Hi guys,

Our current setup consists of 3 replicated FreeIPA servers in a master-master configuration. What we are currently trying to do is add a standalone 389-ds on our mail server, which should only read-only-replicate cn=accounts,dc=ipa,dc=example,dc=com, so that our mail server has a local LDAP cache (for alias/mailbox mapping in Postfix/Dovecot) and we can add a local LDAP address book to our mail server without needing to have it on our IPA servers.

Our environment is:

3 free-ipa servers
(centos7, 389-ds-base.x86_64

1 Mailserver
(debian stretch, 389-ds

What we did:

Basically following this guide:

on consumer (our mailserver):
First we created the missing root (cn=accounts,dc=ipa,dc=example,dc=com) by hand.

# readonly replication manager
dn: cn=readonly replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: readonly replication manager
sn: RORM
userPassword: NotTheRealPassword
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Replication Entry:

# no dc=ipa in the dn!
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaid: 65535
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5replicatype: 2
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 1

# on supplier (one of our IPA-servers)
# on our IPA-servers, dc=ipa is included
dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: accounts2hermes
nsds5replicahost: mail.example.com
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
description: replicate cn=accounts from ipa to hermes
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
nsds5replicacredentials: notTheRealButSameAsAbove
nsds5ReplicaIgnoreMissingChange: once
nsds5BeginReplicaRefresh: start

After some log entries regarding the schema versions, we stopped the consumer and copied the schema from the supplier to the consumer by hand. This fixed most of the noise in the log, but we are still getting the following error:

[18/May/2017:10:23:41.311816674 +0200] NSMMReplicationPlugin - agmt="cn=accountsToMail" (mail:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

Of course, we tried to re-initialize the remote replica with:

dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

What are we missing?

Best regards,


Bernhard Kneip

E-Mail: bernhard.kn...@isa.de.com
Tel: +49(0)3677/46929-144
Internet: www.isa.de.com

ISA Institut für Serviceautomation GmbH & Co. KG
Ziolkowskistraße 8, 98693 Ilmenau
Amtsgericht Jena, HRA 301735
Personally liable general partner: ISA GmbH
Amtsgericht Jena, HRB 306708
Managing directors: Dr.-Ing. Walther Spies, Dipl.-Ing. (FH) Peter Mayer
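As an added example (not part of the original post or of 389-ds itself): a small Python script that compares the replica generation IDs of supplier and consumer, which is the value behind the "different database generation ID" message. 389-ds stores it in the `nsds50ruv` attribute of the RUV tombstone entry under each replicated suffix; the two `ldapsearch` outputs below are constructed samples, and the host names are assumed.

```python
import re

GEN_RE = re.compile(r"^\{replicageneration\}\s+(\S+)$")
REPLICA_RE = re.compile(r"^\{replica (\d+)(?: (\S+))?\}(?:\s+(\S+))?(?:\s+(\S+))?$")

# Constructed sample output (not from the poster's servers) of
#   ldapsearch -LLL -b cn=accounts,dc=ipa,dc=example,dc=com \
#     "(&(objectclass=nstombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))" nsds50ruv
# on the supplier and on the consumer; long values are folded as ldapsearch prints them.
SUPPLIER_RUV = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,cn=accounts,dc=ipa,dc=example,dc=com
nsds50ruv: {replicageneration} 591d5f2a000000040000
nsds50ruv: {replica 4 ldap://ipa1.example.com:389} 591d5f2f000000040000 591d6a10
 000100040000
nsds50ruv: {replica 5 ldap://ipa2.example.com:389} 591d6001000000050000 591d6a0c000000050000
"""
CONSUMER_RUV = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,cn=accounts,dc=ipa,dc=example,dc=com
nsds50ruv: {replicageneration} 591d7c33000000000000
nsds50ruv: {replica 65535 ldap://mail.example.com:389}
"""

def parse_ruv(ldif):
    """Return the generation ID and per-replica (url, min_csn, max_csn) from nsds50ruv values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # unfold an LDIF continuation line
        else:
            lines.append(raw)
    ruv = {"generation": None, "replicas": {}}
    for line in lines:
        if not line.startswith("nsds50ruv:"):
            continue
        value = line.split(":", 1)[1].strip()
        if m := GEN_RE.match(value):
            ruv["generation"] = m.group(1)
        elif m := REPLICA_RE.match(value):
            ruv["replicas"][int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return ruv

def diagnose(supplier_ldif, consumer_ldif):
    """Classify the consumer relative to the supplier feeding it: every replica of a
    suffix must share the supplier's {replicageneration}, else incremental updates stop."""
    sup, con = parse_ruv(supplier_ldif), parse_ruv(consumer_ldif)
    if con["generation"] is None:
        return "consumer-uninitialized"   # no RUV yet: a total update never completed
    if sup["generation"] != con["generation"]:
        return "generation-mismatch"      # consumer DB was seeded from another source
    return "ok"
```

A "generation-mismatch" result means a successful total update (nsds5BeginReplicaRefresh: start) from the supplier is required, and the agreement's nsds5replicaLastInitStatus is the place to look if that refresh keeps failing.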


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project