Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 12:59 PM, Todd Maugh wrote:
> Please help, I'm stuck trying to finish this winsync agreement.
>
> [r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ipa-replica-manage connect --winsync --binddn "cn=idm admin,cn=Users,dc=boingoqa,dc=local" --bindpw *** --passsync --cacert=/etc/openldap/cacerts/boingoqaCA.cer qatestdc2.boingoqa.local -v
> Directory Manager password:
> Added CA certificate /etc/openldap/cacerts/boingoqaCA.cer to certificate database for se-idm-01.boingo.com
> ipa: INFO: AD Suffix is: DC=boingoqa,DC=local
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [se-idm-01.boingo.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
> Failed to start replication

Some DS level logs might help.

Also, may it be a firewall issue? A FW resetting the connection or something like that?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] can't create winsync replication

> I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow up replication.

Here is the log, tailed while I deleted the replication agreement, restarted the dirsrv and tried to set up the replication agreement:

[31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:14:09 +] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:14:09 +] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +] - All database threads now stopped
[31/Jan/2014:19:14:09 +] - slapd stopped.
[31/Jan/2014:19:14:12 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +] NSMMReplicationPlugin - agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:12 +] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:14:12 +] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:14:16 +] NSMMReplicationPlugin - agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:18 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:15:18
Re: [Freeipa-users] can't create winsync replication

[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAUV0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 130356060672110578

From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 12:39 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 12:16 PM, Todd Maugh wrote:
>> I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow up replication.
>
> Here is the log, tailed while I deleted the replication agreement, restarted the dirsrv and tried to set up the replication agreement:

Note that 389 does not use /etc/openldap/cacerts - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W

> [31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [...]
Re: [Freeipa-users] can't create winsync replication

Thank you for the reply. Here is the output of the first command. I'm going to run the second now and will reply with that as well.

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
ldap_create
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.194.55.48:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x260a160 msgid 1
wait4msg ld 0x260a160 msgid 1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 1 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
  refcnt: 2 status: Connected
  last used: Fri Jan 31 21:07:43 2014

** ld 0x260a160 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 1 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x260a160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg: mark request completed, ld 0x260a160 msgid 1
request done: ld 0x260a160 msgid 1
res_errno: 0, res_error: , res_matched:
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x260a160 msgid 2
wait4msg ld 0x260a160 msgid 2 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 2 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
  refcnt: 2 status: Connected
  last used: Fri Jan 31 21:07:50 2014

** ld 0x260a160 Outstanding Requests:
 * msgid 2, origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 2 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x260a160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg: mark request completed, ld 0x260a160 msgid 2
request done: ld 0x260a160 msgid 2
res_errno: 0, res_error: , res_matched:
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: objectclass=*
put_filter: default
put_simple_filter: objectclass=*
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 85 bytes to sd 3
ldap_result ld 0x260a160 msgid -1
wait4msg ld 0x260a160 msgid -1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid -1 all 0
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
  refcnt: 2 status: Connected
  last used: Fri Jan 31 21:07:50 2014

** ld 0x260a160 Outstanding Requests:
 * msgid 3, origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid -1 all 0
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x260a160 msgid 3 message type
Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 01:55 PM, Todd Maugh wrote:
> [r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
> Enter LDAP Password:
> dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> [...]

I'd like to look at the debug output, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

The 389 errors log indicates cannot connect, which usually means some sort of SSL error. Unfortunately the logging leaves something to be desired in the way of information necessary to diagnose and fix the problem.

If that doesn't help, let's take a look at your winsync agreement configuration:

ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Friday, January 31, 2014 12:39 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] can't create winsync replication
> [...]
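The reply above says the errors log's "-11 (Connect error)" on the startTLS request usually hides a TLS failure, and the earlier reply points out that 389-ds takes its CA trust from /etc/dirsrv/slapd-INSTANCE, not /etc/openldap/cacerts. The ldapsearch -d 1 trace already posted shows the NSS error the server log does not: -8179 is SEC_ERROR_UNKNOWN_ISSUER, meaning the store the client used has no trusted CA for the issuer the DC presented (CN=SKYWARPCA,DC=boingoqa,DC=local). The script below is an added example, not code from this thread or from the FreeIPA/389-ds projects. It does offline what the thread does by hand: it counts the startTLS failures in an errors-log excerpt, tells a transient GSSAPI bind failure at slapd start (the kind that "resumed" four seconds later above) apart from a persistent one, and checks whether the CA you installed is the issuer named in the handshake. It then prints the live checks to run on the IPA server. The instance name, hostnames, CA path and the sample log lines (timezone written as +0000) are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from FreeIPA/389-ds).
# Instance name, hosts and paths are assumptions; change them for your site.

INSTANCE="${INSTANCE:-slapd-BOINGO-COM}"
NSSDB="/etc/dirsrv/$INSTANCE"               # the trust store 389-ds actually uses for outbound TLS
AD_HOST="${AD_HOST:-qatestdc2.boingoqa.local}"
AD_CA_PEM="${AD_CA_PEM:-/etc/openldap/cacerts/boingoqaCA.cer}"   # the file passed to --cacert

# Constructed sample in the shape of the errors log quoted in the thread.
SAMPLE_LOG='[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with GSSAPI auth resumed'

# count_starttls_failures LOG -> number of "could not send startTLS request" lines (0 is a valid answer)
count_starttls_failures() {
    printf '%s\n' "$1" | grep -c 'could not send startTLS request' || true
}

# gssapi_bind_state LOG -> "resumed" when the last GSSAPI replication-bind event is a recovery
# (startup noise: the credential cache was not there yet when slapd started), "failed" when it
# never recovered, "none" when the log has no such event.
gssapi_bind_state() {
    last=$(printf '%s\n' "$1" | grep 'Replication bind with GSSAPI auth' | tail -n 1)
    case "$last" in
        *resumed*) echo resumed ;;
        *failed*)  echo failed ;;
        *)         echo none ;;
    esac
}

# normalize_dn DN -> lowercase with no whitespace around commas, so DNs printed by different
# tools (ldapsearch -d 1, openssl x509 -nameopt RFC2253) compare equal.
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# issuer_matches PEER_ISSUER CA_SUBJECT -> exit 0 when the CA on disk is the issuer the DC presented.
# PEER_ISSUER is the "issuer:" field of the "TLS certificate verification:" trace line;
# CA_SUBJECT comes from: openssl x509 -in "$AD_CA_PEM" -noout -subject -nameopt RFC2253
issuer_matches() {
    [ "$(normalize_dn "$1")" = "$(normalize_dn "$2")" ]
}

# Live checks need the network and the real instance, so they are printed, not run.
print_live_checks() {
    cat <<EOF
# 1. Is a CA trusted for servers (flags C or CT) for the DC's issuer in the store 389-ds uses?
certutil -L -d $NSSDB
# 2. Does the DC's chain validate against the CA file you gave --cacert? (LDAPS, any OpenSSL)
openssl s_client -connect $AD_HOST:636 -CAfile $AD_CA_PEM </dev/null 2>&1 | grep -E 'Verify return code|issuer='
# 3. The same StartTLS handshake the agreement makes on 389, anonymously against the rootDSE:
LDAPTLS_CACERTDIR=$NSSDB ldapsearch -d 1 -LLLx -ZZ -H ldap://$AD_HOST -b '' -s base 'objectclass=*' dn 2>&1 | grep '^TLS'
EOF
}

main() {
    echo "startTLS failures in sample log: $(count_starttls_failures "$SAMPLE_LOG")"
    echo "GSSAPI replication bind state:   $(gssapi_bind_state "$SAMPLE_LOG")"
    if issuer_matches 'CN=SKYWARPCA,DC=boingoqa,DC=local' 'CN=SKYWARPCA, DC=boingoqa, DC=local'; then
        echo "issuer check: CA subject matches the issuer the DC presented"
    fi
    print_live_checks
}
main
```

If certutil reports an unrecognised database on a newer NSS, the instance may still use the old cert8.db format; point it at `dbm:/etc/dirsrv/slapd-INSTANCE` instead. A CA that is present but carries no C flag, or whose subject does not equal the issuer in the trace, produces exactly the -8179 seen in the posted output, while the server side only ever logs the -11 connect error. Separately, the LDIF above shows the account the agreement binds with is a member of Enterprise Admins, Account Operators and Domain Controllers; whatever rights winsync needs in your AD, a compromise of the IPA server then hands over the forest, so scope that account to the sync subtree before putting the agreement into production.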
Re: [Freeipa-users] can't create winsync replication

For the second command, I do not have an account called directory manager, so I do not have a password:

ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Friday, January 31, 2014 12:55 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can't create winsync replication

> [r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
> Enter LDAP Password:
> dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> [...]
Re: [Freeipa-users] can't create winsync replication

I used the IPA Directory Manager password and got no output:

[r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:

From: Todd Maugh
Sent: Friday, January 31, 2014 1:11 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] can't create winsync replication

> For the second command, I do not have an account called directory manager, so I do not have a password:
>
> ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> [...]
Re: [Freeipa-users] cant create winsync reolication
On 01/31/2014 02:09 PM, Todd Maugh wrote:
> thank you for the reply. here is the output of the first command. I'm going to run the second now and will reply with that as well
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b cn=idm admin,cn=users,dc=boingoqa,dc=local -D cn=idm admin,cn=users,dc=boingoqa,dc=local -W 'objectclass=*' dn
> ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
> ldap_create
> ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.194.55.48:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x260a160 msgid 1
> wait4msg ld 0x260a160 msgid 1 (infinite timeout)
> wait4msg continue ld 0x260a160 msgid 1 all 1
> ** ld 0x260a160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 21:07:43 2014
>
> ** ld 0x260a160 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x260a160 request count 1 (abandoned 0)
> ** ld 0x260a160 Response Queue:
>    Empty
>   ld 0x260a160 response count 0
> ldap_chkResponseList ld 0x260a160 msgid 1 all 1
> ldap_chkResponseList returns ld 0x260a160 NULL
> ldap_int_select
> read1msg: ld 0x260a160 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 40 contents:
> read1msg: ld 0x260a160 msgid 1 message type extended-result
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x260a160 0 new referrals
> read1msg:  mark request completed, ld 0x260a160 msgid 1
> request done: ld 0x260a160 msgid 1
> res_errno: 0, res_error: , res_matched:
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result
> ber_scanf fmt ({eAA) ber:
> ber_scanf fmt (a) ber:
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (x) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
> TLS: loaded CA certificate file /etc/ipa/ca.crt.

Can you provide your /etc/openldap/ldap.conf?

> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?

> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush2: 65 bytes to sd 3
> ldap_result ld 0x260a160 msgid 2
> wait4msg ld 0x260a160 msgid 2 (infinite timeout)
> wait4msg continue ld 0x260a160 msgid 2 all 1
> ** ld 0x260a160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 21:07:50 2014
>
> ** ld 0x260a160 Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x260a160 request count 1 (abandoned 0)
> ** ld 0x260a160 Response Queue:
>    Empty
>   ld 0x260a160 response count 0
> ldap_chkResponseList ld 0x260a160 msgid 2 all 1
> ldap_chkResponseList returns ld 0x260a160 NULL
> ldap_int_select
> read1msg: ld 0x260a160 msgid 2 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 16 contents:
> read1msg: ld 0x260a160 msgid 2 message type bind
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x260a160 0 new referrals
> read1msg:  mark request completed, ld 0x260a160 msgid 2
> request done: ld 0x260a160 msgid 2
> res_errno: 0, res_error: , res_matched:
> ldap_free_request (origid 2, msgid 2)
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_search_ext
> put_filter: objectclass=*
> put_filter: default
> put_simple_filter: objectclass=*
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 85 bytes to sd 3
> ldap_result ld 0x260a160 msgid -1
> wait4msg ld 0x260a160 msgid -1 (infinite timeout)
> wait4msg continue ld 0x260a160 msgid -1 all 0
> ** ld 0x260a160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 21:07:50 2014
>
> ** ld 0x260a160 Outstanding Requests:
>  * msgid 3,  origid 3, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x260a160 request count 1 (abandoned 0)
> ** ld 0x260a160
Re: [Freeipa-users] can't create winsync replication
On 01/31/2014 02:14 PM, Todd Maugh wrote:
> I used the IPA directory manager password and got no output
>
> [r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b cn=config -D cn=directory manager -W 'objectclass=nsdswindowsreplicationagreement' dn
> Enter LDAP Password:

Very strange. Try this:

ldapsearch -LLLx -b cn=config -D cn=directory manager -W 'objectclass=nsds5replicationagreement'

> From: Todd Maugh
> Sent: Friday, January 31, 2014 1:11 PM
> To: Rich Megginson; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] can't create winsync replication
>
> For the second Command I do not have an account called directory manager, so I do not have a password
>
> ldapsearch -LLLx -b cn=config -D cn=directory manager -W 'objectclass=nsdswindowsreplicationagreement' dn
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
> Sent: Friday, January 31, 2014 12:55 PM
> To: Rich Megginson; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] can't create winsync replication
>
> [r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b cn=idm admin,cn=users,dc=boingoqa,dc=local -D cn=idm admin,cn=users,dc=boingoqa,dc=local -W
> Enter LDAP Password:
> dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: IDM ADMIN
> givenName: IDMADMIN
> distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> instanceType: 4
> whenCreated: 20140128182537.0Z
> whenChanged: 20140131014315.0Z
> displayName: IDMADMIN
> uSNCreated: 31968
> memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
> memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
> memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
> uSNChanged: 38786
> name: IDM ADMIN
> objectGUID:: jai63JfDvUuOGcURntA7hg==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130356008006093750
> primaryGroupID: 513
> objectSid:: AQUAAAUV0+/GU55mz3h0hQ48RwYAAA==
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: idmadmin
> sAMAccountType: 805306368
> userPrincipalName: idmadmin@boingoqa.local
> lockoutTime: 0
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
> dSCorePropagationData: 20140129224024.0Z
> dSCorePropagationData: 1601010100.0Z
> lastLogonTimestamp: 130356060672110578
>
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Friday, January 31, 2014 12:39 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] can't create winsync replication
>
> On 01/31/2014 12:16 PM, Todd Maugh wrote:
>> RE: I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow up replication.
>>
>> here is the log tailed while I deleted the replication agreement, restarted the dirsrv and tried to setup the replication agreement
>
> Note that 389 does not use /etc/openldap/cacerts - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b cn=idm admin,cn=users,dc=boingoqa,dc=local -D cn=idm admin,cn=users,dc=boingoqa,dc=local -W
>
>> [31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31
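The 389-ds errors-log lines quoted in the message above are the signal a replication operator actually wants to monitor: the same bind failure repeating every few seconds for an agreement that never comes up. The following is an added example, not code from the thread or from the 389 Directory Server project: it parses that log format and reports failure counts and bursts so the condition can be alerted on. The sample lines are constructed to match the thread (including the timezone offset the archive stripped to a bare `+`); the startup line, the `+0000` line and the function names are assumptions for illustration.

```python
# Added example (not from the thread): parse 389 Directory Server errors-log lines
# like the ones quoted above and flag bursts of replication-bind failures, so that
# a repeating "could not send startTLS request" is alerted on rather than read by eye.
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Layout: [DD/Mon/YYYY:HH:MM:SS +ZZZZ] function - Level: text[: error N (name)][ errno N (name)]
# The archive stripped the offset digits to a bare '+', so \d{0,4} accepts both forms.
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{0,4})\] "
    r"(?P<func>\S+) - (?P<level>\w+): (?P<text>.*?)"
    r"(?:: error (?P<code>-?\d+) \((?P<errname>[^)]*)\))?"
    r"(?: errno (?P<errno>\d+) \((?P<errnoname>[^)]*)\))?$"
)

# Constructed sample: a startup line that is not an error, the nine failure lines
# quoted in the thread, and one constructed line carrying a full '+0000' offset.
ERR = " slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)"
SAMPLE_LOG: List[str] = [
    "[31/Jan/2014:19:07:30 +] - slapd started.  Listening on All Interfaces port 389 for LDAP requests",
    "[31/Jan/2014:19:07:37 +]" + ERR,
    "[31/Jan/2014:19:08:12 +]" + ERR,
    "[31/Jan/2014:19:08:13 +]" + ERR,
    "[31/Jan/2014:19:08:25 +]" + ERR,
    "[31/Jan/2014:19:10:01 +]" + ERR,
    "[31/Jan/2014:19:11:51 +]" + ERR,
    "[31/Jan/2014:19:11:54 +]" + ERR,
    "[31/Jan/2014:19:12:00 +]" + ERR,
    "[31/Jan/2014:19:12:12 +]" + ERR,
    "[31/Jan/2014:19:13:12 +0000]" + ERR,
]


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a 'function - Level:' line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
        "function": m["func"],
        "level": m["level"],
        "text": m["text"],
        "ldap_error": int(m["code"]) if m["code"] else None,
        "ldap_error_name": m["errname"],
        "errno": int(m["errno"]) if m["errno"] else None,
    }


Kind = Tuple[str, Optional[int]]  # (logging function, LDAP error code)


def summarize(lines: List[str], window_seconds: int = 300, threshold: int = 3) -> dict:
    """Count Error records by (function, LDAP error code) and report, per kind, the
    first run of `threshold` failures that fit inside `window_seconds`."""
    by_kind: Dict[Kind, List[datetime]] = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["level"] == "Error":
            by_kind.setdefault((rec["function"], rec["ldap_error"]), []).append(rec["time"])
    counts = Counter({kind: len(times) for kind, times in by_kind.items()})
    bursts = []
    for kind, times in by_kind.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursts.append((kind, times[i], times[i + threshold - 1]))
                break
    return {"counts": counts, "bursts": bursts}
```

Run `summarize(SAMPLE_LOG)` on the sample: all ten failures share the kind `("slapi_ldap_bind", -11)` and the first three fall within 36 seconds, so a burst is reported starting at 19:07:37. The `-11` here is the OpenLDAP client code `LDAP_CONNECT_ERROR`, the same value `ipa-replica-manage` printed as `status: -11`, which is why grouping on that code rather than on the message text is the useful key.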
Re: [Freeipa-users] can't create winsync replication
Ok that time I got output

[r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ldapsearch -LLLx -b cn=config -D cn=directory manager -W 'objectclass=nsds5replicationagreement'
Enter LDAP Password:
dn: cn=meTose-idm-02.boingo.com,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: meTose-idm-02.boingo.com
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to se-idm-02.boingo.com
nsDS5ReplicaRoot: dc=boingo,dc=com
nsDS5ReplicaHost: se-idm-02.boingo.com
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 52e153690004
nsds50ruv: {replica 3 ldap://se-idm-02.boingo.com:389} 52e1537200010003 52ebf4230003
nsds50ruv: {replica 4 ldap://se-idm-01.boingo.com:389} 52e153d500020004 52ebf6280004
nsruvReplicaLastModified: {replica 3 ldap://se-idm-02.boingo.com:389}
nsruvReplicaLastModified: {replica 4 ldap://se-idm-01.boingo.com:389}
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140131210414Z
nsds5replicaLastUpdateEnd: 20140131210414Z
nsds5replicaChangesSentSinceStartup:: NDozLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] can't create winsync replication
returns ld 0x1fe2160 NULL
ldap_int_select
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1fe2160 msgid -1
wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid -1 all 0
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:23 2014

** ld 0x1fe2160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
   Empty
  ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
ldap_chkResponseList returns ld 0x1fe2160 NULL
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1fe2160 0 new referrals
read1msg:  mark request completed, ld 0x1fe2160 msgid 3
request done: ld 0x1fe2160 msgid 3
res_errno: 0, res_error: , res_matched:
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Friday, January 31, 2014 3:58 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] can't create winsync replication
>
> On 01/31/2014 04:13 PM, Todd Maugh wrote:
>> asked: Can you provide your /etc/openldap/ldap.conf?
>>
>> answer: /etc/openldap/ldap.conf
>>
>> #File modified by ipa-client-install
>> URI ldaps://se-idm-01.boingo.com
>> BASE dc=boingo,dc=com
>> TLS_CACERT /etc/ipa/ca.crt
>> TLS_CACERTDIR /etc/openldap/cacerts/
>> TLS_REQCERT allow
>
> This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa. What happens if you set it to TLS_REQCERT demand?
>
> Or, if you don't want to touch this file (because it will probably break other things), try this:
>
> LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b cn=idm admin,cn=users,dc=boingoqa,dc=local -D cn=idm admin,cn=users,dc=boingoqa,dc=local -W 'objectclass=*' dn
>
> If that works, then please provide the output of
>
> rpm -q 389-ds-base openldap nss
>
>> ping
>>
>> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
>>
>> This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?
>>
>> PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
>> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms
>> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
>> ^C
>> --- qatestdc2.boingoqa.local ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1070ms
>> rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms
>
> Ok. Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?
>
>> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
>> Enter LDAP Password:
>> ldap_sasl_bind
>> ldap_send_initial_request
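The exchange discussed in this message, as an added example that is not code from the thread, from OpenLDAP or from 389-ds: it builds the StartTLS extended request that `ldapsearch -ZZ` sends before any bind (for message ID 1 it is exactly the 31 bytes the `-d 1` trace logs as `ber_flush2: 31 bytes to sd 3`), decodes the server's extended response, and maps `TLS_REQCERT` onto a Python `ssl.SSLContext` so the difference between `allow` (the setting in the ldap.conf above, which lets the `-8179` unknown-issuer error pass) and `demand` (which aborts the handshake) is explicit. `ca_pem_path` is an assumption: Python's `ssl` cannot read the NSS database under `/etc/dirsrv/slapd-*`, so the AD CA is assumed to be available as a PEM file. `extended_response` and the host names used in `starttls_connect` are illustration helpers, not part of any library API.

```python
# Added example (not from the thread): the StartTLS exchange behind `ldapsearch -ZZ`
# and the ssl.SSLContext equivalent of OpenLDAP's TLS_REQCERT. Standard library only.
import socket
import ssl
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER for a non-negative message ID (extra zero byte keeps it positive)."""
    return ber_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, buf[pos:pos + first], pos + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos:pos + n], "big")
    return tag, buf[pos + n:pos + n + length], pos + n + length


def starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.
    For msgid 1 this is the 31-byte write the -d 1 trace above logs as
    'ber_flush2: 31 bytes to sd 3' right after ldap_extended_operation."""
    request_name = ber_tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context tag
    return ber_tlv(0x30, ber_int(msgid) + ber_tlv(0x77, request_name))


def extended_response(msgid: int, result_code: int, error_message: str = "",
                      response_name: Optional[str] = STARTTLS_OID) -> bytes:
    """Encode an extendedResp [APPLICATION 24]; used here to construct sample replies."""
    body = (ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"")  # resultCode, matchedDN
            + ber_tlv(0x04, error_message.encode("utf-8")))            # errorMessage
    if response_name is not None:
        body += ber_tlv(0x8A, response_name.encode("ascii"))  # [10] responseName
    return ber_tlv(0x30, ber_int(msgid) + ber_tlv(0x78, body))


def parse_extended_response(msg: bytes) -> dict:
    """Decode an extendedResp; raise ValueError for any other message."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body)
    tag, resp, _ = ber_read(body, pos)
    if tag != 0x78:
        raise ValueError("not an extendedResp")
    _, code, pos = ber_read(resp)
    _, matched, pos = ber_read(resp, pos)
    _, errmsg, pos = ber_read(resp, pos)
    name = None
    if pos < len(resp) and resp[pos] == 0x8A:  # [10] responseName is OPTIONAL
        name = ber_read(resp, pos)[1].decode("ascii")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8"), "error_message": errmsg.decode("utf-8"),
            "response_name": name}


def tls_context(reqcert: str, ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS_REQCERT as an ssl policy: demand/hard verify chain and host name and abort
    on failure; never/allow proceed even when the issuer is unknown, which is how the
    -8179 error above could pass. 'try' has no exact ssl equivalent and is rejected.
    ca_pem_path is an assumed PEM export of the AD CA (ssl cannot read the NSS db)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if reqcert in ("demand", "hard"):
        ctx.check_hostname, ctx.verify_mode = True, ssl.CERT_REQUIRED
    elif reqcert in ("never", "allow"):
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    else:
        raise ValueError("unsupported TLS_REQCERT value: %r" % reqcert)
    if ca_pem_path:
        ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def starttls_connect(host: str, reqcert: str = "demand", ca_pem_path: Optional[str] = None,
                     port: int = 389, timeout: float = 5.0) -> ssl.SSLSocket:
    """What `ldapsearch -ZZ` does: StartTLS in clear, require resultCode 0, then wrap
    the socket under the chosen policy. Under 'demand' an unknown issuer or host-name
    mismatch raises ssl.SSLCertVerificationError instead of passing silently."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(starttls_request(1))
        reply = parse_extended_response(sock.recv(4096))  # reply is a few dozen bytes
        if reply["result_code"] != 0:
            raise RuntimeError("StartTLS refused: %s" % reply)
        return tls_context(reqcert, ca_pem_path).wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

`starttls_connect("qatestdc2.boingoqa.local", "demand", "/path/to/ad-ca.pem")` reproduces the `LDAPTLS_REQCERT=demand` test suggested above without touching `/etc/openldap/ldap.conf`: with the AD CA in the PEM file it returns a verified socket, and with the wrong CA it raises the verification error rather than continuing the way `TLS_REQCERT allow` does. The `server_hostname` passed to `wrap_socket` is what makes the `CN=QATESTDC2.boingoqa.local` subject check explicit, the same check Rich's "Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?" is probing.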
Re: [Freeipa-users] can't create winsync replication
asked: Can you provide your /etc/openldap/ldap.conf?

answer: /etc/openldap/ldap.conf

#File modified by ipa-client-install
URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

ping

> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
>
> This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?

PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request