual https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html to configure the replica
>>>>>
>>>>> This was the replica agreement before starting:
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <cn=config> with scope subtree
>>>>> # filter: (objectclass=nsds5ReplicationAgreement)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>>>>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>>> objectClass: top
>>>>> objectClass: nsds5replicationagreement
>>>>> cn: ExampleAgreement
>>>>> nsDS5ReplicaHost: ldap2
>>>>> nsDS5ReplicaPort: 389
>>>>> nsDS5ReplicaBindDN: cn=replication manager
>>>>> nsDS5ReplicaBindMethod: SIMPLE
>>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>>> description: agreement between supplier1 and consumer1
>>>>> nsDS5ReplicaUpdateSchedule: 0000-0500 1
>>>>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
>>>>> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQ
>>>>> m1NRVVHQ1NxR1NJYjNEUUVG
>>>>> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmk
>>>>> wek5qRmxNalkxWkFBQ
>>>>> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJC
>>>>> QUVJckpINmE0S3RFYl
>>>>> NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
>>>>> nsds5replicareapactive: 0
>>>>> nsds5replicaLastUpdateStart: 19700101000000Z
>>>>> nsds5replicaLastUpdateEnd: 19700101000000Z
>>>>> nsds5replicaChangesSentSinceStartup:
>>>>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
>>>>> nsds5replicaUpdateInProgress: FALSE
>>>>> nsds5replicaLastInitStart: 19700101000000Z
>>>>> nsds5replicaLastInitEnd: 19700101000000Z
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries:
>>>>>
>>>>> These are the errors which I get when I start the replica:
>>>>>
>>>>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>>>>> ldap_initialize( ldap://ldap1.example.com:389 )
>>>>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
>>>>> changetype: modify
>>>>> replace: nsds5beginreplicarefresh
>>>>> nsds5beginreplicarefresh: start
>>>>> replace nsds5beginreplicarefresh:
>>>>> start
>>>>> modifying entry "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
>>>>> modify complete
>>>>>
>>>>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>>>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>>> [31/Aug/2016:11:11:09 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>>>>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
>>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
>>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com
>>>>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin initialization.
>>>>> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>>> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
>>>>> ^C
>>>>>
>>>>> I'm assuming this is just a standalone 389 Directory Server you are
>>>>> trying to replicate to (not a freeIPA installation). If it is a freeipa
>>>>> installation, then you should use the freeipa CLI for setting up
>>>>> replication.
>>>>>
>>>>> The error 32 (no such object) you are getting is because the replica
>>>>> does not have an entry "cn=replication manager". Looking at the
>>>>> replication agreement:
>>>>>
>>>>> nsDS5ReplicaBindDN: cn=replication manager
>>>>>
>>>>> This is not a valid DN as there is no base suffix: For example, I would
>>>>> expect to see something like "cn=replication manager,cn=config"
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>>>>
>>>>> Regards,
>>>>> Mark
>>>>>
>>>>> Please help me fix this
>>>>>
> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> / Alexander Bokovoy
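Added example (not part of the original thread and not code from the 389 DS or FreeIPA projects): in the log lines quoted above, the failed bind is made to the host named in the agreement line, ldap2:389, so that is where the bind DN entry has to be looked up. The sketch below pairs each slapi_ldap_bind error with the agreement line that follows it and prints the lookup to run on that consumer. The function names are hypothetical; the log format, the -h/-p options and the "cn=directory manager" bind identity are assumed from the commands and logs in the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: find where a replication bind DN is missing.

# Two errors-log lines from the thread, with the e-mail line wraps rejoined.
SAMPLE_LOG='[01/Sep/2016:03:24:23 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[01/Sep/2016:03:24:23 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()'

# failed_binds (hypothetical helper): read an errors log on stdin and print one
# "host<TAB>port<TAB>ldap_error<TAB>bind_dn" line per failed replication bind.
failed_binds() {
  awk '
    /slapi_ldap_bind - Error: could not bind id \[/ {
      # The bind DN is the first bracketed value after "could not bind id".
      dn = $0; sub(/.*could not bind id \[/, "", dn); sub(/\].*/, "", dn)
      next
    }
    /NSMMReplicationPlugin - agmt=.*Replication bind with .* failed/ {
      if (dn == "") next   # no preceding bind error to pair with
      # The agreement line names the consumer the supplier tried to bind to.
      hp = $0; sub(/.*" \(/, "", hp); sub(/\).*/, "", hp)
      split(hp, a, ":")
      err = $0; sub(/.*LDAP error /, "", err); sub(/ .*/, "", err)
      printf "%s\t%s\t%s\t%s\n", a[1], a[2], err, dn
      dn = ""
    }
  '
}

# consumer_checks (hypothetical helper): for every bind that failed with LDAP
# error 32, print the lookup to run on the consumer from the agreement line.
consumer_checks() {
  failed_binds | sort -u | while IFS="$(printf '\t')" read -r host port err dn; do
    [ "$err" = "32" ] || continue
    case "$dn" in
      *,*) printf 'ldapsearch -h %s -p %s -xLLL -D "cn=directory manager" -W -b "%s" -s base "(objectClass=*)" 1.1\n' "$host" "$port" "$dn" ;;
      *)   printf '# bind DN "%s" has no suffix such as cn=config; correct nsDS5ReplicaBindDN first\n' "$dn" ;;
    esac
  done
}

# Print the checks for the sample when the script is run directly.
printf '%s\n' "$SAMPLE_LOG" | consumer_checks
```

On the supplier, feed it the real log with `consumer_checks < /var/log/dirsrv/slapd-EXAMPLE-COM/errors`; a "No such object" answer from the printed ldapsearch means the entry is absent on that consumer.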