Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Dmitri Pal
On 01/31/2014 12:59 PM, Todd Maugh wrote:
 Please help, I'm stuck trying to finish this winsync agreement.

 [r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ipa-replica-manage
 connect --winsync --binddn "cn=idm admin, cn=Users, dc=boingoqa,
 dc=local" --bindpw *** --passsync 
 --cacert=/etc/openldap/cacerts/boingoqaCA.cer qatestdc2.boingoqa.local -v
 Directory Manager password:

 Added CA certificate /etc/openldap/cacerts/boingoqaCA.cer to
 certificate database for se-idm-01.boingo.com
 ipa: INFO: AD Suffix is: DC=boingoqa,DC=local
 The user for the Windows PassSync service is
 uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com
 Windows PassSync entry exists, not resetting password
 ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
 ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP
 error: Connect error: start: 0: end: 0
 ipa: INFO: Agreement is ready, starting replication . . .
 Starting replication, please wait until this has completed.
 [se-idm-01.boingo.com] reports: Update failed! Status: [-11  - LDAP
 error: Connect error]
 Failed to start replication



 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

Some DS-level logs might help.
Also, might it be a firewall issue? A firewall resetting the connection, or something like that?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh
RE:

I am not sure I was clear. It seems that you provided the LDAP trace for the 
ldapsearch commands you executed above. I was talking about the DS level logs 
for the replica management agreement establishment and the follow-up 
replication.

Here is the log, tailed while I deleted the replication agreement, restarted 
the dirsrv and tried to set up the replication agreement:



[31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +] - slapd shutting down - waiting for 30 threads to 
terminate
[31/Jan/2014:19:14:09 +] - slapd shutting down - closing down internal 
subsystems and plugins
[31/Jan/2014:19:14:09 +] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +] - All database threads now stopped
[31/Jan/2014:19:14:09 +] - slapd stopped.
[31/Jan/2014:19:14:12 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting 
up
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up 
under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up 
under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up 
under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be 
added before the CoS Definition.
[31/Jan/2014:19:14:12 +] set_krb5_creds - Could not get initial credentials 
for principal [ldap/se-idm-01.boingo@boingo.com] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be 
added before the CoS Definition.
[31/Jan/2014:19:14:12 +] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Credentials cache file 
'/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +] NSMMReplicationPlugin - 
agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
(Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests
[31/Jan/2014:19:14:12 +] - Listening on All Interfaces port 636 for LDAPS 
requests
[31/Jan/2014:19:14:12 +] - Listening on /var/run/slapd-BOINGO-COM.socket 
for LDAPI requests
[31/Jan/2014:19:14:16 +] NSMMReplicationPlugin - 
agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with 
GSSAPI auth resumed
[31/Jan/2014:19:15:18 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:15:18 

Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh


[r...@se-idm-01.boingo.com cacerts]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H 
ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" 
-D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAUV0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 130356060672110578



From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 12:39 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can't create winsync replication

Note that 389 does not use /etc/openldap/cacerts - it uses 
/etc/dirsrv/slapd-YOUR-DOMAIN, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H 
ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" 
-D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W





Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh
Thank you for the reply. Here is the output of the first command. I'm going to 
run the second now and will reply with that as well.

 LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H 
ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" 
-D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
ldap_create
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.194.55.48:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x260a160 msgid 1
wait4msg ld 0x260a160 msgid 1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 1 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:43 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 1 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x260a160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg:  mark request completed, ld 0x260a160 msgid 1
request done: ld 0x260a160 msgid 1
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' 
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error 
-8179:Peer's Certificate issuer is not recognized..
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: 
CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, 
secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, 
cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x260a160 msgid 2
wait4msg ld 0x260a160 msgid 2 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 2 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:50 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 2 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x260a160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg:  mark request completed, ld 0x260a160 msgid 2
request done: ld 0x260a160 msgid 2
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: objectclass=*
put_filter: default
put_simple_filter: objectclass=*
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 85 bytes to sd 3
ldap_result ld 0x260a160 msgid -1
wait4msg ld 0x260a160 msgid -1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid -1 all 0
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:50 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid -1 all 0
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x260a160 msgid 3 message type 

Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Rich Megginson

On 01/31/2014 01:55 PM, Todd Maugh wrote:



[r...@se-idm-01.boingo.com cacerts]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ 
-H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" 
-D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W


I'd like to look at the debug output, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx 
-ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" 
-D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn


The 389 errors log indicates it cannot connect, which usually means some 
sort of SSL error.  Unfortunately the logging leaves something to be 
desired in the way of information necessary to diagnose and fix the problem.


If that doesn't help, let's take a look at your winsync agreement 
configuration:


ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 
'objectclass=nsdswindowsreplicationagreement' dn

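Rich's point in this message is that the 389 DS errors log only says "Connect error", while the client-side `ldapsearch -d 1` trace carries the NSS error that explains it. The Python script below is an added example, not code from this thread, from FreeIPA or from 389 DS: it parses the errors-log line format and the TLS lines of the libldap debug trace and combines them into one diagnosis. The sample log and trace are constructed from lines posted in this thread (trimmed, with the timezone offset that the archive dropped written as +0000); the constant -8179 is NSS's SEC_ERROR_UNKNOWN_ISSUER, and the `certutil -L -d <dir>` check it recommends is the standard way to list the CA certificates and trust flags in an NSS database.

```python
"""Correlate a 389 DS errors log with an `ldapsearch -d 1` StartTLS trace.

Added example, not FreeIPA or 389 DS code: the errors log only records
"could not send startTLS request: error -11 (Connect error)", while the NSS
error that explains the failure shows up in the client-side libldap trace
when ldapsearch is pointed at the same NSS database the server uses.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines from the thread, trimmed, with the timezone offset
# that the archive dropped written as +0000.
DS_ERRORS_LOG = """\
[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:12 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

# Constructed sample: the TLS lines of the `ldapsearch -d 1` run posted in the thread.
LDAPSEARCH_TRACE = """\
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high
"""

SEC_ERROR_UNKNOWN_ISSUER = -8179  # NSS: the peer certificate's issuer is not in the trust store

# "[dd/Mon/yyyy:HH:MM:SS +0000] component - message"; the offset digits are
# optional so that the archive's mangled "+]" lines parse as well.
DS_LINE_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d*\] (?:(\S+) - )?(.*)$")
STARTTLS_RE = re.compile(r"could not send startTLS request: error (-?\d+) \(([^)]*)\)")
CERTDB_RE = re.compile(r"TLS: certdb config: configDir='([^']+)'")
CAFILE_RE = re.compile(r"TLS: loaded CA certificate file (\S+?)\.?$")
NSS_ERR_RE = re.compile(r"TLS: certificate \[([^\]]+)\] is not valid - error (-?\d+):(.*?)\.*$")
VERIFY_RE = re.compile(r"TLS certificate verification: subject: (.*?), issuer: (.*?), cipher:")


@dataclass
class StartTlsFailure:
    timestamp: str
    code: int
    text: str


@dataclass
class TlsTrace:
    certdb_dir: Optional[str] = None
    ca_file: Optional[str] = None
    subject: Optional[str] = None
    issuer: Optional[str] = None
    nss_error: Optional[int] = None
    nss_text: Optional[str] = None


def parse_ds_errors(log: str) -> list[StartTlsFailure]:
    """Return every outbound StartTLS failure recorded in a 389 DS errors log."""
    failures = []
    for line in log.splitlines():
        m = DS_LINE_RE.match(line)
        if not m:
            continue
        timestamp, _component, message = m.groups()
        if hit := STARTTLS_RE.search(message):
            failures.append(StartTlsFailure(timestamp, int(hit.group(1)), hit.group(2)))
    return failures


def parse_ldapsearch_trace(trace: str) -> TlsTrace:
    """Extract NSS database, CA file, peer identity and NSS error from `ldapsearch -d 1` output."""
    t = TlsTrace()
    for line in trace.splitlines():
        if m := CERTDB_RE.search(line):
            t.certdb_dir = m.group(1)
        elif m := CAFILE_RE.search(line):
            t.ca_file = m.group(1)
        elif m := NSS_ERR_RE.search(line):
            t.nss_error, t.nss_text = int(m.group(2)), m.group(3)
        elif m := VERIFY_RE.search(line):
            t.subject, t.issuer = m.group(1), m.group(2)
    return t


def diagnose(failures: list[StartTlsFailure], trace: TlsTrace) -> str:
    """Combine the server-side and client-side views into one statement of what to check."""
    if not failures:
        return "no StartTLS failures in the DS errors log"
    head = failures[0]
    summary = (f"{len(failures)} StartTLS attempt(s) failed with LDAP error {head.code} "
               f"({head.text}), first at {head.timestamp}")
    if trace.nss_error == SEC_ERROR_UNKNOWN_ISSUER:
        return (f"{summary}; NSS reports {trace.nss_error} ({trace.nss_text}) for {trace.subject}: "
                f"issuer {trace.issuer!r} is not trusted in {trace.certdb_dir}. Check with "
                f"`certutil -L -d {trace.certdb_dir}` that a CA certificate for that issuer is present "
                f"with C in its SSL trust flags (e.g. CT,,); the PEM file {trace.ca_file} named in "
                f"ldap.conf is read by the OpenLDAP client only, not by the DS server process.")
    if trace.nss_error is not None:
        return f"{summary}; NSS reports {trace.nss_error} ({trace.nss_text}) for {trace.subject}"
    return f"{summary}; the client trace shows no TLS error, so check the network path (firewall, port 389)"


if __name__ == "__main__":
    print(diagnose(parse_ds_errors(DS_ERRORS_LOG), parse_ldapsearch_trace(LDAPSEARCH_TRACE)))
```

Run as-is it prints the diagnosis for the posted lines. On a live system, paste the errors log (usually /var/log/dirsrv/slapd-INSTANCE/errors) into DS_ERRORS_LOG and the `-d 1` output into LDAPSEARCH_TRACE; only the TLS lines of the trace are read, the ber_/ldap_ noise is ignored.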

Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh
For the second command I do not have an account called directory manager, so I 
do not have a password.

ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 
'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)




Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh
I used the IPA directory manager password and got no output.

[r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b cn=config -D 
"cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:





Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Rich Megginson

On 01/31/2014 02:09 PM, Todd Maugh wrote:
Thank you for the reply. Here is the output of the first command. I'm 
going to run the second now and will reply with that as well.

 LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx 
-ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" 
-D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' 
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly

TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.


Can you provide your /etc/openldap/ldap.conf?

TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error 
-8179:Peer's Certificate issuer is not recognized..


This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP 
address does not match.


This is usually a problem, but perhaps you have set your ldap.conf to 
continue despite this problem?


TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, 
issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security 
level: high, secret key bits: 128, total key bits: 128, cache hits: 0, 
cache misses: 0, cache not reusable: 0

Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x260a160 msgid 2
wait4msg ld 0x260a160 msgid 2 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 2 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:50 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 2 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x260a160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg:  mark request completed, ld 0x260a160 msgid 2
request done: ld 0x260a160 msgid 2
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: objectclass=*
put_filter: default
put_simple_filter: objectclass=*
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 85 bytes to sd 3
ldap_result ld 0x260a160 msgid -1
wait4msg ld 0x260a160 msgid -1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid -1 all 0
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:50 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Rich Megginson

On 01/31/2014 02:14 PM, Todd Maugh wrote:

I used the IPA directory manager password and got no output

[r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b cn=config 
-D  cn=directory manager -W 
'objectclass=nsdswindowsreplicationagreement' dn

Enter LDAP Password:


Very strange.  Try this:
ldapsearch -LLLx -b cn=config -D  cn=directory manager -W 
'objectclass=nsds5replicationagreement'

*From:* Todd Maugh
*Sent:* Friday, January 31, 2014 1:11 PM
*To:* Rich Megginson; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* RE: [Freeipa-users] cant create winsync reolication

For the second command I do not have an account called directory 
manager, so I do not have a password.


ldapsearch -LLLx -b cn=config -D  cn=directory manager -W 
'objectclass=nsdswindowsreplicationagreement' dn

Enter LDAP Password:
ldap_bind: Invalid credentials (49)



*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Todd Maugh 
[tma...@boingo.com]

*Sent:* Friday, January 31, 2014 12:55 PM
*To:* Rich Megginson; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] cant create winsync reolication



[r...@se-idm-01.boingo.com cacerts]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ 
-H ldap://qatestdc2.boingoqa.local -b cn=idm 
admin,cn=users,dc=boingoqa,dc=local -D  cn=idm 
admin,cn=users,dc=boingoqa,dc=local -W

Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAUV0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 130356060672110578



*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, January 31, 2014 12:39 PM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] cant create winsync reolication

On 01/31/2014 12:16 PM, Todd Maugh wrote:

RE:

I am not sure I was clear. It seems that you provided the LDAP trace 
for the ldapsearch commands you executed above. I was talking about 
the DS level logs for the replica management agreement establishment 
and the follow up replication.


Here is the log, tailed while I deleted the replication agreement, 
restarted the dirsrv and tried to set up the replication agreement.


Note that 389 does not use /etc/openldap/cacerts - it uses 
/etc/dirsrv/slapd-YOUR-DOMAIN, so try this:


LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ 
-H ldap://qatestdc2.boingoqa.local -b cn=idm 
admin,cn=users,dc=boingoqa,dc=local -D  cn=idm 
admin,cn=users,dc=boingoqa,dc=local -W
[31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[31

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh
Ok, that time I got output.

[r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ldapsearch -LLLx -b cn=config 
-D  cn=directory manager -W 'objectclass=nsds5replicationagreement'
Enter LDAP Password:
dn: cn=meTose-idm-02.boingo.com,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mappin
 g tree,cn=config
cn: meTose-idm-02.boingo.com
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to se-idm-02.boingo.com
nsDS5ReplicaRoot: dc=boingo,dc=com
nsDS5ReplicaHost: se-idm-02.boingo.com
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 52e153690004
nsds50ruv: {replica 3 ldap://se-idm-02.boingo.com:389} 52e1537200010003 52
 ebf4230003
nsds50ruv: {replica 4 ldap://se-idm-01.boingo.com:389} 52e153d500020004 52
 ebf6280004
nsruvReplicaLastModified: {replica 3 ldap://se-idm-02.boingo.com:389} 
nsruvReplicaLastModified: {replica 4 ldap://se-idm-01.boingo.com:389} 
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140131210414Z
nsds5replicaLastUpdateEnd: 20140131210414Z
nsds5replicaChangesSentSinceStartup:: NDozLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Rich Megginson
 returns ld 0x1fe2160 NULL
ldap_int_select
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1fe2160 msgid -1
wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid -1 all 0
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:23 2014


** ld 0x1fe2160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
   Empty
  ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
ldap_chkResponseList returns ld 0x1fe2160 NULL
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1fe2160 0 new referrals
read1msg:  mark request completed, ld 0x1fe2160 msgid 3
request done: ld 0x1fe2160 msgid 3
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 3, msgid 3)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, January 31, 2014 3:58 PM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] cant create winsync reolication

On 01/31/2014 04:13 PM, Todd Maugh wrote:


asked: Can you provide your /etc/openldap/ldap.conf?

answer:

/etc/openldap/ldap.conf
#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow


This will allow errors where the hostname in the cert subject DN does 
not match the IP address or vice versa.


What happens if you set it to TLS_REQCERT demand?

Or, if you don't want to touch this file (because it will probably 
break other things), try this:


LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ 
ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b 
cn=idm admin,cn=users,dc=boingoqa,dc=local -D  cn=idm 
admin,cn=users,dc=boingoqa,dc=local -W 'objectclass=*' dn


If that works, then please provide the output of

rpm -q 389-ds-base openldap nss


ping

TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error 
-8179:Peer's Certificate issuer is not recognized..


This is saying QATESTDC2.boingoqa.local cannot be resolved - or the 
IP address does not match.


This is usually a problem, but perhaps you have set your ldap.conf to 
continue despite this problem?

PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 
ttl=124 time=0.559 ms
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 
ttl=124 time=0.660 ms

^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms


Ok.  Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, 
issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security 
level: high, secret key bits: 128, total key bits: 128, cache hits: 
0, cache misses: 0, cache not reusable: 0

Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request


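Rich's point above (TLS_REQCERT allow in ldap.conf lets ldapsearch carry on after a failed certificate check, while the 389-ds errors log shows the server's own StartTLS binds failing) can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA/389-ds; the ldap.conf copy and the errors-log excerpt it embeds are constructed from what the thread shows, and the +0000 zone and the "slapd started" line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report the client-side certificate
# policy from an ldap.conf and count failed StartTLS binds in a 389-ds
# errors log. Both inputs below are constructed copies of what the thread shows.

# Constructed copy of the /etc/openldap/ldap.conf quoted in the thread.
LDAP_CONF='#File modified by ipa-client-install
URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow'

# Constructed errors-log excerpt; the +0000 zone and the "slapd started" line
# are assumptions, the slapi_ldap_bind lines mirror the ones in the thread.
ERRORS_LOG='[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:07:40 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)'

# Effective TLS_REQCERT: the keyword is case-insensitive, the default is "demand".
tls_reqcert() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "TLS_REQCERT" { v = tolower($2) }
        END { print (v == "" ? "demand" : v) }'
}

# never/allow keep going after a bad server certificate ("masking"), try only
# tolerates a missing one ("partial"), demand/hard reject it ("verifying").
classify_reqcert() {
    case "$(tls_reqcert "$1")" in
        never|allow) echo masking ;;
        try)         echo partial ;;
        demand|hard) echo verifying ;;
        *)           echo unknown ;;
    esac
}

# Same config with TLS_REQCERT forced to demand; the line is appended if absent.
harden_reqcert() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "TLS_REQCERT" { print "TLS_REQCERT demand"; seen = 1; next }
        { print }
        END { if (!seen) print "TLS_REQCERT demand" }'
}

# Outbound binds the directory server could not protect with StartTLS.
count_starttls_failures() {
    printf '%s\n' "$1" | grep -c 'slapi_ldap_bind - Error: could not send startTLS request' || true
}

printf 'TLS_REQCERT is %s: %s\n' "$(tls_reqcert "$LDAP_CONF")" "$(classify_reqcert "$LDAP_CONF")"
printf 'Hardened copy classifies as: %s\n' "$(classify_reqcert "$(harden_reqcert "$LDAP_CONF")")"
printf 'StartTLS bind failures in log: %s\n' "$(count_starttls_failures "$ERRORS_LOG")"
```

Point the two variables at a real ldap.conf and errors log (for example with `LDAP_CONF=$(cat /etc/openldap/ldap.conf)`) to run the same checks on a live host.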
Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh

asked: Can you provide your /etc/openldap/ldap.conf?

answer:

/etc/openldap/ldap.conf
#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
ping

TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error 
-8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address 
does not match.

This is usually a problem, but perhaps you have set your ldap.conf to continue 
despite this problem?
PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 
time=0.559 ms
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 
time=0.660 ms
^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: 
CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, 
secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, 
cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
